Unable to recover EFS file using recovery agent

[Guest]

While restructuring our network, I moved several user accounts from an old
domain to a new one using the migration tool. However, after migrating the
accounts, I am unable to decrypt files stored locally on a workstation that
had been encrypted with the "old" account.

The user EFS certificate is still installed. However, if I try to export
the certificate, XP says the private key is unavailable.

No problem, I'll just use the recovery agent. I imported the recovery agent
certificate to the workstation, but the files still don't decrypt. I backed
up and restored to a different machine, imported the certificate, and still
am having no luck. I have tried using aefsdr. Providing the original user
name and password, I can decrypt the private key, but the files will still
not decrypt.

I suspect the problem is related to something in the file rather than the
key or certificate. Is it possible the workstation used a different
symmetric algorithm than is being used on the other machines? How can I tell?

Thanks.
Dan

 

[Guest]

When you import the File Recovery certificate, are you importing from a .pfx
file? (A PFX file contains both the certificate and private key.) Is the
thumbprint on the File Recovery certificate that you're importing the same
thumbprint that is listed on the files (open the file's
Properties>Advanced>Details and look in the listbox for "Data Recovery Agents
For This File")?

The symmetric algorithm on Win2K is DESX, WinXP RTM is DESX, and WinXP SP1+
is AES. You can restore DESX files on WinXP, but you cannot restore AES
files on Win2K.

Thanks.
Pat

 

[Guest]

Thanks for the quick reply, and sorry it's taken so long for me to get back
to you.

I did import the recovery certificate from a .pfx file. Using the
certificates snap in, it shows the recovery certificate in my user account.
It also indicates I have a private key that corresponds this certificate. To
verify I could access the private key, I exported the certificate along with
the private key (not deleting the private key, of course). I once again
compared the certificate thumnails, and they match.

It appears I have the correct certificate and key. I have no way of knowing
at what step the decryption is failing, so I am just shooting in the dark.
Do you know of any way to log the decryption process to find out specifically
what is happening?

thanks,
Dan

 

[Guest]

No, there's no logging that will help in this case. We're really puzzled
that this didn't work, so could you answer a few more questions?

1. I'm assuming you're trying to restore the files on a WinXPsp1+ machine,
is that right? We can then rule out algorithm incompatibility.
2. Would you encrypt a new file on that machine and compare the thumbprint
of the recovery agent certificate that applies to the new file with the one
that you imported. Is it the same?
3. Could you also send a breakdown of the steps you've gone through so
far--from the backing up of the files to restoring them on the current
machine? Include the OSes involved and who you were logged on as, too. This
may provide some clues of what's missing, etc.

Thanks.
Pat

 

[Guest]

Regarding your questions:
1. Yes, it is a XP SP2 machine. I have also tried on an SP1 machine.
2. I have re-encrypted a file on the new machine. Because this machine is
now part of a different domain, the recovery agent is different. The new
recovery agent is the domain administrator, as expected.
3. I have tried several different procedures to try to regain access to
these files. The steps below detail how I have gotten to my current scenario.
a. Used the mmc snap-in domain migration tool to migrate user account from
old domain to new domain. Should have decrypted files first but didn't.
b. Unable to access decrypted files. Un-migrated user account. Still
unable to access. Re-migrated to new domain.
c. Tried to decrypt by importing recovery certificate, but without any luck.
d. Decided to try fresh install of XP. Installed to new partition, separate
from the partition with the encrypted files. Upgraded to SP2. Imported
recovery certificate (made sure thumbnails matched and private key was
accessible).
e. Receive "Access denied" message box when trying to decrypt files through
windows explorer.

I have spent far more time on this then what the files are worth to me.
Right now, I am doing this just to gain a better understanding of EFS and
potential (and real) pitfalls. I can send you a sample file and the recovery
certificate with private key. The recovery certificate is no longer
protecting anything important, and there is nothing sensitive in the file I
would send.

Thanks,
Dan

 

[Guest]

I'm suspecting #2 may indicate the problem. When you access an encrypted
file with a valid key (such as the former recovery cert), EFS first checks
the policy of the current machine before opening/decrypting the file for you.
If the policy is different, EFS updates the policy on the file before
opening it. That means the file now has a different recovery cert and your
former recovery cert is no longer valid. It's sort of a "Catch22." Your key
allowed EFS to update policy on the file; but after the update, your key was
not longer valid so EFS couldn't open the file for you. You can check that
by restoring a file on the WXP that's in the new domain, touch the file
(That's all that's needed), and then recheck the thumbprint of the recovery
agent certificate on that file. If your old recovery cert worked, the new
recovery cert will appear on the file. You can then decrypt the file with
the new recovery cert.

Hope that solves it.

Thanks.
Pat