EFS Basics (I don't get it)

microsoft.public.windows.vista.security






  #1 (permalink)  
Old 11-19-2007
Jake
 

Posts: n/a
EFS Basics (I don't get it)
I need some help understanding how to use EFS. Maybe I'm just stupid
but I've not been able to grasp how this works and especially to simply
get it to work as I want.

I've read over and over again that I can encrypt files on one PC and use
them on another one, as long as I "import" the "key".. BTW, I'm lost
on this public/private/key/certificate stuff.. I have read the help
files and numerous other material and the more I read the more confused
I get.

Ultimately I want to encrypt files on my Vista Ultimate laptop and back
them up then have the capability to restore them to another PC (XP Pro
or Vista ULT) and get access to them if necessary. I would like to
protect my data from prying eyes in case the PC is stolen. (BitLocker
isn't an option since my PC has no TPM chip and I'm not willing to
keep up with a thumbdrive just to get into my PC and especially don't
want to depend on myself not losing that thumbdrive.)

I'm a home user. I have no Active Directory Domain nor do I want one.
I'm also not at all interested in reading some in-depth multi-chapter
whitepaper that's tailored to the corporate security chief.

What I need are straight-up answers to simple questions that I can't
find ANYWHERE on any Microsoft document that I've been able to locate.

I want to be able to ensure I can open my encrypted files on another PC
in case my laptop is stolen and I need to restore these encrypted files
from a backup to another computer. Yes I am fully aware that Vista's
file backup doesn't even attempt to back up encrypted files so I'm
testing with some backup programs that do. (Thanks a lot Microsoft!)

As a test I've tried this:

I create a folder on a thumbdrive and copy a few files to it and then
encrypt the folder and contents. Fine.. works good.

I export my certificate/key/whatever to a file. (Is it a key or a
certificate - I see the terms used interchangeably and THAT makes this
whole thing unnecessarily hard to understand)

I go to another PC and import this thing that I've exported.

I pull the thumbdrive from PC1 and insert into PC2 and try to read the
encrypted files.. "Access denied" ..

I try to remove the encryption and get "you will need to provide
administrator permission to change these attributes". I am an
administrator so how do I do this?

I've even created a recovery agent and exported that certificate and
imported it onto PC2.. no luck.

No matter what I try I am unable to open or decrypt any files on PC2
that were encrypted on PC1. This is supposed to be possible from what
I've read yet no one can demonstrate how it works.

What am I doing wrong or what am I missing? Is this even possible?
This really needs to be easier, or rather better documented.

Any help would be much appreciated
Bryan
  #2 (permalink)  
Old 11-19-2007
Kerry Brown
 

Posts: n/a
Re: EFS Basics (I don't get it)
EFS works but it is not really designed to do what you want. It can be made
to do this but as you have found out it is better suited to a domain
environment. I recommend you look for a 3rd party application to do what you
want.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


  #3 (permalink)  
Old 11-19-2007
Jake
 

Posts: n/a
Re: EFS Basics (I don't get it)
Thanks Kerry for the response. I was afraid that would be the answer.
I'm not opposed to using a 3rd party solution but I know of none.

What I can't understand is why this doesn't work as it's documented.
Why can't I open or decrypt these files EVEN AFTER importing the key
that was used to encrypt them? I've followed instructions step-by-step
from Microsoft and other sources with the same results. The
documentation states it can be done and I would like to know how. At the
very least the Recovery Agent should be able to do this.. But it can't.

I'm not illiterate with regard to IT Administration, Active Directory,
etc. I manage IT infrastructures for 3 small businesses and have 10
years experience with supporting corporate IT environments so as you can
imagine this is particularly frustrating for me to not be able to get to
work. The documentation says it can be done and yet I've not seen a
single example of how to restore encrypted files to an alternate PC. Is
it even possible?

What's missing from my test? Can you enlighten me a bit more so I can
learn this stuff and why it isn't working, instead of just saying that
it's not suitable for me?

Can you list 2-3 3rd party products that I can research?

Thanks
Bryan



  #4 (permalink)  
Old 11-19-2007
Kerry Brown
 

Posts: n/a
Re: EFS Basics (I don't get it)
I have done it with XP to XP. It was very cumbersome to set up and I was
afraid that sooner or later data would be lost. I decided I didn't really
need encryption. With Vista you have the added problem of making sure the
certificate gets into the right store. When importing the certificate you
have to run certmgr.msc using Run as administrator and make sure the
certificate gets into the right physical location.

Make sure you are logged in as the user who will need to decrypt the files.
They will need to be in the local administrators group at this point.
In Start Search type "certmgr.msc"
Right click on it at the top of the list and pick Run as administrator.
From the View menu pick Options
Put a Check beside Physical certificate stores.

I'm guessing which store to put it in. This next part could be wrong.

Expand Personal => Registry => Certificates
Right click on Certificates and pick Import.
Browse to the certificate and import it.

That user should now be able to decrypt the files. If that doesn't work then
I've got the store location wrong.

You should be able to remove the user from the local administrators group
now if you want to. The reason they need to be there when importing is so
certmgr.msc runs in the right context. If they are a standard user and you
pick Run as administrator the cert will get imported into the user profile
that you specify at the UAC prompt. Let me know if this works as I haven't
tested it.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca


  #5 (permalink)  
Old 11-26-2007
Chemical X
 

Posts: n/a
Re: EFS Basics (I don't get it)
Jake & Kerry Brown:
I have also done it with XP to XP, creating a Data Recovery Agent (with
administrative privileges) on a stand-alone PC, and importing the certificate
+ key. It required so much new learning (MMC use, certificate exportation,
importation, & stores, and DRA creation) that it can hardly be recommended to
most end users. However, I felt challenged by it, for better or worse, and
persisted. I have two suggestions. First, the DRA needs to take ownership
of the file to be decrypted. Second, if during the exportation process the
security of the certificate + key was set too high, the DRA will silently
fail to access the key. This occurs without an error message and despite
previous notification that importation of the certificate + key was
successful. In my case, I set the certificate + key to "Prompt for password"
but the DRA never prompted. That was fixed by deleting that certificate and
importing a new one with the lowest level of security.

Reply With Quote
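
A check that can be run on PC2 after the import steps discussed in this thread, as an added example that is not part of any post: it reads the certificate thumbprints EFS stored with an encrypted file via `cipher /c` and reports whether the logged-on user's Personal store holds a matching certificate together with its private key. It assumes PowerShell 2.0 or later on a Vista-or-later PC2, English `cipher` output, and a placeholder file path; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run on PC2 as the user who must open the files.
# $Path is a constructed placeholder; point it at one encrypted file on the thumb drive.
param([string]$Path = 'E:\Encrypted\sample.txt')

# Thumbprints EFS stored in the file's metadata (user and recovery-agent entries).
# Assumption: English cipher.exe output of the form "Certificate thumbprint: AAAA BBBB ..."
function Get-EfsThumbprint([string]$File) {
    cipher /c $File | ForEach-Object {
        if ($_ -match 'thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
}

# Compare each thumbprint with the current user's Personal ("My") store.
# A certificate without its private key cannot decrypt anything: EFS needs the
# private key to unwrap the per-file encryption key.
function Test-EfsKey([string]$File) {
    $store = @(Get-ChildItem Cert:\CurrentUser\My)
    foreach ($tp in @(Get-EfsThumbprint $File)) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        if (-not $cert) {
            $state = 'certificate not in this user''s Personal store'
        } elseif (-not $cert.HasPrivateKey) {
            $state = 'certificate only, no private key (import the .pfx, not a .cer)'
        } else {
            $state = 'certificate and private key present'
        }
        New-Object PSObject -Property @{ Thumbprint = $tp; State = $state }
    }
}

Test-EfsKey $Path | Format-Table -AutoSize
```

If no row reports a private key, the export on PC1 has to be repeated with the private key included (a .pfx file); `cipher /x` on PC1 writes the current EFS certificate and key to such a file.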