Any way to retrieve encrypted files?

Brazen

Diamond Member
Jul 14, 2000
4,259
0
0
I have a file server that had two drives, one for the OS, and one for the file share. After an OS crash, I reformatted the drive and reinstalled the OS. That was about six months ago, no big deal, but now I get a call from a user who can't access his documents. I look at the files on the file server and they are labeled as encrypted with zero file sizes. I restore from our oldest backup, but the restored files are identical (we overwrite backups after 6 weeks). The user tells me he has not been able to access his documents for months (and apparently just now got around to saying something).

Luckily I did pop the original system drive into another machine and made a backup through ntbackup (into a .bkf file). So my question is: can I somehow decrypt those files using info from the .bkf I made? I tried restoring the .bkf to a computer and opening the files, but no dice.
 

kylebubp

Member
Feb 8, 2006
45
0
0
Ah, there is a group that you can assign yourself to that can decrypt encrypted files. One of those permissions things. I'll look it up.
 

Brazen

Do you mean after booting to the restored OS? I went ahead and tried adding the administrator to the backup and replicator groups and tried again, but that did not work. My guess is that the encryption key did not get restored. Maybe I can manually get the encryption key off the old backup and apply it to the system, but I don't know.
 

Brazen

Well, actually, the OS said it was decrypting the files when I unchecked the encrypt attribute and applied the settings, but the files are still blank. Maybe they weren't really encrypted? Maybe they were, in fact, corrupted. I thought it odd to only happen to a single user's documents though, and every document in his directory.

Oh well, I'm not too worried about it, it's his own fault for waiting six months to tell me about this, the way I see it.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
If you didn't export the disaster recovery agent's key before you blew the OS away, you are out of luck.

If you have a working backup of the entire system (C: drive, system state) from before you nuked it, you should be able to get that key. The key is protected with that user's password. So if you restored the old system to another machine, log in as the DRA (usually administrator), and you should be able to access and export the key from the certificates MMC.
 

scottws

Senior member
Oct 29, 2002
468
0
0
I have a question... If I went to Internet Explorer | Internet Options | Content | Certificates and then exported my user account certificate used to encrypt a bunch of files and then later my hard drive dies. I reinstall and restore a backup I have of My Documents (which is encrypted), can I then import that certificate and be all good?

Or does it have to be the disaster recovery agent's key? I tried to back up the disaster recovery agent's key once, but I use WinXP Pro in workgroup mode, and there is no default recovery agent.
 

stash

Yes, as long as you remember to select the option to export the private key and choose the certificate that is used for EFS. If you don't export the private key and just the cert, all you have is the public key and not the private key. You need both, so remember to check the box.

DRA keys are just additional keys that can decrypt the data if the user loses their key. There is no DRA by default on a non-domain-joined XP box, so you need to export your user account's EFS key.
 

scottws

Originally posted by: STaSh
Yes, as long as you remember to select the option to export the private key and choose the certificate that is used for EFS. If you don't export the private key and just the cert, all you have is the public key and not the private key. You need both, so remember to check the box.
Yes, I checked and I did do that.

DRA keys are just additional keys that can decrypt the data if the user loses their key. There is no DRA by default on a non-domain-joined XP box, so you need to export your user account's EFS key.
Thanks!

 

stash

Oh and related to the other thread on EFS, don't forget the password that you set when you export the key!
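
The key backup discussed in this thread (export the EFS certificate with its private key, protected by a password), scripted as an added example that is not from any poster. It assumes a Windows version that ships the PKI PowerShell module (newer than the XP and ntbackup systems in the thread); `$OutDir` is a hypothetical destination.

```powershell
# Added example: back up the current user's EFS / recovery-agent certificates
# together with their private keys, then confirm each backup can be reopened.
param(
    [string]$OutDir = "$env:USERPROFILE\efs-key-backup"   # hypothetical path; use offline media
)

# EKU OIDs: Encrypting File System, and EFS File Recovery (used by a DRA certificate)
$EfsOids  = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'
$password = Read-Host -AsSecureString 'Password to protect the exported key'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Select only certificates whose enhanced key usage marks them as EFS-related.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $ekus = $_.EnhancedKeyUsageList.ObjectId
    $EfsOids | Where-Object { $ekus -contains $_ }
}
if (-not $certs) {
    Write-Warning 'No EFS certificate found in the current user store.'
    return
}

foreach ($cert in $certs) {
    # A certificate without its private key is the "public key only" case:
    # it cannot decrypt anything after a reinstall.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key present, nothing useful to back up."
        continue
    }
    $pfx = Join-Path $OutDir "efs-$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop |
            Out-Null
        # Re-read the file with the same password so a bad export is caught now,
        # not on the day the key is needed.
        $check = Get-PfxData -FilePath $pfx -Password $password -ErrorAction Stop
        if ($check.EndEntityCertificates.Thumbprint -contains $cert.Thumbprint) {
            Write-Output "Exported and verified: $pfx"
        } else {
            Write-Warning "$($cert.Thumbprint): exported file does not contain the certificate."
        }
    } catch {
        # Typical cause: the private key is marked non-exportable.
        Write-Warning "$($cert.Thumbprint): export failed ($($_.Exception.Message))"
    }
}
```

The resulting .pfx is only as safe as its password and where it is stored; keep it off the machine whose files it protects.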