
Backing up EFS certificate without private key...

InlineFive

Diamond Member
Hello everyone!

I am backing up my EFS certificates but I have run into a snag. The user accounts don't have passwords and thus don't have a private key to bind the certificate to. What happens if I try to restore the certificate without a private key? Should the user account change, do the files become unreadable?

Thanks! And if you have any suggestions for reading on EFS please let me know.

I5

 
Er, what? There is a private key, there has to be. It has nothing to do with the user's password. The user's password is what encrypts the Master Key, which in turn protects the EFS private key. But you can have a blank password, that's not a problem for EFS.

Just go into the user's certificate store using the mmc and export the private key. Do NOT check the box for strong key protection. To answer your question, if you export only the cert (which is the public key), the user will not be able to decrypt any files if that system were formatted or if he used another system. The certificate is not enough.
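The export described in the reply above can also be scripted. The following PowerShell is an added example, not code posted in this thread: it picks out the current user's EFS certificate(s) by their Enhanced Key Usage OID, refuses to export anything that has no private key (a certificate-only export is exactly the useless case the reply warns about), writes a password-protected PFX, and reads the PFX back to confirm the key is really inside. It assumes Windows 8 / Server 2012 or later, which ship the PKI module (`Export-PfxCertificate`, `Get-PfxData`); the output directory is an assumed value.

```powershell
# Added example (not from the thread): export the current user's EFS certificate
# together with its private key into a password-protected PFX, then verify it.
# Assumes the PKI module (Windows 8 / Server 2012 or later). $OutDir is assumed.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$OutDir = 'D:\Backup\EFS'            # assumed destination; keep the PFX off the protected machine
$PfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Only certificates whose EKU list includes EFS are candidates.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate found in the current user store.'
    return
}

foreach ($cert in $efsCerts) {
    # The certificate by itself is only the public key. Without the private key
    # the backup cannot decrypt anything after a reinstall or on another machine.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $($cert.Thumbprint) has no private key; skipping."
        continue
    }

    $pfxPath = Join-Path $OutDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPwd | Out-Null

    # Read the PFX back and confirm the end-entity certificate carries its key.
    $pfx    = Get-PfxData -FilePath $pfxPath -Password $PfxPwd
    $hasKey = $pfx.EndEntityCertificates | Where-Object { $_.HasPrivateKey }
    if ($hasKey) {
        Write-Output "Exported $($cert.Subject) ($($cert.Thumbprint)) with private key -> $pfxPath"
    } else {
        Write-Warning "PFX at $pfxPath contains no private key; do not rely on it."
    }
}
```

`Export-PfxCertificate` fails if the key was generated as non-exportable; the self-signed EFS certificates Windows creates are exportable, so this is normally only a concern with CA-issued templates. The built-in `cipher /x` command produces an equivalent PFX of the current user's EFS certificate and key and is the simpler route when no scripting is wanted.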
 
Okay, so how exactly do I export the private key or create a DRA? I have read the Microsoft manuals but I don't understand how to accomplish this.
 
D'oh! Found it! 🙂

Now this is the private key, correct? So if I export this cert along with the private key I will be good to go!

And why should I not check Strong encryption? Is that so I could back it up onto a Linux server? Or does it cause lots of problems in the long run?
 
The cert represents the public key. When you export the cert, you are given the option of also exporting the private key, which is what you want to do (follow the steps in the article linked above).

For the strong key protection, I'm trying to get some clarification on that. Strong private key protection is not supported with EFS (it is clearly stated in the XP Help file), so the article is confusing.
 
Ok, you can go ahead and check the strong protection box. That just protects the PFX container itself, not the EFS key inside. Enabling strong key protection on that EFS private key is what is not supported.

This is only a concern if you are creating your own certificate template on a CA for EFS. If you create a template, you must not enable strong key protection for it. The existing Basic EFS template does not enable strong key protection, and when there is no CA available, the self-signed certificates that Windows generates do not have strong protection enabled.
 