Cannot decrypt my backed up encrypted files


Xeese

Member
Dec 12, 2003
26
0
0
My guess is that it is seeing the public key from the certificate thumbprint and reading your user info from there. The error code when attempting to add the user is that it wants the private key (certificate) not the public one to add. I haven't verified the error code, but I think that is what is happening.
 

Adul

Elite Member
Oct 9, 1999
32,999
44
91
danny.tangtam.com
Originally posted by: Thoreau
Dare I ask why you bothered to encrypt files if you didn't even have the account password protected?

My question exactly.

And there is no way to recover those files without the key. This has happened to a few others as well. Consider it a very hard lesson learned.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Do some forensics work on the old hard drive. There are plenty of threads around the forum that offer suggestions for software to use (get data back or something maybe?). You might be able to find your encryption key there, even though it's been reformatted.

Probably the most overlooked part of backups is testing them. ;)

Why use encryption if you don't bother to use a password? :p
 

eelw

Lifer
Dec 4, 1999
10,335
5,487
136
Originally posted by: n0cmonkey
Probably the most overlooked part of backups is testing them. ;)

How true, how true. At home, whenever I do a reinstall of Windows, I always use a different hard drive for the new install. I keep the old drive intact for a few weeks to ensure that everything is working before erasing the old drive.

At work, when upgrading computers, we don't reuse the old computer for a week. As long as the EU says everything is working fine, then we will cascade the old computer to another user.
 

boran

Golden Member
Jun 17, 2001
1,526
0
76
Originally posted by: computer
Now, why should I have seen that post just because I have ~1430 posts????? Is it the job of every member with over a certain number of posts to read the million posts at ALL of this forum's threads?? I don't live at this forum, I have a business to run 16 hours a day, 7 days a week. The bulk of my posts are on the P4C800 thread. Right, I've never even seen the OS forum until you mentioned it.

Well, it has been stickied on top of the OS forum since August last year, so if you'd happened to enter that one and remembered that you use NTFS encryption, you'd have read it. Anyway, this discussion point is moot; if you can't get yer private key, your data is more gone than if you had done a format.
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
See the FAQ here.

In particular the section: Backing up your EFS Private Key

The *only* way to be sure you are getting your data back is if you had backed up your encryption recovery certificate using the above method.

If you did not make a copy of the recovery certificate, then your data is gone and is essentially unrecoverable. Thumbprints and copies of the certificate without the private key are a waste of time and will not help with recovery. Copies of the user encryption certificate are also unhelpful, because they are tied to a specific Windows installation, and are unusable on a new installation.

However, some 3rd party tools *may* be able to help you if you have the user certificate backed up. 'Advanced EFS Data recovery' by Elcomsoft claims to be able to help. I have no experience with this product so cannot make a recommendation.

If the data is of exceptional value, then you should contact a professional data recovery company for advice as it may be possible to recover the key from the old HD. This is not a guaranteed option, nor a cheap one (likely to cost many thousands of $).
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Originally posted by: HeroOfPellinor
Dude...this would be the coolest distributed computing project evar!!!

Considering it took ~1800 days to break RC5-64 for the distributed.net project, breaking EFS encryption would probably take decades.
IIRC XP uses AES-256 by default, or is that 3DES?
Either way, it would take a crapload of time, even factoring in the increase in computational power with time.
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
One thing I was wondering is this:

OK, so all your files are encrypted on the hard drive.

However, somewhere in your registry or hidden in some system file is the master key for your encryption. So the system has to have some way to access the hard drive to get the master key before it can go about decrypting the files.


So if somebody steals your hard drive or hacks your system, how does this encryption protect your files?

Won't the "enemy" just rape the system and take the master key and then use that to decrypt your sensitive files?

I mean the system itself has to have access to an unencrypted form of the master key, so then somebody who has physical control over your system then has access to your master key too, don't they? All they have to do is find out where the stupid thing is stored on your system; it will be in a predictable place because the OS has to know where it's at.

So how does this work better than just setting access permissions?

Can EFS be set up over a remote share or something?
 

Mark R

Diamond Member
Oct 9, 1999
8,513
16
81
So if somebody steals your hard drive or hacks your system, how does this encryption protect your files?

The keys are stored on the HD, in an encrypted form. The keys to the keys are based on a variety of information which Windows has to hand, including the user's log-on password.

There are a couple of utilities that can retrieve EFS files, but they require that the certificates are still somewhere on the HD, and that you know the password for the user whose files you are trying to retrieve. This is useless after a reformat, but if the user's home directory (under Documents and Settings) is still intact (e.g. after a reinstall of a corrupted installation), then it is possible to retrieve the keys.

And just in case you were thinking of simply retrieving the passwords from the HD:
For security the passwords are not stored on the HD (encrypted or otherwise) only a 'thumbprint' of the password is - it's easy to make a thumbprint from the password, but very hard to get the password from the thumbprint. If you want to get the password from the 'thumbprint' the only practical way is to try password after password until the thumbprints match. There are programs that can do this, but if your password is something like G94tgsd=@;l1UG£ then they really don't have a chance of ever finding it.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Mark R
So if somebody steals your hard drive or hacks your system, how does this encryption protect your files?

The keys are stored on the HD, in an encrypted form. The keys to the keys are based on a variety of information which Windows has to hand, including the user's log-on password.

There are a couple of utilities that can retrieve EFS files, but they require that the certificates are still somewhere on the HD, and that you know the password for the user whose files you are trying to retrieve. This is useless after a reformat, but if the user's home directory (under Documents and Settings) is still intact (e.g. after a reinstall of a corrupted installation), then it is possible to retrieve the keys.

And just in case you were thinking of simply retrieving the passwords from the HD:
For security the passwords are not stored on the HD (encrypted or otherwise) only a 'thumbprint' of the password is - it's easy to make a thumbprint from the password, but very hard to get the password from the thumbprint. If you want to get the password from the 'thumbprint' the only practical way is to try password after password until the thumbprints match. There are programs that can do this, but if your password is something like G94tgsd=@;l1UG£ then they really don't have a chance of ever finding it.

Sounds like a hash to me.
 

crsgardner

Senior member
Apr 23, 2004
305
0
0
Dare I ask why you bothered to encrypt files if you didn't even have the account password protected?

This is one of the funniest things I've read all day. :) Classic user: I'll encrypt files that require no password to decrypt. Hey, I just like wasting clock cycles!
 

drag

Elite Member
Jul 4, 2002
8,708
0
0
G94tgsd=@;l1UG£

Oh, they will definitely have a chance of getting that. A very good chance.

An easy password is easy because it can be cracked in seconds. But if they have access to the password file it's easy. A password like that may take a few minutes to crack on a fast machine, and a difficult password may take a day.

The difference between a good and a bad password is just time.

Unix has been doing hashing for years and years.

For example on my system if I used "anandtech" as a password it ends up being stored as
$1$HzxlsZ0z$TOHB3JhRsJVM392V5Fy.M0
;)

The keys are stored on the HD, in an encrypted form. The keys to the keys are based on a variety of information which Windows has to hand, including the user's log-on password.

The keys to the keys? What keys are you talking about? You have public keys and private (or master) keys.

Are you telling me that the master key is generated every time and isn't stored anywhere? Because the public keys are accessible by everybody and that's their purpose.

And if the master key is generated every time it's used, how is it the same every time? Is it based on hardware stuff combined with passwords and if you move the system hard drive to another computer it then would be different?

Just trying to understand what you mean.
 

CTho9305

Elite Member
Jul 26, 2000
9,214
1
81
Originally posted by: Xeese
So even if you encrypt all your files, all that needs to happen is for an admin to reset the pwd to your account and log on as you to get to the data.

Let's try this with your hard drive. Encrypt everything, but don't back it up. Log in as admin, and reset your password.


*POOF* no more data. It explicitly warns the admin about losing data when resetting a password.
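
The key hierarchy discussed in the posts above (Mark R's "keys to the keys" and the reset-password case), as an added illustration that is not part of any post in the thread: a simplified Python model, not Windows' actual EFS or key-storage code. The HMAC-based cipher, the symmetric `user_key` standing in for the certificate's private key, and all names and passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

def kdf(password: str, salt: bytes) -> bytes:
    """Derive the key-encryption key from a password (the 'key to the keys')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (stand-in for the real ciphers): nonce|ct|tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse seal(); raises ValueError when the key is not the one used to seal."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: blob cannot be unwrapped")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def encrypt_file(user_key: bytes, plaintext: bytes) -> dict:
    # Each file gets its own random file encryption key (FEK), stored wrapped.
    fek = secrets.token_bytes(32)
    return {"wrapped_fek": seal(user_key, fek), "data": seal(fek, plaintext)}

def decrypt_file(user_key: bytes, f: dict) -> bytes:
    return unseal(unseal(user_key, f["wrapped_fek"]), f["data"])

def try_unlock(password: str, salt: bytes, wrapped_user_key: bytes, f: dict):
    """Return the plaintext, or None if this password cannot unwrap the user key."""
    try:
        return decrypt_file(unseal(kdf(password, salt), wrapped_user_key), f)
    except ValueError:
        return None

def demo() -> dict:
    salt = secrets.token_bytes(16)
    user_key = secrets.token_bytes(32)  # never written to disk in the clear
    in_profile = seal(kdf("old-logon-password", salt), user_key)  # lives in the profile
    exported = seal(kdf("backup-passphrase", salt), user_key)     # copy kept off the PC
    f = encrypt_file(user_key, b"My Documents contents")          # constructed sample
    del user_key
    return {
        "normal_logon": try_unlock("old-logon-password", salt, in_profile, f),
        "after_admin_reset": try_unlock("password-set-by-admin", salt, in_profile, f),
        "restored_from_backup": try_unlock("backup-passphrase", salt, exported, f),
    }

if __name__ == "__main__":
    print(demo())
```

After a reformat the `in_profile` blob no longer exists at all, which leaves the exported copy as the only remaining path to the files.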
 

Psych

Senior member
Feb 3, 2004
324
0
0
The private key is dynamically generated when you log on to protect your files.

The problem with EFS in terms of actual protection is that it relies on the user logged on to the box. So even if you encrypt all your files, all that needs to happen is for an admin to reset the pwd to your account and log on as you to get to the data. A few alternate methods exist to get admin on the box - (linux boot disk, etc). However in the OP's situation they aren't relevant. Information just thrown out for anyone in the thread considering EFS for security. PGPDisk or Steganos drive encryption are better choices with PGP being preferred.

EFS might not be very secure when you want to know every time a file is encrypted or decrypted, but every "on-the-fly" encryption scheme has this dilemma. But EFS isn't so insecure as to allow a reset password to automatically decrypt files.

I mentioned above I have the "Thumbprint certificate" number for the encrypted files if that would help.

I am not sure, but I think these thumbprints are the FEK of the file and can't be recovered unless YOU HAVE THE KEY. I believe the FEK is the symmetric password, and your private certificate is your private asymmetrical password. The FEK might be there, but it is encrypted...

On the positive side, though, there is a small, small, small chance that your certificate, or at least your older computer's GUID, is still there on the old HD. Since you already know the original password, there is a chance you can recover your files. But otherwise,

There has GOT to be a way, a program, some trick to be able to view these files. I could KILL M$ for not giving any kind of warning about this!! Those bastards drive you INSANE with "are you sure......." "are you sure......." "are you sure......." "are you sure......." blah blah for every friggin' thing you try to do on a Windows OS of which none of IT is even necessary!!!!! Something as serious as this, and these ass-wipes don't give one comment about it when encrypting a folder!!! THAT is just TOTALLY SENSELESS!!!!!!! Backwards A$$holes.

don't trash Microsoft for making their system work half-way well.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
There has GOT to be a way, a program, some trick to be able to view these files. I could KILL M$ for not giving any kind of warning about this!! Those bastards drive you INSANE with "are you sure......." "are you sure......." "are you sure......." "are you sure......." blah blah for every friggin' thing you try to do on a Windows OS of which none of IT is even necessary!!!!! Something as serious as this, and these ass-wipes don't give one comment about it when encrypting a folder!!! THAT is just TOTALLY SENSELESS!!!!!!! Backwards A$$holes

I don't know who or what M$ is, but let's assume you are ranting about Microsoft. There are volumes of documentation on our website and on your PC about this very topic. This is the reason why we have recovery agents. There are numerous documents, help files, even forums like this that tell you that you must backup the private key.

Why would you expect encryption to have some kind of back door "some trick to be able to view these files"? Then why did you encrypt it? Please tell me what the point of an encryption scheme with a backdoor would be?

Encryption comes down to some pretty basic math. At a very basic level, you have two keys. Your data is encrypted with one key and can be decrypted only by the other key. You cannot discover what one key is by using the other. Bottom line, if you do not have the key that can decrypt the data that was encrypted by the other key, you aren't getting that data. Unless you want to brute force it. Any encryption can be brute forced. But the idea behind encryption is how long would it take to brute force a key, and would it be worth it to someone to devote that much time to it?

But don't blame us for your mistake. Sorry, but this one's on you. Time to stop ranting, take responsibility for your data, and move on.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: Thoreau
Dare I ask why you bothered to encrypt files if you didn't even have the account password protected?

I'm not sure. Logic would dictate that encrypting something would be harder for any hackers to see. It was there, so I thought I'd use it.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Logic would dictate that encrypting something would be harder for any hackers to see

Correct. And now that you've lost the cert you've become the hacker.
 

Thoreau

Golden Member
Jan 11, 2003
1,441
0
76
Originally posted by: computer
I'm not sure. Logic would dictate that encrypting something would be harder for any hackers to see. It was there, so I thought I'd use it.

Actually, logic would dictate that if you can get to the data with zero restrictions, no password, no authentication of any type, then anyone can get at it. Windows also has a nice feature to enable file and printer sharing, but just because it's there doesn't mean it should be used without caution or actual knowledge of said feature.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: n0cmonkey
Do some forensics work on the old hard drive. There are plenty of threads around the forum that offer suggestions for software to use (get data back or something maybe?). You might be able to find your encryption key there, even though it's been reformatted.

Probably the most overlooked part of backups is testing them. ;)

It WAS tested. It behaved as it should just like any other folder on the other PC so the backup was good. Little did I know that would NOT be the case on my new PC. I tried a "restore" type of program that is supposed to get files back after they have been deleted from the Recycle Bin, but that didn't work. As you know, the data IS still there on the old HD that was formatted, only the references to it have been removed. There is software out there that can reclaim pre-formatted data from a HD but it probably costs a thousand bucks. If I can find that software (and a "code" for it) or a free trial, that may work. From what I understand, I don't need "My Documents", I only need the encryption key from the other HD.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: Psych

On the positive side, though, there is a small, small, small chance that your certificate, or at least your older computer's GUID, is still there on the old HD. Since you already know the original password, there is a chance you can recover your files. But otherwise,

There has GOT to be a way, a program, some trick to be able to view these files. I could KILL M$ for not giving any kind of warning about this!! Those bastards drive you INSANE with "are you sure......." "are you sure......." "are you sure......." "are you sure......." blah blah for every friggin' thing you try to do on a Windows OS of which none of IT is even necessary!!!!! Something as serious as this, and these ass-wipes don't give one comment about it when encrypting a folder!!! THAT is just TOTALLY SENSELESS!!!!!!! Backwards A$$holes.

don't trash Microsoft for making their system work half-way well.
I'm trashing M$ for their BACKWARDS logic. Like I said, you can't even inhale and exhale on a Windows PC without getting "prompted into infinity" and for meaningless things, compared to the data loss that can occur with encryption.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: STaSh
There has GOT to be a way, a program, some trick to be able to view these files. I could KILL M$ for not giving any kind of warning about this!! Those bastards drive you INSANE with "are you sure......." "are you sure......." "are you sure......." "are you sure......." blah blah for every friggin' thing you try to do on a Windows OS of which none of IT is even necessary!!!!! Something as serious as this, and these ass-wipes don't give one comment about it when encrypting a folder!!! THAT is just TOTALLY SENSELESS!!!!!!! Backwards A$$holes

I don't know who or what M$ is, but let's assume you are ranting about Microsoft. There are volumes of documentation on our website and on your PC about this very topic. This is the reason why we have recovery agents. There are numerous documents, help files, even forums like this that tell you that you must backup the private key.

Why would you expect encryption to have some kind of back door "some trick to be able to view these files"? Then why did you encrypt it? Please tell me what the point of an encryption scheme with a backdoor would be?

Encryption comes down to some pretty basic math. At a very basic level, you have two keys. Your data is encrypted with one key and can be decrypted only by the other key. You cannot discover what one key is by using the other. Bottom line, if you do not have the key that can decrypt the data that was encrypted by the other key, you aren't getting that data. Unless you want to brute force it. Any encryption can be brute forced. But the idea behind encryption is how long would it take to brute force a key, and would it be worth it to someone to devote that much time to it?

But don't blame us for your mistake. Sorry, but this one's on you. Time to stop ranting, take responsibility for your data, and move on.

What the hell is your problem??? Who the hell is blaming YOU?????? If you have nothing to add regarding help, then your post is waste of bandwidth. I posted this here asking for HELP, NOT for wise ass comments.
Why would you expect encryption to have some kind of back door "some trick to be able to view these files"? Then why did you encrypt it? Please tell me what the point of an encryption scheme with a back door would be?
FYI, what makes you think nothing can be cracked and everything is secure????? There is a crack to EVERYTHING, it's just a matter of finding it! EVERYTHING has a back door. All the "volumes of information" you speak of are meaningless AFTER THE FACT. Not many make a habit of visiting forums regarding "privacy keys". ONCE AGAIN; IF THERE IS DANGER OF THIS HAPPENING, AND IT OBVIOUSLY DID, then WHY DOESN'T M$ put yet another one of their PopUp comments THAT IS ACTUALLY USEFUL for a change, stating: "WARNING, YOU WILL NOT BE ABLE TO DECRYPT THESE FILES ON ANOTHER PC WITHOUT SAVING THE ENCRYPTION KEY". NOTHING is said about that. There is no warning info on encryption before you try to encrypt something the way there is before you run just about everything else on Windows. For example: when you dump the damn Recycle Bin there is warning that the data will be deleted. DUUUUHHHHHHHHHH. It's the friggin' Recycle Bin, if you dump it, it's GONE. Yet they place another one of their warnings there for something as obvious as that, yet leave anything regarding encryption WIDE OPEN.

I really appreciate the replies of those that have tried to HELP. If anyone has nothing to add regarding HELP on how to decrypt my "My Documents" files, then kindly refrain from condescending comments. Thank you. "Woulda, shoulda, coulda, why," etc., is irrelevant. What's done IS DONE. I ask for help/info on getting back "My Documents".
Thank you again.
 

computer

Platinum Member
Nov 5, 2000
2,735
2
0
Originally posted by: Thoreau
Originally posted by: computer
I'm not sure. Logic would dictate that encrypting something would be harder for any hackers to see. It was there, so I thought I'd use it.

Actually, logic would dictate that if you can get to the data with zero restrictions, no password, no authentication of any type, then anyone can get at it. Windows also has a nice feature to enable file and printer sharing, but just because it's there doesn't mean it should be used without caution or actual knowledge of said feature.
IMO, "file and printer sharing" is self-explanatory. There is no password area for encryption, you just right click and "encrypt", and it's done....according to what you see or lack thereof.