
Cannot decrypt my backed up encrypted files

There is lots of misinformation in this thread!

Okay, let me run down some things here...

Computer: there is no back door in EFS. There are two possible ways of recovering your data: recover the EFS certificate that was originally used to encrypt the files, or do a brute force attack against the entire keyspace. A brute force attack is what they call "computationally infeasible" and would likely take thousands, if not millions, of years to complete. Therefore, your only hope is to recover the original EFS certificate.

The EFS certificate on a machine that is part of a workgroup is automatically created by the operating system when a user first encrypts a file. I am not certain, but I believe the certificate is stored in c:\documents and settings\username\application data\microsoft\crypto\RSA. If you can get to that folder on the original hard drive, stop immediately and call a reputable data recovery shop. You probably stand an excellent chance of getting your data back.

I do not know if the files and settings transfer wizard backs up this data. You can try to find out. I'm launching WinXP now to look... unfortunately, it does not appear to do so.

How EFS Works: This is misunderstood by many here. Let's say I encrypt a file. When I do, the system generates a random number, known as the File Encryption Key (FEK), and encrypts the file with the FEK. The FEK is then encrypted with the user's public key from his EFS certificate. The encrypted FEK is stored with the encrypted file. Edit: The FEK is unique to each file. A new FEK is randomly generated for each encrypted file. So finding the FEK for one file does not allow you to decrypt any other file.

To decrypt the file, the user's private key from the user's EFS certificate must be used to decrypt the FEK, and the FEK is used to decrypt the contents of the file.

The EFS certificate is stored on the local machine, but the user's password must be used to decrypt the certificate itself. This is why an admin resetting a user's password is not sufficient to recover EFS data. EDIT: This is how all of those "break EFS" utilities work: they attack the user's password to recover the user's EFS cert. Since, in this case, the cert that was used to encrypt the files was never present on the hard drives on which the files reside, these utilities won't work in this situation.

The FEK can be encrypted with many users' public keys so that many users can decrypt the file. This is how recovery agents (if configured) work.

Computer, I agree that the UI should warn you about possible ramifications when encrypting your files. However, we can't do much about that now. The only way out for you is to recover your EFS cert from the old hard drive. Period.
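The key hierarchy the post above describes (a random per-file FEK, the FEK wrapped for the user and for each recovery agent, the user's own key locked behind the password) can be run as a small model. This is an added example, not Windows code and not anything a thread participant posted. It substitutes standard-library primitives for the real ones: symmetric, PBKDF2-derived wrapping keys in place of RSA certificate keys protected by DPAPI, and an HMAC-SHA256 keystream in place of AES/3DES; the names `alice` and `recovery-agent`, the passwords and the file contents are constructed.

```python
# Model of the EFS key hierarchy from the thread; see the lead-in for the
# assumptions (symmetric wrapping and HMAC keystream instead of RSA and AES).
import hashlib
import hmac
import os
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher from HMAC-SHA256; the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC key wrap: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(kek, nonce, key)
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the wrapped key; raises ValueError when kek is not the key that wrapped it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key-encryption key")
    return keystream_xor(kek, nonce, ct)


class Principal:
    """A user or recovery agent: a random long-term key locked under a password.

    The salt and protected blob stand in for the key material in the user's profile
    on the original disk; a fresh install yields a new, unrelated Principal even
    for the same user name and password.
    """

    def __init__(self, name: str, password: str):
        self.name = name
        self.salt = os.urandom(16)
        self.protected = wrap(self._password_key(password), secrets.token_bytes(32))

    def _password_key(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def long_term_key(self, password: str) -> bytes:
        """Unlock the long-term key; a wrong password fails here."""
        return unwrap(self._password_key(password), self.protected)


def encrypt_file(plaintext: bytes, recipients: list) -> dict:
    """Encrypt with a fresh FEK and wrap that FEK for every (principal, password) given.

    Symmetric simplification: wrapping needs each recipient's unlocked key, whereas
    RSA certificates would need only the recipient's public key.
    """
    fek = secrets.token_bytes(32)  # new random FEK for every file
    nonce = os.urandom(16)
    fields = {p.name: wrap(p.long_term_key(pw), fek) for p, pw in recipients}
    return {"nonce": nonce, "ciphertext": keystream_xor(fek, nonce, plaintext), "fields": fields}


def recover_fek(blob: dict, principal: Principal, password: str) -> bytes:
    """Any principal whose key wrapped the FEK can unwrap it (owner or recovery agent)."""
    field = blob["fields"].get(principal.name)
    if field is None:
        raise ValueError(f"{principal.name} has no decryption field on this file")
    return unwrap(principal.long_term_key(password), field)


def decrypt_file(blob: dict, principal: Principal, password: str) -> bytes:
    fek = recover_fek(blob, principal, password)
    return keystream_xor(fek, blob["nonce"], blob["ciphertext"])


def fails(fn) -> bool:
    """True when fn raises ValueError (no usable key)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the thread's scenarios; each value is True when the model behaves as the post says."""
    alice = Principal("alice", "hunter2")
    agent = Principal("recovery-agent", "ra-pass")
    doc1 = encrypt_file(b"customer list", [(alice, "hunter2"), (agent, "ra-pass")])
    doc2 = encrypt_file(b"squirrel photos", [(alice, "hunter2")])  # no recovery agent configured
    fek1 = recover_fek(doc1, alice, "hunter2")
    reinstalled_alice = Principal("alice", "hunter2")  # same name and password, new key material
    return {
        "owner_decrypts": decrypt_file(doc1, alice, "hunter2") == b"customer list",
        "agent_decrypts": decrypt_file(doc1, agent, "ra-pass") == b"customer list",
        "fek_not_reused": keystream_xor(fek1, doc2["nonce"], doc2["ciphertext"]) != b"squirrel photos",
        "no_agent_no_access": fails(lambda: decrypt_file(doc2, agent, "ra-pass")),
        "wrong_password": fails(lambda: decrypt_file(doc1, alice, "letmein")),
        "reinstall_same_password": fails(lambda: decrypt_file(doc1, reinstalled_alice, "hunter2")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```

The `reinstall_same_password` case is the situation in this thread: the password is correct, but the long-term key that wrapped the FEK exists only in the original profile, so knowing (or never having set) a password gives nothing without that key material. The `agent_decrypts` and `no_agent_no_access` cases show why a recovery agent only helps if it was configured before the file was encrypted.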
 
Originally posted by: vcarpio2
Originally posted by: computer
As for using Active File Recovery, that's all I do, right-click on the file then copy to a new location. I am not prompted for any password or anything.
Neither am I, but are you doing this with ENCRYPTED files from ANOTHER PC and you're still able to open them?

It's from the same PC -- but with a new motherboard and processor so for most intents and purposes, it's a brand-new PC.

No, it's not.

It's on the same hard drive. Also on that hard drive is the cert that was used to encrypt the files. This is what that tool is attacking. Computer's computer doesn't have the original cert on it.
 
Note: This post will not be at all helpful to the OP!

Originally posted by: NogginBoink
Computer: there is no back door in EFS. There are two possible ways of recovering your data: recover the EFS certificate that was originally used to encrypt the files, or do a brute force attack against the entire keyspace. ...<snip>... your only hope is to recover the original EFS certificate.
I beg to differ, the "back door" that's architected into EFS is the Recovery Agent. Encrypted File Recovery Agent is defined in the Local Security Policy and the Default Domain Policy by default. (Local\Administrator and DOMAIN\Administrator respectively, as mentioned above)
Originally posted by: NogginBoink
To decrypt the file, the user's private key from the user's EFS certificate must be used to decrypt the FEK, and the FEK is used to decrypt the contents of the file.
Technical nit-picking😱: To decrypt the file, the private key of ANY certificate that was used to encrypt the FEK must be used to decrypt the FEK, etc...
 
Originally posted by: Woodie
Note: This post will not be at all helpful to the OP!

Originally posted by: NogginBoink
Computer: there is no back door in EFS. There are two possible ways of recovering your data: recover the EFS certificate that was originally used to encrypt the files, or do a brute force attack against the entire keyspace. ...<snip>... your only hope is to recover the original EFS certificate.
I beg to differ, the "back door" that's architected into EFS is the Recovery Agent. Encrypted File Recovery Agent is defined in the Local Security Policy and the Default Domain Policy by default. (Local\Administrator and DOMAIN\Administrator respectively, as mentioned above)

There is no default recovery agent on a standalone XP box. This is different compared to 2000, where yes, local\administrator was the DRA. Not so in XP, you need to configure one yourself. The domain\administrator is still the default DRA if the XP machine is a member of a domain.
 
Originally posted by: STaSh
There is no default recovery agent on a standalone XP box. This is different compared to 2000, where yes, local\administrator was the DRA. Not so in XP, you need to configure one yourself. The domain\administrator is still the default DRA if the XP machine is a member of a domain.

Arrgh! What's the point of no recovery agent? (Just a rhetorical question, I don't really want to know/think about it! 😉)
Correction accepted, I did the original research under W2K and ASSUMED that part hadn't changed in XP. Besides, all the clients I care about are in a domain. 🙂
 
Originally posted by: Woodie
Originally posted by: STaSh
There is no default recovery agent on a standalone XP box. This is different compared to 2000, where yes, local\administrator was the DRA. Not so in XP, you need to configure one yourself. The domain\administrator is still the default DRA if the XP machine is a member of a domain.

Arrgh! What's the point of no recovery agent? (Just a rhetorical question, I don't really want to know/think about it! 😉)
Correction accepted, I did the original research under W2K and ASSUMED that part hadn't changed in XP. Besides, all the clients I care about are in a domain. 🙂

Probably security reasons, I'm guessing.
 
This is going back a ways on this thread, but someone mentioned that EFS uses the 3DES algorithm. Windows 2000 used 3DES, but XP uses AES.
 
Originally posted by: Fiveohhh
Originally posted by: computer
It's been said many times you need the key, but you keep insisting there's a backdoor. That being said, I'd get the old HD and use something like R-Studio on it and hope you can get it back, or if it's very important, send it off to a professional data recovery service.
There is a backdoor, EVERYTHING has a back door, or more accurately a way to circumvent it.

Not everything has a backdoor. Why do you insist this when you know very little about encryption? I'm not trying to sound harsh, but you're not taking no for an answer. There's a sticky on the top of the forums saying it's impossible, other members have told you it's impossible, and Microsoft says it's impossible. Unless you have the private key or a way to brute force it, it's not gonna happen. I don't know much about encryption, but I don't see what good it would do if it had a backdoor.
Sure, I can easily take "no" for an answer. But to say that something is totally secure and invulnerable is short-sighted and naive. You're right, I don't know anything about encryption, but I DO KNOW about computers and the human race, and with computers NOTHING is impossible and you should know that. It's just a matter of time and common sense. Of course M$ is going to say it's impossible, do you expect them to disclose how to circumvent their own product?? Hell no. You can be damn sure that they DO KNOW HOW to do it though. NO ONE invents any type of encryption or security for that matter, without knowing how to also crack it. I can also assure you if someone sent an NTFS encrypted HD to the CIA or DoD, you don't think it would be almost child's play for them to view the files?
 
Originally posted by: vcarpio2
Originally posted by: computer
As for using Active File Recovery, that's all I do, right-click on the file then copy to a new location. I am not prompted for any password or anything.
Neither am I, but are you doing this with ENCRYPTED files from ANOTHER PC and you're still able to open them?

It's from the same PC -- but with a new motherboard and processor so for most intents and purposes, it's a brand-new PC.
Has the HD been reformatted?
 
Originally posted by: NogginBoink
There is lots of misinformation in this thread!

I do not know if the files and settings transfer wizard backs up this data. You can try to find out. I'm launching WinXP now to look... unfortunately, it does not appear to do so.

........... There are two possible ways of recovering your data: recover the EFS certificate that was originally used to encrypt the files, or do a brute force attack against the entire keyspace. A brute force attack is what they call "computationally infeasible" and would likely take thousands, if not millions, of years to complete. Therefore, your only hope is to recover the original EFS certificate.

The EFS certificate is stored on the local machine, but the user's password must be used to decrypt the certificate itself. This is why an admin resetting a user's password is not sufficient to recover EFS data. EDIT: This is how all of those "break EFS" utilities work: they attack the user's password to recover the user's EFS cert. Since, in this case, the cert that was used to encrypt the files was never present on the hard drives on which the files reside, these utilities won't work in this situation.
No, the Files and Settings Transfer Wizard didn't work, I tried it. :disgust:

So what if no password was ever used?

How does one go about a "brute force attack"? It could take a very long, infeasible length of time, but one can also get lucky and get the needed info in a matter of days. It's just a matter of how lucky the process may be....or may not be.
 
Sure, I can easily take "no" for an answer. But to say that something is totally secure and invulnerable is short-sighted and naive. You're right, I don't know anything about encryption, but I DO KNOW about computers and the human race, and with computers NOTHING is impossible and you should know that.

It's not totally secure: if someone gets access to your private key or can brute force it, they can decrypt it.

It's just a matter of time and common sense. Of course M$ is going to say it's impossible, do you expect them to disclose how to circumvent their own product?? Hell no. You can be damn sure that they DO KNOW HOW to do it though. NO ONE invents any type of encryption or security for that matter, without knowing how to also crack it.

Why would they make a way to make their own product obsolete?


I can also assure you if someone sent an NTFS encrypted HD to the CIA or DoD, you don't think it would be almost child's play for them to view the files?

I have no idea.


Again, I don't know jack about encryption. I'm going off what MS and the sticky post and all the other members in this thread say: it's not possible w/o the DRA key from the original machine, the original key that encrypted it, or brute forcing it.
 
Originally posted by: Fiveohhh
It's just a matter of time and common sense. Of course M$ is going to say it's impossible, do you expect them to disclose how to circumvent their own product?? Hell no. You can be damn sure that they DO KNOW HOW to do it though. NO ONE invents any type of encryption or security for that matter, without knowing how to also crack it.

Why would they make a way to make their own product obsolete?
Hee hee. They've been doing it for years. 🙂
 
This thread is getting pointless. No offense, but you need to stop complaining and start working on the only real option available to you: trying to recover the key from the old hard drive.
 
Originally posted by: STaSh
This thread is getting pointless. No offense, but you need to stop complaining and start working on the only real option available to you: trying to recover the key from the old hard drive.
NO OFFENSE??? YES offense taken!! No "offense" either.....What the hell is your problem jerk?? You seem hell bent on bashing my ass every opportunity you get! If you don't like the thread then GET LOST! A person can't inquire about something without you calling it "complaining"???????? Obviously not!!! FYI, the purpose of these forums is for persons to post things of which they do not know the answer to or of which they need help with!! It's NOT to get ridiculed and have to put up with the likes of you!!!! Again, if you don't like it, then LEAVE!! I don't recall sending you a "personal invitation" or FORCING YOU to this thread!! And also FYI, I AM "WORKING ON IT"!!!!!!!!!! If you don't have something constructive & helpful to add, then your posts are nothing but harassment! Now go find another thread where you can harass the poster there!!!!
 
If you lost about EIGHT YEARS of customer data, thousands of saved webpages that no longer exist, hundreds of Windows tweaks that can no longer be found, hundreds of motherboard manuals and other PC hardware manuals that no longer can be found, and hundreds of images of your Mom and Dad, my kittens, tame baby squirrels, macro photography, case mods, etc., etc., and dozens of other things, YOU would be trying all you could as well!
 
Wow...

NO OFFENSE??? YES offense taken!! No "offense" either.....What the hell is your problem jerk?? You seem hell bent on bashing my ass every opportunity you get! If you don't like the thread then GET LOST! A person can't inquire about something without you calling it "complaining"???????? Obviously not!!!

Um, alright.

FYI, the purpose of these forums is for persons to post things of which they do not know the answer to or of which they need help with!!

I (along with others in this thread) have provided the answer. Either a) brute force the encrypted files or b) recover the key from the old hard drive. I gave this answer because I am trying to help you.

FYI, the purpose of these forums is for persons to post things of which they do not know the answer to or of which they need help with!!

Ridicule...?

Again, if you don't like it, then LEAVE!! I don't recall sending you a "personal invitation" or FORCING YOU to this thread!!

You're right, you didn't. I took it upon myself to offer you advice and try to help you with your situation.

If you don't have something constructive & helpful to add, then your posts are nothing but harassment!

Harassment...?

I'm not trying to harass, ridicule or anything else. I am trying to help, but apparently I am not telling you what you want to hear.
 
Originally posted by: computer
Originally posted by: NogginBoink
There is lots of misinformation in this thread!

I do not know if the files and settings transfer wizard backs up this data. You can try to find out. I'm launching WinXP now to look... unfortunately, it does not appear to do so.

........... There are two possible ways of recovering your data: recover the EFS certificate that was originally used to encrypt the files, or do a brute force attack against the entire keyspace. A brute force attack is what they call "computationally infeasible" and would likely take thousands, if not millions, of years to complete. Therefore, your only hope is to recover the original EFS certificate.

The EFS certificate is stored on the local machine, but the user's password must be used to decrypt the certificate itself. This is why an admin resetting a user's password is not sufficient to recover EFS data. EDIT: This is how all of those "break EFS" utilities work: they attack the user's password to recover the user's EFS cert. Since, in this case, the cert that was used to encrypt the files was never present on the hard drives on which the files reside, these utilities won't work in this situation.
No, the Files and Settings Transfer Wizard didn't work, I tried it. :disgust:

So what if no password was ever used?

How does one go about a "brute force attack"? It could take a very long, infeasible length of time, but one can also get lucky and get the needed info in a matter of days. It's just a matter of how lucky the process may be....or may not be.


By the time your key is brute forced, you won't be needing your data anymore because you'll be dead. Hell, so will I.
 
Sun might burn out by then, too.
If I have the time, I could look into an EFS white paper and see if I can find out specifics on how to recreate the certificate. The password is null, so it shan't be too difficult... If you can recover the GUID of the old computer, it would be a great help.
 
I have seen whole text docs recovered from a three-time formatted drive, so I would hold out hope that your original key can be gotten off the old drive.
 
Originally posted by: computer
You're right, I don't know anything about encryption,

I have been following this thread for some time and the only thing which comes to my mind is :
"Computer, you sir are a complete tool !"

Admit you did something stupid and start working on the only solution you have : getting the private key back. And for the love of us, stop posting that mindless drivel

Oh, something else, if you are stupid enough to use encryption on ALL your important files without even bothering to inform yourself about the way it works, you DESERVE what is happening to you
 
Originally posted by: computer
If you lost about EIGHT YEARS of customer data, thousands of saved webpages that no longer exist, hundreds of Windows tweaks that can no longer be found, hundreds of motherboard manuals and other PC hardware manuals that no longer can be found, and hundreds of images of your Mom and Dad, my kittens, tame baby squirrels, macro photography, case mods, etc., etc., and dozens of other things, YOU would be trying all you could as well!


With data that important I would be backing it up in triple, and I would not bother with the encryption; I would just lock the CD/DVD in a safe.
 
Originally posted by: Woodie
vcarpio2
I think we're getting somewhere, thanks for the many posts w/ detailed information. 🙂

In Windows Explorer, do your encrypted files display in green text?
When you said you "encrypted the folder"...can you recall exactly how you did that? (steps/cipher command?)
Could you look into your Certificates Store (see instructions earlier in the thread) and tell us if you have any Personal Certificates? If so, how many, and do they have "Encrypting File System" listed in the "Intended Purpose" field?

Against my better judgement, I'm beginning to wonder if you've found a way around the EFS protection.

I do remember the font's color in Explorer turning green when I encrypted the folder(s) a few weeks or months ago, but they're not green now, they're regular black.

Which instructions, the one that runs MMC? Just want to be sure before I click "Finished" because I'm not sure what it's going to do.

I downloaded and installed Advanced EFS Data Recovery which was posted by Southerner above. When I click "Scan for keys" it finds entries on all my partitions. But when I click "Scan for encrypted files" on the partition where I have my "secure" folders, it finds no encrypted files. In the "File Tree" tab, I can view the directory of my "secure" folders -- the filenames, sizes, dates -- but the "Decrypt" button is grayed out, maybe because it's a trial version.

The reason it's hard for me to recall what I did is I built 4 computers the past 2 or so months. I upgraded my daughter's BX chipset PC to P4 and I re-built 2 BX chipset PCs from spares so my guests can play Quake online. (My posts can be found in the other forums under "vcarpio" -- I have 2 accounts). I also remember installing XP on my PC twice one time because I wanted the first HD's partition to be C, D and the second HD's partitions to be E, F. But if both are connected when XP is installed, the first partitions of each HD becomes C, D. So I had to detach the second HD and reinstall XP all over again.

I may have re-done the XP install a couple of times to correct driver issues, web server problems. I almost always install XP a couple of times whenever I do to get it set up just the way I want it.

I would like to think that maybe I just made the folders private (Properties->Sharing->Make this folder private) instead of encrypting them. However, I do remember I wanted the stronger security of encryption because I read about it in a magazine article somewhere. Besides, would making a folder private then reinstalling XP prevent me from accessing the folder's contents?

I must have done something wrong that caused my files to be unencrypted and recoverable. There's almost always human error involved.
 
Um, we all do stupid things and for all we know, Computer might have agonized over that one, too. But we learn from our stupid mistakes, and from others' stupid mistakes too. Just look at the information found in this thread. Besides, I kind of agree with the post that said something like we are all too familiar with Microsoft's buggy products (most especially on the subject of security I might add) and tend to ignore those "are you sure" prompts that for once when they do something right, we're caught off guard.
 
I did the same thing not too long ago (luckily it was just IRC logs that were lost). Yes, it's extremely easy to do. However, I can say with 99.9% certainty that you're out of luck w/o recovering the key from the other machine.

It has nothing to do with "computers and the human race" and a lot to do with mathematics.

"NO ONE invents any type of encryption or security for that matter, without knowing how to also crack it." <- you're right, they know how to crack it. They also know that trying to crack it wouldn't be possible in any reasonable amount of time. There isn't a chance in hell that Microsoft would put a universal key backdoor into their product. (As much of a joke as it sounds) Windows IS a corporate OS too.
 
Hugh Jackman cracked 512-bit while getting his d!ck sucked....give him a call, maybe he can help you out......On a more serious note, I don't think it's possible. I have a folder with around 30 pics that I encrypted, and like you I just backed up my docs to another HDD, and ever since I formatted I can't access these pics anymore. I've tried quite a few things but have had no luck...don't think it's possible, but now I know not to f with the encryption in WinXP.
 