If you use NTFS Encryption, read this

[AndyHui]

Every day, I get one or two emails, or every now and again I see in the forums, someone has encrypted their files, reinstalled Win2K or WinXP and then lost access to their encrypted files.

And it saddens me to tell them that their files are lost. Usually they don't believe me at first. They try to log in as Administrator, try to move the files around and say to me, "But there must be a way around this!".

Well, sorry, there isn't a way around this, unless you can get back into your original installation. Your files are gone.

"But it's Microsoft!", they say. "Microsoft hasn't managed to write one piece of software that works!".

NTFS version 5's Encryption is an example of something that DOES work, and work too well at times.

Fortunately, there is a way to get access to your files.

If you backup your Private Key (or perform a backup of your system state), then you can still get access to your files the next time you forget to decrypt them before formatting/reinstalling.

Please read the FAQ: .How to use EFS and back up your Private Key.

If you value your data (and I'm sure that you do if you are going to encrypt it), please back up your Private Key NOW

 

[NuclearFusi0n]

Good Post! Thanks.

 

[THUGSROOK]

encryptions and passwords will eventually only do one thing ~

they will lock you out of your system & files.

 

[NogginBoink]

Ah, this sticky is back.

My private key happens to be backed up to a floppy in my parent's safety deposit box.

 

[CTho9305]

Originally posted by: NogginBoink
Ah, this sticky is back.

My private key happens to be backed up to a floppy in my parent's safety deposit box.

I would have burned it on a CD... I've had much better luck with CDs than floppies.

 

[NuclearFusi0n]

High quality CD-Rs are many times more reliable than floppy disks.

 

[Amorphus]

Originally posted by: NuclearFusi0n
High quality CD-Rs are many times more reliable than floppy disks.

burn at 1x. no risks taken.

 

[TheVrolok]

Great post, thanks.

 

[newbiepcuser]

If I create Microsoft Certificate Authority, and issue the private key to the user for encyrption of files. Can that private key be regenerated for the user?

 

[jhu]

is it possible to brute force the public key?

 

[stash]

Its possible to brute force anything given enough computing power and time

 

[MainFramed]

wow, thanks . that seriously helps

 

[beatle]

Originally posted by: jhu
is it possible to brute force the public key?

If brute force doesn't work, you're not using enough of it!

 

[kg4dsx]

I know the pain of encryption....and lost data. I encrypted my data, but my system died and I had to reinstall, so I lost everything. I now have a backup of the Private Key burned to cd and put away in a safe place.

 

[ferrarifreak93]

Windows only encrypts files if I check the "Encrypt Contents To Secure Data" option right? I want to use NTFS but I don't want my files to be encrypted automatically.

 

[goblue420]

Originally posted by: AndyHui
Every day, I get one or two emails, or every now and again I see in the forums, someone has encrypted their files, reinstalled Win2K or WinXP and then lost access to their encrypted files.

And it saddens me to tell them that their files are lost. Usually they don't believe me at first. They try to log in as Administrator, try to move the files around and say to me, "But there must be a way around this!".

Well, sorry, there isn't a way around this, unless you can get back into your original installation. Your files are gone.

"But it's Microsoft!", they say. "Microsoft hasn't managed to write one piece of software that works!".

NTFS version 5's Encryption is an example of something that DOES work, and work too well at times.

Fortunately, there is a way to get access to your files.

If you backup your Private Key (or perform a backup of your system state), then you can still get access to your files the next tmie you forget to decrypt them before formatting/reinstalling.

Please read the FAQ:How to use EFS and backup your Private Key.

If you value your data (and I'm sure that you do if you are going to encrypt it), please back up your Private Key NOW.

dude.....u can just claim ownership on the folder, ive done it b4

 

[stash]

Ownership is just an NTFS permissions attribute. It has absolutely nothing to do with encryption. When you encrypt something, the only way to access it again is to decrypt it with the corresponding key. If you don't have the key, you will never be able to read the file, unless you are willing to wait more years than you will live to brute force it.

There is no work around, and this is not a bug. EFS encypts file using PKI. A file is encrypted with a file encrypting key (FEK). The user's public key is then used to encypt the FEK. If a recovery agent is specified, the FEK is also encypted with that. Therefore, it is mathematically impossible for anything other than the user's private key or the recovery agent's private key to decrypt the FEK. If you can't decypt the FEK, you can't decrypt the file. The probability of brute forcing a 128-bit key in a lifetime is so small that it is impractical to even attempt it.

So to repeat, taking ownership will not decrypt an encrypted file! The only thing taking ownership will do is allow you to assign permissions to a file that you can no longer access.

 

[CTho9305]

 

[AndyHui]

goblue420: taking ownership has nothing to do with file encryption. You cannot take ownership of files that have been encrypted; the files that you took ownership of were not using the EFS feature of NTFS.

 

[Mrburns2007]

[sarcasm] Wow, they figured out encryption cause it was so difficult and nobody else had. [/sarcasm]

 

[Mrburns2007]

Problem: I don't have a .cer so I can't add a recovery agent, there aren't any users even the admistrator ?

How do I add one ?

 

[blcjr]

Originally posted by: Mrburns2007
Problem: I don't have a .cer so I can't add a recovery agent, there aren't any users even the admistrator ?

How do I add one ?

The administrator should be the default recovery agent. You can confirm that this is so by opening the "Local Security Policy" management console (in Administrative tools), select Public Key Policies --> Encrypted Data Recovery Agents, and you should see "Administrator" there.

As for adding one, you need to add certificate services first, which you can do through the control panel Add/Remove Software --> Windows Components dialog.

 

[stash]

The administrator should be the default recovery agent

This depends on the OS. For Windows 2000 this is true...for XP, it is not. There is no default recovery agent for an XP box in a workgroup.

For both Windows 2000 and XP Pro, the domain administrator is the default recovery agent if the machine is a member of a domain.

 

[Mrburns2007]

Originally posted by: blcjr

Originally posted by: Mrburns2007 Problem: I don't have a .cer so I can't add a recovery agent, there aren't any users even the admistrator ? How do I add one ?

The administrator should be the default recovery agent. You can confirm that this is so by opening the "Local Security Policy" management console (in Administrative tools), select Public Key Policies --> Encrypted Data Recovery Agents, and you should see "Administrator" there. As for adding one, you need to add certificate services first, which you can do through the control panel Add/Remove Software --> Windows Components dialog.

No Recovery agent isn't installed and "update root certificates" is already installed. So how do I add a revovery agent ?

 

[Mrburns2007]

Find better info in this thread about how to install a certificate on a stand alone machine: http://forums.anandtech.com/messageview.cfm?catid=34&threadid=1169496