If you use NTFS Encryption, read this

AndyHui

Administrator Emeritus, Elite Member, AT FAQ M
Oct 9, 1999
Every day, I get one or two emails, or every now and again I see in the forums, someone has encrypted their files, reinstalled Win2K or WinXP and then lost access to their encrypted files.

And it saddens me to tell them that their files are lost. Usually they don't believe me at first. They try to log in as Administrator, try to move the files around and say to me, "But there must be a way around this!".

Well, sorry, there isn't a way around this, unless you can get back into your original installation. Your files are gone.

"But it's Microsoft!", they say. "Microsoft hasn't managed to write one piece of software that works!".

NTFS version 5's Encryption is an example of something that DOES work, and work too well at times.

Fortunately, there is a way to get access to your files.

If you back up your Private Key (or perform a backup of your system state), then you can still get access to your files the next time you forget to decrypt them before formatting/reinstalling.

Please read the FAQ: How to use EFS and back up your Private Key.

If you value your data (and I'm sure that you do if you are going to encrypt it), please back up your Private Key NOW.
 

THUGSROOK

Elite Member
Feb 3, 2001
encryptions and passwords will eventually only do one thing ~

they will lock you out of your system & files.

:p
 

NogginBoink

Diamond Member
Feb 17, 2002
Ah, this sticky is back. :)

My private key happens to be backed up to a floppy in my parent's safety deposit box.
 

CTho9305

Elite Member
Jul 26, 2000
Originally posted by: NogginBoink
Ah, this sticky is back. :)

My private key happens to be backed up to a floppy in my parent's safety deposit box.

I would have burned it on a CD... I've had much better luck with CDs than floppies.
 

newbiepcuser

Diamond Member
Jan 1, 2001
If I create a Microsoft Certificate Authority and issue the private key to the user for encryption of files, can that private key be regenerated for the user?
 

stash

Diamond Member
Jun 22, 2000
It's possible to brute force anything given enough computing power and time.
 

kg4dsx

Junior Member
Oct 3, 2003
I know the pain of encryption... and lost data. I encrypted my data, but my system died and I had to reinstall, so I lost everything. I now have a backup of the Private Key burned to CD and put away in a safe place.
 

ferrarifreak93

Senior member
Feb 21, 2003
Windows only encrypts files if I check the "Encrypt Contents To Secure Data" option right? I want to use NTFS but I don't want my files to be encrypted automatically.
 

goblue420

Senior member
Aug 29, 2003
Originally posted by: AndyHui
Every day, I get one or two emails, or every now and again I see in the forums, someone has encrypted their files, reinstalled Win2K or WinXP and then lost access to their encrypted files.

And it saddens me to tell them that their files are lost. Usually they don't believe me at first. They try to log in as Administrator, try to move the files around and say to me, "But there must be a way around this!".

Well, sorry, there isn't a way around this, unless you can get back into your original installation. Your files are gone.

"But it's Microsoft!", they say. "Microsoft hasn't managed to write one piece of software that works!".

NTFS version 5's Encryption is an example of something that DOES work, and work too well at times.

Fortunately, there is a way to get access to your files.

If you backup your Private Key (or perform a backup of your system state), then you can still get access to your files the next time you forget to decrypt them before formatting/reinstalling.

Please read the FAQ: How to use EFS and backup your Private Key.

If you value your data (and I'm sure that you do if you are going to encrypt it), please back up your Private Key NOW.


dude..... you can just claim ownership on the folder, I've done it before
 

stash

Diamond Member
Jun 22, 2000
Ownership is just an NTFS permissions attribute. It has absolutely nothing to do with encryption. When you encrypt something, the only way to access it again is to decrypt it with the corresponding key. If you don't have the key, you will never be able to read the file, unless you are willing to wait more years than you will live to brute force it.

There is no work around, and this is not a bug. EFS encrypts files using PKI. A file is encrypted with a file encrypting key (FEK). The user's public key is then used to encrypt the FEK. If a recovery agent is specified, the FEK is also encrypted with that. Therefore, it is mathematically impossible for anything other than the user's private key or the recovery agent's private key to decrypt the FEK. If you can't decrypt the FEK, you can't decrypt the file. The probability of brute forcing a 128-bit key in a lifetime is so small that it is impractical to even attempt it.

So to repeat, taking ownership will not decrypt an encrypted file! The only thing taking ownership will do is allow you to assign permissions to a file that you can no longer access.
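Added example (not code from this thread, and not Windows' own implementation) modelling the key hierarchy stash describes: a random FEK encrypts the data, the FEK is wrapped separately to the user's public key and to the recovery agent's, and "taking ownership" only rewrites ACL metadata. The `cryptography` library, AES-GCM standing in for the EFS file cipher, the user names and the dictionary layout are assumptions, not the EFS on-disk format.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP wraps the FEK; AES-GCM is an assumed stand-in for EFS's file cipher.
OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)

def efs_encrypt(plaintext: bytes, user_pub, dra_pub=None) -> dict:
    """Fresh FEK per file; wrap it to the user (DDF) and, if present, the DRA (DRF)."""
    fek = AESGCM.generate_key(bit_length=128)
    nonce = os.urandom(12)
    blob = {"owner": "alice", "nonce": nonce,            # 'owner' models the NTFS ACL
            "data": AESGCM(fek).encrypt(nonce, plaintext, None),
            "ddf": user_pub.encrypt(fek, OAEP)}
    if dra_pub is not None:
        blob["drf"] = dra_pub.encrypt(fek, OAEP)
    return blob

def efs_decrypt(blob: dict, priv, field: str) -> bytes:
    """Unwrap the FEK from one field with a private key; a wrong key raises ValueError."""
    fek = priv.decrypt(blob[field], OAEP)
    return AESGCM(fek).decrypt(blob["nonce"], blob["data"], None)

def take_ownership(blob: dict, new_owner: str) -> dict:
    """Stand-in for 'Take ownership': it rewrites ACL metadata and nothing else."""
    return {**blob, "owner": new_owner}

def can_decrypt(blob: dict, priv, field: str = "ddf") -> bool:
    try:
        efs_decrypt(blob, priv, field)
        return True
    except (ValueError, KeyError):       # KeyError: no wrapped copy for that party
        return False

def demo() -> dict:
    user = rsa.generate_private_key(65537, 2048)         # key from the original install
    dra = rsa.generate_private_key(65537, 2048)          # domain recovery agent
    fresh_admin = rsa.generate_private_key(65537, 2048)  # Administrator after reinstall
    blob = efs_encrypt(b"tax records", user.public_key(), dra.public_key())
    seized = take_ownership(blob, "Administrator")
    workgroup = efs_encrypt(b"tax records", user.public_key())  # XP workgroup: no DRA
    return {
        "user_ok": efs_decrypt(blob, user, "ddf") == b"tax records",
        "dra_ok": efs_decrypt(blob, dra, "drf") == b"tax records",
        "owner_changed": seized["owner"] == "Administrator",
        "admin_after_takeown": can_decrypt(seized, fresh_admin),
        "dra_on_workgroup_box": can_decrypt(workgroup, dra, "drf"),
    }
```

Calling `demo()` shows the original user and the recovery agent both recover the data, while the reinstalled Administrator's fresh key gets nothing even after "taking ownership", and a box with no recovery agent has no DRF to recover from.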
 

AndyHui

Administrator Emeritus, Elite Member, AT FAQ M
Oct 9, 1999
goblue420: taking ownership has nothing to do with file encryption. You cannot take ownership of files that have been encrypted; the files that you took ownership of were not using the EFS feature of NTFS.
 

Mrburns2007

Platinum Member
Jun 14, 2001
[sarcasm] Wow, they figured out encryption cause it was so difficult and nobody else had. [/sarcasm]

 

Mrburns2007

Platinum Member
Jun 14, 2001
Problem: I don't have a .cer so I can't add a recovery agent; there aren't any users, even the administrator?

How do I add one?
 

blcjr

Golden Member
Oct 28, 1999
Originally posted by: Mrburns2007
Problem: I don't have a .cer so I can't add a recovery agent; there aren't any users, even the administrator?

How do I add one?

The administrator should be the default recovery agent. You can confirm that this is so by opening the "Local Security Policy" management console (in Administrative tools), select Public Key Policies --> Encrypted Data Recovery Agents, and you should see "Administrator" there.

As for adding one, you need to add certificate services first, which you can do through the control panel Add/Remove Software --> Windows Components dialog.

 

stash

Diamond Member
Jun 22, 2000
The administrator should be the default recovery agent

This depends on the OS. For Windows 2000 this is true...for XP, it is not. There is no default recovery agent for an XP box in a workgroup.

For both Windows 2000 and XP Pro, the domain administrator is the default recovery agent if the machine is a member of a domain.
 

Mrburns2007

Platinum Member
Jun 14, 2001
Originally posted by: blcjr
Originally posted by: Mrburns2007
Problem: I don't have a .cer so I can't add a recovery agent; there aren't any users, even the administrator?

How do I add one?

The administrator should be the default recovery agent. You can confirm that this is so by opening the "Local Security Policy" management console (in Administrative tools), select Public Key Policies --> Encrypted Data Recovery Agents, and you should see "Administrator" there.

As for adding one, you need to add certificate services first, which you can do through the control panel Add/Remove Software --> Windows Components dialog.

No, Recovery agent isn't installed and "update root certificates" is already installed. So how do I add a recovery agent?