Re: NTFS File Encryption Question



I hate it when I'm asking how to do something and then have to quarrel with someone who is trying to help, but there is a way to move EFS encrypted files from one machine to another machine and still be able to read them. There are entire papers (which I've read) on how to recover encrypted files from backups of a destroyed computer or from backups of the computer of an employee who leaves the company. Unfortunately, they are not written in "novice English", but it's supposed to be possible to import the certificate and key and then be able to decrypt the file on another computer. And I'm sure that it is possible, but I'm clearly not doing it right.

[FWIW, I'm no computer novice, in fact in most regards I'm an "expert", but I've just never used encryption, keys and certificates before at the level required for this question.]

For anyone just joining: The question is, I have a USB 200 gig external hard drive on my desktop, I have EFS encrypted folders in an NTFS partition on that drive. I need to be able to move that USB drive to my laptop and be able to access the EFS encrypted files on the laptop. Both machines are running XP Pro SP2. This is a residential environment, there is no domain. There is only one account (mine, administrator) on each machine. There is no explicitly designated "recovery agent". I have attempted to export the certificate and keys from the desktop and import them onto the laptop. It's this last step that I believe is what enables access, and which apparently I am doing incorrectly.

This is not a data loss / data recovery situation, I have full access to everything on the desktop. I'm merely trying to learn how to have files that are both encrypted and transportable to other machines because I want to put some files onto a very portable (almost too portable, if you get my drift) USB hard drive, and some of those files have very sensitive financial information in them.


NobodyMan wrote:

I am certainly no expert on EFS and the XP implementation, but I do
know it is tied to the SID of the user account in question.  I
strongly suspect that when you move the USB drive to the notebook,
then import the certificates, it won't decrypt them because the SIDs
on the two accounts don't match.  They can't and never will.

On Mon, 11 Apr 2005 20:31:28 -0400, Barry Watzman
<WatzmanNOSPAM@xxxxxxxxxx> wrote:


I just tried taking ownership, and it makes no difference. I clearly don't understand what is necessary to read an EFS encrypted file on a USB external drive on a machine other than the one on which it was created.


I have a USB removable hard drive with two partitions, one FAT and one NTFS. Being very concerned about the security of the files stored on this device, I turned on file encryption for many files and folders, and those files and folders are now shown as "green" entries, which I've never used before.

And I can read those files just fine on the computer on which I made them.

Now, however, I wanted to be able to read those with my laptop, so I thought I would export the encryption keys to a ".pfx" file, which I did and put on the FAT partition, protected with a password.

Now I put the USB drive on my notebook, and I click on the .pfx certificate file, and I "import" the certificate, telling it that I want a password to be required every time the certificate is used, and everything seems to go well.

But when I try to open up an encrypted document on this drive on my notebook, I am still denied access.

What do I need to do to be able to access these files on my laptop?


Try taking ownership of the files from your laptop computer while the
USB drive is attached.


