Re: Windows XP -- encrypt, decrypt -- I am in deep TROUBLE -- HELP



"PJSampson" <PJSampson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:70FD8DF8-390B-4531-8E1E-92B833AFAF41@xxxxxxxxxxxxxxxx
These are the kinds of issues, answers and suggestions I came here looking
for. Thanks for your reply.

You're welcome. It's important to read and understand all of the material
on EFS if you're going to use it successfully and safely.

Most of the time people post regarding EFS, it's a story without a happy
ending.

MS did a great job of making strong encryption available, but perhaps not so
great a job at making the implications and data-safety requirements and
practices clear. Worse, you don't *have* to back up the certificates as
part of the process. This means that encrypted data is instantly
vulnerable.

-pk

"Patrick Keenan" wrote:

"PJSampson" <PJSampson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:01A51072-9847-48FF-9C25-957408EF13CE@xxxxxxxxxxxxxxxx
Will is right, there is an issue here. He only changed his password because
he was prompted to. Changing passwords every so often is a recommended
security feature. If he changed his password when prompted and it did not
apply to the files or folders that he encrypted, there is indeed a Microsoft
issue to be dealt with.

I'm just beginning to look into encrypted folders or entire drives and am
trying to research issues like this so I'll know how to deal with it.

Changing the password from within the account should not affect encrypted
files, though it would be a good idea to re-export certificates. It's the
only safe way to change the password.

Changing the password from *outside* the account (i.e., from users in another
Admin account or a password removal tool) is pretty much guaranteed to
break access to encrypted files and folders.

I don't find any posts with this title and there are no references here, so
I can't comment on the original, but when using EFS it is critical to
complete the job and export the certificates, *and test them*. Store
copies of the certificates offsite on non-decaying media.

HTH
-pk


One rebuke was enough - the other personal attacks seemed like piling on to
me.

"Will L" wrote:

Hmm... guys give that person a break! I think it is a genuine problem. Nobody
seems to be addressing the real concern.






