Unable to get a DRA to work with EFS, Help!

jelangley Member Posts: 12
Hi,

I'm currently working on a stand-alone XP machine and have created a file and encrypted it as a user called Joe Bloggs.

I, the administrator of the machine, have run the cipher command (cipher /r:filename) and created my certificate and key. I have then gone to Local Security Policy and imported the certificate so that I am now a designated DRA.

If I attempt to decrypt the file, all I get is "access denied".

If I add myself as a transparent reader of the file, all I get is error code 5.

Please help!

Comments

  • sprkymrk Member Posts: 4,884
    I think you have to create the RA first, then it will be able to decrypt any files encrypted by EFS afterwards. You can't encrypt a file first, then decide to have a recovery agent, otherwise anyone who owns/steals the box can decrypt the files by making themselves the RA.
    All things are possible, only believe.
  • sprkymrk Member Posts: 4,884
    See this:
    http://support.microsoft.com/kb/241201

    Specifically:
    You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After you decrypt the FEK, you can use the FEK to decrypt the file.

    If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the Recovery Agent's public key. The encrypted FEK is attached to the file with the copy that is encrypted with your EFS public key in the Data Recovery Field (DRF). If you use the recovery agent's private key, you can decrypt the FEK, and then decrypt the file.

    Here is the order as it appears to me:

    1. EFS uses an encryption key that is dynamically generated to encrypt the file.
    2. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute.
    3. Every time that a file is encrypted, the FEK is also encrypted with the Recovery Agent's public key.
    etc.

    So when the file itself is encrypted, that is when the private key AND RA key are added as an EFS attribute. If there was no RA designated at the time the file was encrypted, no RA created afterwards can decrypt the file.
    All things are possible, only believe.
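    The DDF/DRF layout quoted from the KB article above, as an added example that is not part of the original thread: a toy Python model in which a fresh FEK encrypts the file and is then wrapped once for the owner (DDF) and once for every recovery agent that exists at encryption time (DRF). A file encrypted before any DRA was designated carries no DRF, so the later-designated agent is denied, while a file encrypted after the agent exists is recoverable. The names (joe, admin) and the XOR-with-SHA-256 stand-in for RSA/AES are constructed assumptions, not Windows code.

```python
"""Toy model of the EFS key layout quoted above: a random FEK encrypts the file and is
wrapped for the owner (DDF) and for each recovery agent present at encryption time (DRF).
Constructed example, not Windows code; XOR with a SHA-256 keystream is NOT secure."""
import hashlib
import os
from dataclasses import dataclass

def _xor(data, key, label):
    # keystream = SHA-256(label || key || counter) blocks, XORed over data
    stream = b"".join(hashlib.sha256(label + key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class EncryptedFile:
    ciphertext: bytes
    fek_check: bytes  # stands in for the RSA padding check that rejects a wrong key
    ddf: dict         # owner name -> FEK wrapped with the owner's key
    drf: dict         # recovery agent name -> FEK wrapped with that agent's key

def encrypt_file(plaintext, owner, owner_key, recovery_agents):
    fek = os.urandom(32)  # fresh File Encryption Key for every encryption
    return EncryptedFile(
        ciphertext=_xor(plaintext, fek, b"file"),
        fek_check=hashlib.sha256(b"check" + fek).digest()[:8],
        ddf={owner: _xor(fek, owner_key, b"wrap")},
        drf={name: _xor(fek, k, b"wrap") for name, k in recovery_agents.items()})

def decrypt_file(ef, principal, key):
    wrapped = ef.ddf.get(principal) or ef.drf.get(principal)
    if wrapped is None:  # no DDF/DRF entry for this principal: "access denied"
        raise PermissionError(f"{principal}: no DDF/DRF entry in file")
    fek = _xor(wrapped, key, b"wrap")
    if hashlib.sha256(b"check" + fek).digest()[:8] != ef.fek_check:
        raise PermissionError(f"{principal}: wrong private key")
    return _xor(ef.ciphertext, fek, b"file")

def scenario():
    """Replays the thread: joe encrypts with no DRA; admin becomes DRA afterwards."""
    joe_key, admin_key = os.urandom(32), os.urandom(32)
    old = encrypt_file(b"payroll.xls", "joe", joe_key, {})      # no DRA existed
    agents = {"admin": admin_key}                                # cipher /r + policy import
    new = encrypt_file(b"payroll.xls", "joe", joe_key, agents)  # encrypted after DRA exists
    def can(ef, who, key):
        try:
            return decrypt_file(ef, who, key) == b"payroll.xls"
        except PermissionError:
            return False
    return {"joe_old": can(old, "joe", joe_key),
            "admin_old": can(old, "admin", admin_key),   # no DRF -> access denied
            "admin_new": can(new, "admin", admin_key)}
```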
  • Opi Member Posts: 127
    Let's say an employee encrypted some files, he gets fired and there is no DRA available.

    I have learned that you can't take ownership of these files, you can only back up the files. This is correct, right?

    How can I retrieve these files?
  • sprkymrk Member Posts: 4,884
    Opi wrote:
    Let's say an employee encrypted some files, he gets fired and there is no DRA available.

    I have learned that you can't take ownership of these files, you can only back up the files. This is correct, right?

    How can I retrieve these files?

    You can't. Even if you didn't delete the user account, unless you know the password he/she used, you can't retrieve these files. If you reset the user's password through ADUC, those files are no longer recoverable.

    As far as taking ownership and/or backing them up - I don't know, but it doesn't matter as that will not help you decrypt them. There may be a brute-force way of cracking EFS, as I have heard it is exploitable, but I don't have that information if it exists.

    Unless you have a Recovery Agent designated BEFORE the files are encrypted, you are basically out of luck.
    All things are possible, only believe.
  • Opi Member Posts: 127
    OK, thanks for the info, sprkymrk.