
I have a machine here that is joined to a domain. Some days ago, I made a disk image of that workstation because the HDD was beginning to fail. I put the new drive in the machine and the user now complains that he cannot read some of his files. It appears he has a folder tree encrypted by EFS. I put the old disk back in his machine and still cannot read those encrypted files... Is there a way to recover them?


1 Answer


If you set up recovery agents in group policy, you should be able to install the recovery agent's private key onto the new machine and decrypt the files when logged in as that user. Another option would be to see if you can export the user's private key from the CA, or if it has already been exported somewhere else, and install this key for the user. If neither of these is a viable option, I believe you are pretty much SOL.


EDIT: to answer the question in the comments.

First, you will need your recovery agent's private key plus certificate (.pfx), not just the certificate (.cer).

To import your private key (.pfx) you need to do the following:

  1. Log on to your computer using the recovery agent account
  2. Browse to your private (.pfx) key, then right click on it
  3. Click Install PFX to start the Certificate Import wizard.
  4. Click Next and confirm the file location and name.
  5. Click Next. Type the password for the private key, and then click Next.
  6. Click Place all certificates in the following store, and then click Browse.
  7. Click Personal, and then click OK.
  8. Click Finish, click Yes to add the certificate, and then click OK.

Once you have installed the private key, you will be able to decrypt the files.

  • I have already created a recovery agent in the past as the Administrator's domain account. I have a copy of this certificate (.cer) in a safe place. What is the procedure to install it? – nrgyz Nov 30 '09 at 17:20
  • Which version of windows are you using XP, Vista, 7? – Zypher Nov 30 '09 at 17:28
  • Windows XP Professional – nrgyz Nov 30 '09 at 17:35
  • @Zypher: Did your procedure but still getting 'Access denied' when decrypting the files... Am I OOL? – nrgyz Nov 30 '09 at 17:55
  • Can anyone explain to me why I can't just put the old drive in the same hardware and decrypt them? The user account was untouched. – nrgyz Nov 30 '09 at 18:33
  • For posterity: an "Access Denied" error is *not* an EFS-encrypted-file error, it is an ACL/permissions issue ([more explanation here](http://www.techrepublic.com/article/get-it-done-remove-efs-from-win2kxp-clients-to-avoid-security-breaches/5035070)). In that case, be sure to use elevated ("Run as administrator") permissions on Vista or Win7 clients, and edit the ACLs to allow the user control of his files again, possibly taking/granting ownership of the files as needed. – ewall Aug 15 '11 at 15:35
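An added worked example, not part of the answer or the comments above: a PowerShell triage script that first checks whether the file actually carries the EFS Encrypted attribute (the distinction ewall's comment makes), lists the certificates that can decrypt it and the ACL, and only then imports the recovery agent's .pfx and decrypts. It assumes a modern Windows (Windows 8/Server 2012 or later, for `Import-PfxCertificate` and `cipher /c`; these did not exist on XP), and the parameter names `$Path` and `$RecoveryPfx` are hypothetical.

```powershell
# Added example, not from the original answer. Triage an "Access denied" on a
# file the user believes is EFS-encrypted, then (optionally) import the recovery
# agent's .pfx so the logged-on account can decrypt it.
# Assumes Windows 8/Server 2012 or later (Import-PfxCertificate, cipher /c).
# $Path and $RecoveryPfx are hypothetical parameter names.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$RecoveryPfx
)

$item = Get-Item -LiteralPath $Path -Force

# EFS sets the Encrypted attribute. Without it, the denial is an ACL problem,
# not an EFS one, and no certificate import will fix it.
$isEfs = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
if (-not $isEfs) {
    Write-Host "Not EFS-encrypted; check the ACL below (ownership/permissions)."
} else {
    # List the user certificates and recovery agents whose keys can decrypt it.
    cipher /c $Path
}

# Show who is granted or denied access. An explicit Deny, or no Allow entry
# for the user at all, explains an ACCESS_DENIED with no EFS involvement.
$acl = Get-Acl -LiteralPath $Path
$acl.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
Write-Host ("Owner: " + $acl.Owner)

# Import the recovery agent's private key into the logged-on user's Personal
# store. The thumbprint must match one listed by cipher /c for this to help.
if ($isEfs -and $RecoveryPfx) {
    $pw   = Read-Host -AsSecureString -Prompt "PFX password"
    $cert = Import-PfxCertificate -FilePath $RecoveryPfx `
              -CertStoreLocation Cert:\CurrentUser\My -Password $pw
    Write-Host ("Imported recovery agent certificate " + $cert.Thumbprint)
    # Now that this account holds a matching private key, clear the encryption.
    cipher /d $Path
}
```

Run it as the account that will hold the recovery key; if the file is not marked Encrypted, skip the import entirely and repair ownership and ACLs instead.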