Unable to Read Efs Certificates From Registry.pol File
Backing up EFS recovery keys is essential if you want to be able to recover encrypted documents after a disaster.
The Encrypting File System (EFS) lets you encrypt files so that unauthorized individuals can't read them. Normally, this is a good thing, because it helps secure data stored on a machine's hard drive. Still, this hack is concerned with what happens when something goes wrong: for example, if a user's machine becomes toast, taking their EFS private key and certificate to Never-Never Land.
The key to being able to recover encrypted files when something goes wrong is having a designated recovery agent already in place. So, if you lose your EFS private key, the recovery agent can decrypt your encrypted files in an emergency. Every time you encrypt a file, EFS generates a unique File Encryption Key (FEK) that it uses to encrypt only that file. In other words, each encrypted file has its own unique FEK. In addition, the FEK is itself encrypted by using your own EFS public key and incorporated into the header of the file. Later, if you want to read the encrypted file, EFS automatically uses your EFS private key to decrypt the FEK for the file and then uses the FEK to decrypt the file itself. The FEK is thus used for both encrypting and decrypting the file (a process known as symmetric encryption), while your EFS public/private key pair is used for encrypting and decrypting the FEK (known as asymmetric encryption). This combination of symmetric (or secret-key) encryption and asymmetric (public-key) encryption is the basis of how EFS works.
But what happens if you lose your EFS private key? This might happen if your machine has two drives: a system drive (C:) and a data drive (D:), where encrypted files are stored. By default, your EFS keys are stored on your system drive, so if C: becomes corrupted, then the encrypted files on D: will be inaccessible, right? That's where the recovery agent comes in. Each time you encrypt a file, the FEK is encrypted with both your own EFS public key and the EFS public key of the recovery agent. That means that the recovery agent can always decrypt the FEK by using its EFS private key and thus decrypt the file when something goes wrong and your own private key is lost or corrupt.
What are these recovery agents? By default, on standalone Windows 2000 machines, the built-in local Administrator account is designated as a recovery agent, so you can always log on as Administrator and decrypt any encrypted files stored on the machine. You can add other users as recovery agents by using the Local Security Policy console, which you can open by using Start → Run → secpol.msc. Then, expand Security Settings → Public Key Policies → Encrypted Data Recovery Agents, right-click on that node, and select Add to start the Add Recovery Agent Wizard. Any user accounts that already have X.509v3 certificates on the machine can then be added as recovery agents.
On standalone Windows Server 2003 machines, the built-in Administrator account is not a designated recovery agent. In fact, there are no default recovery agents in Windows Server 2003 in a workgroup environment. You must designate an account for this role.
In a domain environment, things are a little different. The built-in domain Administrator account is the default recovery agent for all machines in the domain, and you can specify additional recovery agents by using Group Policy. Open the Group Policy Object (GPO) for the domain, OU, or site in which the intended recovery agent account resides, and navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypted Data Recovery Agents. Right-click on this node and select Add to start the same Add Recovery Agent Wizard as before, but this time browse the directory to locate the account you want to add.
Once Group Policy refreshes, your new recovery agent will be able to decrypt files encrypted by other users, but only if the users encrypt the file after the new recovery agent was designated. This is because files encrypted previously have no information about this new recovery agent in their headers and therefore can't yet be decrypted by the new recovery agent. Fortunately, if the user who encrypted a file simply opens and then closes the file, this alone is sufficient for EFS to add the new recovery agent to the encrypted file's header. The moral of the story is that you should think before you implement EFS, and designate recovery agents before you allow users to start encrypting files. Otherwise, you might find yourself sending out an unusual email to everyone saying, "Please open and then close all files you have encrypted on your machines" or something similar.
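The two points made above (a per-file FEK wrapped separately under the owner's and each recovery agent's public key, and a header that an agent designated after encryption is missing from until the owner re-saves the file) can be seen in a small model. The following Go program is an added example written for this page; it is not code from the original hack and not Microsoft's EFS implementation. AES-256-GCM for the file data and RSA-OAEP for wrapping the FEK are assumptions standing in for the page's unspecified algorithms, and the labels "owner", "agent" and "late-agent", along with the sample document, are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models an EFS-protected file: data encrypted once under a per-file FEK,
// plus a header holding that FEK wrapped for the owner and each recovery agent (labels are illustrative).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	Header     map[string][]byte
}

// aead builds the AES-256-GCM cipher for the symmetric step; the FEK is always 32 bytes here.
func aead(fek []byte) cipher.AEAD {
	block, err := aes.NewCipher(fek)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// EncryptFile generates a fresh FEK, encrypts the data with it, and wraps the FEK for every recipient.
func EncryptFile(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // fresh AES-256 FEK for this file only, plus a standard 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm := aead(fek)
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), Header: map[string][]byte{}}
	for label, pub := range recipients {
		// Asymmetric step: RSA-OAEP wrapping is an assumption; the page does not describe EFS's own wrapping.
		blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.Header[label] = blob
	}
	return ef, nil
}

// recoverFEK tries each header entry with the supplied private key; only an entry wrapped
// for that key unwraps, so an agent designated after encryption (no entry yet) cannot open the file.
func recoverFEK(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, blob := range ef.Header {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, nil); err == nil {
			return fek, nil
		}
	}
	return nil, fmt.Errorf("no header entry was wrapped for this private key")
}

// DecryptFile unwraps the FEK with the caller's private key (owner or recovery agent), then decrypts the data.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := recoverFEK(ef, priv)
	if err != nil {
		return nil, err
	}
	return aead(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// AddRecoveryAgent re-wraps the existing FEK for a newly designated agent using a key that already opens
// the file. This models the owner opening and closing the file: the data is not re-encrypted, only the header grows.
func AddRecoveryAgent(ef *EncryptedFile, existing *rsa.PrivateKey, label string, newPub *rsa.PublicKey) error {
	fek, err := recoverFEK(ef, existing)
	if err != nil {
		return err
	}
	blob, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newPub, fek, nil)
	if err == nil {
		ef.Header[label] = blob
	}
	return err
}

func main() {
	// Constructed keys: the owner, an agent designated before encryption, and one designated later.
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	owner, agent, late := newKey(), newKey(), newKey()
	ef, err := EncryptFile([]byte("constructed sample document"), map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "agent": &agent.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(ef, agent) // the owner's private key is "lost"; the agent still succeeds
	fmt.Printf("designated agent: %q, err=%v\n", pt, err)
	_, err = DecryptFile(ef, late) // no header entry yet for the late agent
	fmt.Println("late agent before re-save:", err)
	if err = AddRecoveryAgent(ef, owner, "late-agent", &late.PublicKey); err != nil { // owner "opens and closes" the file
		panic(err)
	}
	pt, err = DecryptFile(ef, late)
	fmt.Printf("late agent after re-save: %q, err=%v\n", pt, err)
}
```

The design choice worth noticing is that the file body is never re-encrypted when an agent is added or removed: only the small wrapped-FEK entries in the header change, which is why the "open and close the file" trick the hack describes is cheap, and also why a header that was written before an agent existed gives that agent nothing to work with.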
Backing Up Encrypted Data and EFS Keys
Backing up files that have been encrypted using EFS is easy: just use the Backup utility to back them up like any other files you would back up. What's really important is that you also back up the EFS certificate and public/private key pair for each user who stores data on the machine. Since EFS is implemented on a per-user basis, this means you have to back up this information for each user individually. However, this information is stored in the user profile for each user, which means that simply by backing up user profiles you also back up their EFS certificate and keys. More specifically, a user's EFS private key is stored in the \Application Data\Microsoft\Crypto\RSA subfolder within that user's profile, while the user's EFS public key certificate and public key are stored in the \Application Data\Microsoft\SystemCertificates\My Certificates\My folder under the subfolders \Certificates and \Keys.
You can back up users' EFS certificates and key pairs as part of your regular backup program and, if you have roaming user profiles configured, you can do this centrally from the file server where such profiles are stored. If you don't have roaming profiles implemented and users store important documents on their own machines, it might be necessary to have users back up their own profiles locally by using Backup to back up to file instead of tape. Unfortunately, this guards against profile corruption only, and it might not help if a disk failure causes the backed-up profile to be lost as well. A better alternative is to have users export their EFS certificate and private key to a floppy and have them store it somewhere safe. That way, if their system drive crashes, they can still decrypt data on their data drive by importing their previously exported EFS certificate and private key.
The steps to export a user's EFS certificate and private key are fortunately quite straightforward and can be done easily by any user. Just open Internet Explorer, select Tools → Internet Options, switch to the Content tab, click the Certificates button, and select the Personal tab, as shown in Figure 10-5.
Figure 10-5. Exporting the EFS certificate and private key for user jsmith
Then, select the certificate you want to export (the correct certificate will display "Encrypting File System" beneath "Certificate intended purposes," near the bottom of the properties page) and click Export to begin the Certificate Export Wizard. Choose the option to include the user's private key in the export (the public key is automatically included in the certificate), specify a password to protect your export file, and choose a name and destination for your export file. As mentioned previously, users will typically export their EFS keys to a floppy, but you could burn them to a CD or even store them on a secure network share if you prefer. The important thing is, wherever you export this data, keep it safe so that no one except the user and trusted administrators can access it. Anyone who gets their hands on the export file and cracks the password can use it to decrypt any encrypted files they have access to.
The result of this export process will be a *.pfx file (called a Personal Information Exchange file), located in the target folder or media. Then, if the user's EFS keys later become corrupted and the need arises to reinstall these keys, this can be done either by repeating the previous process (but clicking Import instead of Export in Figure 10-5) or more simply by double-clicking on the .pfx file itself to start the Certificate Import Wizard. This wizard is smart enough to figure out that the EFS certificate and private key stored in the .pfx file should be imported into the user's personal certificate store.
An interesting option to consider when exporting a user's EFS certificate and private key is to delete the user's private key from his profile during the process. This option is labeled "Delete the private key if the export is successful" and is found on the penultimate page of the Certificate Export Wizard. If you choose this option, you'll be able to encrypt files by using EFS, but you won't be able to decrypt them unless you supply the private key on some medium, something that might be an option to consider in a high security environment.
Restoring EFS Keys
If a user's EFS private key becomes corrupted or lost and the user hasn't backed up the key to a floppy as described in the previous section, then it's time for the recovery agent to step in. On a standalone machine, you can just log on using the built-in Administrator account, locate the encrypted folders the user can no longer access in Windows Explorer, right-click on each folder, select Properties, click Advanced, and clear the "Encrypt contents to secure data" checkbox for each folder. This decrypts the files within the folders and enables the user to read them again.
In a domain environment, you typically don't want to log on to a user's machine as a domain administrator and see a local user profile being created for your account as a result. Instead, simply instruct the user to use the Backup utility to back up to file any encrypted volumes or folders on her machine. The resulting backup file (*.bkf file) processes files it backs up as a data stream and preserves their encrypted status. Then, have the user copy her .bkf file to a network share where you as domain administrator can access the backup file, restore it to another folder, decrypt whatever files the user needs, and copy these files to the share where the user can access them.
While this is the most common solution, there's another approach that's worth considering: reunite the user with his EFS keys. Even if the user hasn't previously exported his keys to a floppy for safekeeping, chances are, in a domain environment, that you make regular backups of users' profiles (assuming roaming profiles are enabled). By simply restoring a user's profile from backup you restore his EFS certificate and keys, allowing him to read his encrypted files again. Then, tell him politely but firmly to immediately export his certificate and keys to a floppy, because you don't want to have to go through this again!
If EFS is being used to encrypt files on a file server where multiple users store their files, then this process can be complicated if you've designated different recovery agents for different groups of users. In particular, you might need to determine which recovery agents are designated for any encrypted files that users can no longer access. To do this, you can use the efsinfo command-line utility included in the Windows 2000 Server Resource Kit. This handy little utility can tell you who originally encrypted a file and who the designated recovery agents for the file are. Just type efsinfo /r /u filename, where filename includes the path to the encrypted file. Once you know any recovery agent for the file, you can proceed to decrypt it as shown previously.
What if the person who can't access her encrypted files is your boss and she needs access to her files immediately? Export your own EFS certificate and private key to floppy as a domain administrator or other recovery agent, walk the floppy over to your boss's office, insert the floppy into her machine, import the certificate and private key, and decrypt her files. Then, delete the certificate and key from her machine. When she tries to encrypt a file again, a new EFS certificate and private key will automatically be generated. Smile, because you've acted like Superman, and send her an email afterwards asking for a raise.
But what if your own EFS certificate and private key as domain administrator or recovery agent is lost or corrupt?
Backing Up Recovery Agent Keys
Obviously, it's a good idea for administrators and other recovery agents to also make backup copies of their own EFS certificates and private keys. Otherwise, a single point of failure exists in this whole recovery process and users' encrypted files could be lost forever and unrecoverable.
If you're operating in a workgroup environment, remember that the built-in local Administrator account is the default recovery agent in Windows 2000. This means you have to back up the EFS certificate and private key of the Administrator account, so log on to the machine using this account and use Start → Run → secpol.msc to open Local Security Policy as before. Select the Encrypted Data Recovery Agents node under Public Key Policies in the left pane, right-click the EFS certificate in the right pane, and select All Tasks → Export to start the Certificate Export Wizard. Choose the option to export the private key as well, specify a password to protect the export file, and specify a name and destination for exporting the information: typically, some form of removable media, such as a floppy. Keep that floppy safe.
In a domain environment, the built-in domain Administrator account is the default recovery agent and the EFS certificate and private key are located on the first domain controller in the domain (the one that created the domain when you ran dcpromo on it). Log onto this machine using that account, use Start → Run → dompol.msc to open the Domain Security Policy, select Encrypted Data Recovery Agents in the left pane, right-click the EFS certificate in the right pane, again select All Tasks → Export to start the Certificate Export Wizard, and proceed as before. If you are not given the option to export the private key, you might not be logged onto the right domain controller, so change machines and try again.
Another method for exporting certificates and keys is to use the Certificates snap-in. Open a blank MMC console, add this snap-in while logged on as Administrator, expand Certificates - Current User → Personal → Certificates, and find the certificate you want to back up by looking under the Intended Purposes column, as shown in Figure 10-6. The advantage of this approach is that you can also use it to back up and restore other sorts of certificates and keys, including EFS keys.
Figure 10-6. Using the Certificates snap-in to back up a recovery agent key
Now that you've backed up your recovery agent's EFS certificate and keys, you're ready for the worst, unless your dog eats your floppy!
Source: http://etutorials.org/Microsoft+Products/windows+server+hack/Chapter+10.+Backup+and+Recovery/Hack+94+Back+Up+EFS/