EFS Certificate Needed


HonoredWriter

How do I obtain a Recovery Agent certificate to recover/restore/decrypt some
previously encrypted files? The certificates I have are not worthy to be
Recovery Agent certificates even though their intended purposes are clearly
stated. (Shucks, I'm thinking this computer has intuitive intelligence.)
--
HonoredWriter
 

Brian Komar

You need to:
1) Determine which certificate was the recovery agent (use EFSINFO or the
General tab Advanced button to find the thumbprint of the certificate).
2) You need to determine who the certificate was issued to.
3) You need to log on at the computer where the certificate was generated as
the user that received the certificate.
4) You need to check whether the certificate is still in that user's profile
(Certmgr.msc).
5) You can then export it and import it to the computer where you want to
perform the recovery process.

You cannot inject in an EFS recovery agent certificate without having either
the previous recovery agent certificate and private key or the user EFS
certificate and private key.

Brian

 

Roger Abell [MVP]

One may generate an EFS recovery agent .pfx by use of
the cipher utility with the /r option. See cipher /?
After being installed, that recovery agent will only have
decrypt capabilities on files EFS-touched afterwards.

If you believe you already have a recovery agent set up
and it is unable to decrypt EFS files, then you probably
need to use the efsinfo utility to examine the thumbprint
of the files that may not be decrypted, verify that the
account from which you attempt actually has the recovery
agent private key installed within it, etc.

Why is it that you say
> The certificates I have are not worthy to be Recovery Agent
> certificates even though their intended purposes are clearly
> stated.

?? What is it that you are seeing and how? How are you
attempting to use this (these?) ?


 

HonoredWriter

Dear Brian and Roger
The certificates I have were recently installed days after the files were
encrypted. And I think that I am in a no win situation, because I
re-installed Windows after the encryption. I should have deciphered the files
prior to re-installing Windows. The keys have probably been
discarded/changed. Also I changed the name of the User. It was foolish of me
to believe that I could decrypt files after I had re-installed Windows. The
files were not deleted because they are located on another drive and
partition. I was pulling for straws by assuming I could use another
certificate to decipher the files. Me think I will keep one or two of them on
my system to remind me what not to do (smile). Thanks for all of your good
help with the sharing of your knowledge. It is amazing how much smarter one
gets when one makes a foolish mistake. "If any man thinks he is wise let him
become a fool so he can become wise."
Thanks for your assistance.
--
HonoredWriter


 

HonoredWriter

Dear Brian and Roger
It was an error message that I received when I attempted to use several
other certificates that I had to be used. Windows would not allow me to use
them. The information that the two of you provided will be of good use
in my training. (smile). Thanks. I will keep you informed of my progress. I
will use the information contained in DOS to attempt recovery.
--
HonoredWriter


 

GreenieLeBrun


If you re-installed Windows AFTER the files were encrypted then, I am
afraid, you are out of luck as the SID (Security Identifier) will have
changed (see http://en.wikipedia.org/wiki/Security_Identifier)

You may like to peruse the following links for more information on the EFS

The Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us

How to back up the recovery agent Encrypting File System (EFS) private key
in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/kb/241201

How To Encrypt a Folder in Windows XP
http://support.microsoft.com/?id=308989

How To Remove File Encryption in Windows XP
http://support.microsoft.com/?id=308993

How To Encrypt a File in Windows XP
http://support.microsoft.com/?id=307877
 

HonoredWriter

Dear GreenieLeBrun
Thanks for the information. Some of which I have read. Thanks to all of you
guys for your assistance. The other major thing I did to help myself was to
make a backup DVD, so I now have a copy of some of the files, not all, to
restore. For sure I will follow "Windows Recommendations". Thanks.
--
HonoredWriter


 

Roger Abell [MVP]

Back up and save on non-degrading media the EFS DRA .pfx file
and try to remember its password. That is without doubt the first
and most important thing you can do once a DRA has been defined.

For EFS encrypted files in the absence of a DRA, the .pfx on a
per user basis can allow for that user being able to get to their
EFS encrypted files after a disaster (reformat/install).

Roger
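
The checks and the backup discussed in this thread (which thumbprints a file was encrypted to, whether a matching certificate with its private key is still in the user's profile, and saving that key as a .pfx) can be scripted as below. This is an added example, not code posted by anyone in the thread; it assumes a current Windows with PowerShell 3 or later, uses `cipher /c` in place of EFSINFO, and the file and backup paths are placeholders.

```powershell
# Added example; not from the thread. Paths below are placeholders.
# EKU object identifiers that mark EFS user and recovery agent certificates.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (recovery agent)

function Get-EfsFileThumbprint {
    # Thumbprints of every certificate (users and recovery agents) that
    # "cipher /c" reports for an encrypted file.
    # Assumption: cipher prints each thumbprint as ten groups of four hex
    # digits; the pattern does not depend on the localized label text.
    param([Parameter(Mandatory)][string]$Path)
    $pattern = '((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})'
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        if ("$line" -match $pattern) {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Get-EfsStoreCertificate {
    # EFS-capable certificates in the current user's Personal store
    # (the same store Certmgr.msc shows), with the fact that decides
    # recoverability: whether the private key is present.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $oids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($oids -contains $EfsOid -or $oids -contains $DraOid) {
            [pscustomobject]@{
                Thumbprint    = $_.Thumbprint.ToUpperInvariant()
                Subject       = $_.Subject
                Role          = if ($oids -contains $DraOid) { 'RecoveryAgent' } else { 'User' }
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
    }
}

function Test-EfsRecoverable {
    # Returns the store certificates that can actually open the file:
    # thumbprint listed on the file AND private key present in this profile.
    # An empty result means this account cannot decrypt the file, whatever
    # the certificate's stated intended purposes are.
    param([Parameter(Mandatory)][string]$Path)
    $onFile = @(Get-EfsFileThumbprint -Path $Path)
    Get-EfsStoreCertificate | Where-Object {
        $_.HasPrivateKey -and ($onFile -contains $_.Thumbprint)
    }
}

function Backup-EfsKey {
    # Exports certificate plus private key to a password-protected .pfx.
    # Fails if the key was not marked exportable when it was created.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath
    )
    $password = Read-Host -AsSecureString -Prompt 'Password for the .pfx'
    Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$Thumbprint" `
        -FilePath $PfxPath -Password $password
}

# --- usage (placeholder paths) ---
$file = 'D:\Data\example.doc'
$usable = @(Test-EfsRecoverable -Path $file)
if ($usable.Count -eq 0) {
    Write-Warning "No certificate with a private key in this profile matches $file"
} else {
    $usable | Format-Table Role, Thumbprint, Subject, NotAfter
    # Back up every usable key before any reinstall or profile change.
    foreach ($c in $usable) {
        Backup-EfsKey -Thumbprint $c.Thumbprint -PfxPath "E:\KeyBackup\efs-$($c.Thumbprint).pfx"
    }
}

# To create a new recovery agent key pair instead (writes .cer and .pfx and
# prompts for a password):  cipher /r:E:\KeyBackup\dra
# As noted in the thread, a newly installed recovery agent only covers files
# that EFS touches after it is in place.
```

Store the resulting .pfx files off the machine; on the recovery computer, importing one into the recovering user's Personal store is what makes the encrypted files readable again.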

 

HonoredWriter

Dear Roger
Thanks again for those words of wisdom. And once again you have filled my
plate and my cup. Thanks.

I noticed one oddity though. When I was reloading the backup files, I could
not load some of them because the encrypted files were still present. I
delegated those encrypted files to the recycle bin. So when I was finished
with all of the transferring and sending to the recycle bin, I wanted to see
what had happened to all of the encrypted files I put in the recycle bin,
and, lo and behold, they were not encrypted anymore but in plain text. Since
I went through the hassle of cataloging and restoring saved files, I decided
to call it a night (morning?) and just emptied the thing. I can live with
that.

--
HonoredWriter


 

Roger Abell [MVP]

Oh my! I have to admit that I have no clue why what you report
happened, i.e. that the EFS files were in the clear once moved
to the recycle bin, or why a restore was failing due to their being
present for that matter. Normally, a backup and restore of an EFS
encrypted file is one of the main ways to move it between systems
without disturbing its state as an EFS encrypted file. That these
were in the clear after only moving them to the recycle bin seems
to indicate that the account you were using had the proper EFS key
needed for decryption (otherwise decryption is impossible).

Roger

 

HonoredWriter

Dear Roger
.....But all is well now and everything is alright. I have gained some more
knowledge. Thanks. I guess we can put this bippy to bed now. See ya. It has
been a pleasure....
--
HonoredWriter


"Roger Abell [MVP]" wrote:

> Oh my! I have to admit that I have no clue why what you report
> happened, i.e. that the EFS files were in the clear once moved
> to the recycle bin, or why a restore was failing due to their being
> present for that matter. Normally, a backup and restore of an EFS
> encrypted file is one of the main ways to move it between systems
> without disturbing its state as an EFS encrypted file. That these
> were in the clear after only moving them to the recycle bin seems
> to indicate that the account you were using had the proper EFS key
> needed for decryption (otherwise decryption is impossible).
>
> Roger
>
> "HonoredWriter" <honoredwriter@dot.com> wrote in message
> news:4CDF8352-A247-479B-8D98-8468D99299AA@microsoft.com...
> > Dear Roger
> > Thanks again for those words of wisdom. And once again you have filled my
> > plate and my cup. Thanks.
> >
> > I noticed one oddity though. When I was reloading the backup files, I
> > could
> > not load some of them because the encrypted files were still present. I
> > delegated those encrypted files to the recycle bin. So when I was finised
> > with all of the transfering and sending to the recycle bin, I wanted to
> > see
> > what had happened to all of the encrypted files I put in the recycle bin,
> > and, lo and behold, they were not encrypted anymore but in plain text.
> > Since
> > I went through the hassle of cataloging and restoring saved files, I
> > decided
> > to call it a night (morning?) and just emptied the thing. I can live with
> > that.
> >
> > --
> > HonoredWriter
> >
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> Backup and save on non-degrading media the EFS DRA .pfx file
> >> and try to remember its password. That is without doubt the first
> >> and most important thing you can do once a DRA has been defined.
> >>
> >> For EFS encrypted files in the absence of a DRA, the .pfx on a
> >> per user basis can allow for that user being able to get to their
> >> EFS encrypted files after a disaster (reformat/install).
> >>
> >> Roger
> >>
> >> "HonoredWriter" <honoredwriter@dot.com> wrote in message
> >> news:A6594C7E-13F0-4477-8BAB-A70E90B5DAEB@microsoft.com...
> >> > Dear GreenieLaBrun
> >> > Thanks for the information. Some of which I have read. Thanks to all of you
> >> > guys for your assistance. The other major thing I did to help myself was to
> >> > make a backup DVD, so I now have a copy of some of the files, not all, to
> >> > restore. For sure I will follow "Windows Recommendations". Thanks.
> >> > --
> >> > HonoredWriter
> >> >
> >> >
> >> > "GreenieLeBrun" wrote:
> >> >
> >> >>
> >> >>
> >> >> HonoredWriter wrote:
> >> >> > Dear Brian and Roger
> >> >> > The certificates I have were recently installed days after the files
> >> >> > were encrypted. And I think that I am in a no win situation, because I
> >> >> > re-installed Windows after the encryption. I should have deciphered
> >> >> > the files prior to re-installing Windows. The keys have probably been
> >> >> > discarded/changed. Also I changed the name of the User. It was
> >> >> > foolish of me to believe that I could decrypt files after I had
> >> >> > re-installed Windows. The files were not deleted because they are
> >> >> > located on another drive and partition. I was pulling for straws by
> >> >> > assuming I could use another certificate to decipher the files. Me
> >> >> > think I will keep one or two of them on my system to remind me what
> >> >> > not to do (smile). Thanks for all of your good help with the sharing
> >> >> > of your knowledge. It is amazing how much smarter one gets when one
> >> >> > makes a foolish mistake. "If any man thinks he is wise let him become
> >> >> > a fool so he can become wise."
> >> >> > Thanks for your assistance.
> >> >> >
> >> >> >> One may generate an EFS recovery agent .pfx by use of
> >> >> >> the cipher utility with the /r option. See cipher /?
> >> >> >> After being installed, that recovery agent will only have
> >> >> >> decrypt capabilities on files EFS-touched afterwards.
> >> >> >>
> >> >> >> If you believe you already have a recovery agent set up
> >> >> >> and it is unable to decrypt EFS files, then you probably
> >> >> >> need to use the efsinfo utility to examine the thumbprint
> >> >> >> of the files that may not be decrypted, verify that the
> >> >> >> account from which you attempt actually has the recovery
> >> >> >> agent private key installed within it, etc.
> >> >> >>
> >> >> >> Why is it that you say
> >> >> >>> The certificates I have are not worthy to be Recovery Agent
> >> >> >>> certificates even though their intended purposes are clearly
> >> >> >>> stated.
> >> >> >> ?? What is it that you are seeing and how? How are you
> >> >> >> attempting to use this (these?) ?
> >> >> >>
> >> >> >>
> >> >> >> "HonoredWriter" <honoredwriter@dot.com> wrote in message
> >> >> >> news:29109205-2BD1-4FB3-9465-1F84B2DAD118@microsoft.com...
> >> >> >>> How do I obtain a Recovery Agent certificate to
> >> >> >>> recover/restore/decrypt some previously encrypted files?
> >> >> >>> The certificates I have are not worthy to be Recovery Agent
> >> >> >>> certificates even though their intended purposes are clearly
> >> >> >>> stated. ( Shucks, I'm thinking this computer has intuitive
> >> >> >>> intelligence.)
> >> >> >>> --
> >> >> >>> HonoredWriter
> >> >>
> >> >> If you re-installed Windows AFTER the files were encrypted then, I am
> >> >> afraid, you are out of luck as the SID (Security Identifier) will have
> >> >> changed (see http://en.wikipedia.org/wiki/Security_Identifier)
> >> >>
> >> >> You may like to peruse the following links for more information on the EFS
> >> >>
> >> >> The Encrypting File System
> >> >> http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
> >> >>
> >> >> Best practices for the Encrypting File System
> >> >> http://support.microsoft.com/kb/223316/en-us
> >> >>
> >> >> How to back up the recovery agent Encrypting File System (EFS) private key
> >> >> in Windows Server 2003, in Windows 2000, and in Windows XP
> >> >> http://support.microsoft.com/kb/241201
> >> >>
> >> >> How To Encrypt a Folder in Windows XP
> >> >> http://support.microsoft.com/?id=308989
> >> >>
> >> >> How To Remove File Encryption in Windows XP
> >> >> http://support.microsoft.com/?id=308993
> >> >>
> >> >> How To Encrypt a File in Windows XP
> >> >> http://support.microsoft.com/?id=307877
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>

>
>
>
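
The check quoted above (compare the thumbprint reported for an encrypted file against the certificates, and private keys, actually present in the account), as an added PowerShell example that is not part of the original thread. The thumbprint value is a constructed placeholder, the function names are hypothetical, and the two OIDs are the standard EKU identifiers for EFS and EFS File Recovery.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System (user certificate)
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (recovery agent certificate)

function Get-EfsCertificate {
    # List certificates in a store whose EKU marks them as EFS user or recovery agent certs.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $role = if ($ekus -contains $DraOid) { 'RecoveryAgent' } elseif ($ekus -contains $EfsOid) { 'EfsUser' } else { $null }
        if ($role) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                Role          = $role
                Subject       = $cert.Subject
                HasPrivateKey = $cert.HasPrivateKey   # a certificate without its key cannot decrypt
            }
        }
    }
}

function Test-EfsKeyPresent {
    # Compare a thumbprint copied from the file's EFS details with the profile's certificates.
    param([Parameter(Mandatory)][string]$FileThumbprint, [object[]]$Certificates)
    # Strip spaces or other separators so the value matches the store's format.
    $wanted = ($FileThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hit = $Certificates | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if (-not $hit) { return "No certificate with thumbprint $wanted in this profile." }
    if (-not $hit.HasPrivateKey) { return "Certificate $wanted is present, but its private key is not: decryption will fail." }
    return "Certificate $wanted ($($hit.Role)) is present with its private key."
}

# Constructed placeholder: replace with the thumbprint shown for the encrypted file.
$fileThumbprint = '0000 1111 2222 3333 4444 5555 6666 7777 8888 9999'
$certs = @(Get-EfsCertificate)
$certs | Format-Table -AutoSize
Test-EfsKeyPresent -FileThumbprint $fileThumbprint -Certificates $certs
```

A recovery agent certificate generated after the files were encrypted will show up in the list but will not match the file's thumbprint, which is the situation described in this thread.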
 