Can't share EFS file on laptop

By melbob
I have large encrypted files on an external drive, and I want to reformat C: and reinstall XP. In preparation, I want to ensure I'll be able to get at those external files again afterwards.

XP has the facility to allow other users access to encrypted files via properties - advanced - details - 'add' button. I figure I should export my current certificate, reinstall, import those certificates and use that 'add' button to give myself access again, or something.

But: although the button is active, it does nothing when I press it. I think (please correct me if I'm wrong) that is because I'm on a standalone laptop, hence no domain or active directory or recovery agents?

Therefore I also think that means there's no way I can recover a file if the user is lost even if I have the certificates?

I don't want to have to wrap the reinstall with decryption & reencryption if I can possibly help it, because of the time (days!) and space requirements.

A colleague suggested I instead wrap the reinstall process with a temporary join to the corporate domain. Might that work, and if so what steps do I take?


by jm In reply to Can't share EFS file on l ...

The add button should bring up a list right away. If that's not happening there is corruption in your OS. Encryption and certificates are not dependent on Active Directory.

I recommend removing encryption from the file prior to the rebuild, and then restoring it after you reinstall the machine.

When you use encryption be SURE to make a system backup of your PC so you can restore users and certificates. System restores are not easy. Oftentimes we go to do a restore and realize it's not possible and we need to do a scratch install. Be comfortable (e.g. test several times) with both full system backup and full system restore before using encryption.


by melbob In reply to

Corrupt OS? I just tried on another laptop and their add button works (shows local users), so I do believe you're right. Thanks, that's helpful.


by BFilmFan In reply to Can't share EFS file on l ...

You can export the EFS recovery agent certificates via the following process:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/102ee636-ca4b-4754-baf4-0eea64189c7f.mspx

You can import them in XP with this method:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prnb_efs_uizt.asp


by melbob In reply to

I hadn't tried importing, since I had thought that having those other certs in my trusted store would be enough. But you're quite right - after importing, access is opened up. Thanks! I can get where I want to go, now.

One unsettling thing - and it may be my 'corrupt OS' to blame (see other message in thread)??? - but by way of a heads-up for anyone else, what I am now seeing has some scary effects:

1. initially, some encrypted .mdfs are accessible only by user 'SQLServer'
2. user 'me' imports SQLServer's certificate. I try to get at one of the files - yup, perfect.
3. I also look at the properties of some of the mdfs and they all show 'me' as being the ONLY user who can access them. Curious.
3. user 'me' deletes SQLServer's certificate from my personal store (i.e. undo the import)
4. I look at the properties of the mdfs again. The ones that I looked at before, or accessed before (i.e. steps 2 & 3) STILL show 'me' as the only user with access, and I can still get at them. Any ones that I did NOT look at before (in 2 & 3) show 'SQLServer' as having access. Oh dear, this isn't quite what I expected.
5. I start SQL server. It now can't get at the files that I accessed in 2 & 3 and marks the databases as suspect. Ouch, this should not be happening.

So: after importing another user's certificate, I can access that user's data, but the act of doing so (even if that act is simply viewing the encryption user via the Explorer properties dialog!) takes over control of that file. The original user no longer has access.

That's horrible. I can undo it / sort it out, but that's evil.
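The two behaviours discussed in this thread (the 'add' button working on a standalone machine without a domain, and access to a file apparently moving from one user to another after a certificate import) both follow from how EFS keeps its keys: each file is encrypted with a random file encryption key (FEK), and the FEK is stored wrapped once per authorised user in the file's Data Decryption Field (DDF). Anyone holding a key that already appears in the DDF can unwrap the FEK and wrap it for another user, so no domain or recovery agent is needed. The following is an added example, not code from this thread or from Microsoft: a toy model of that structure in Python, using an HMAC-SHA256 keystream in place of EFS's real RSA/AES primitives so it runs with the standard library only. The `rewrite_as` function is an assumed model of one way the takeover melbob reports could arise (the file being rewritten with a DDF containing only the caller); it is not documented EFS behaviour.

```python
"""Toy model of EFS key handling: a per-file FEK wrapped once per user (DDF).

Added illustration, not EFS's real cryptography. User keys are 32-byte
symmetric secrets standing in for a user's EFS key pair; 'importing a
certificate' is modelled as simply holding another user's key bytes.
"""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 keystream (toy stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor(plaintext, key, nonce)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key is an access failure."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("key does not unwrap this entry")
    return _xor(ct, key, nonce)


class EfsFile:
    def __init__(self, plaintext: bytes, owner: str, owner_key: bytes):
        fek = os.urandom(32)                      # random per-file key
        self.data = _seal(fek, plaintext)         # file body under the FEK
        self.ddf = {owner: _seal(owner_key, fek)} # user -> wrapped FEK

    def users(self) -> list:
        """What the properties dialog lists as users who can decrypt."""
        return sorted(self.ddf)

    def _unwrap_fek(self, user: str, user_key: bytes) -> bytes:
        if user not in self.ddf:
            raise PermissionError(f"{user} is not in the DDF")
        return _open(user_key, self.ddf[user])

    def read(self, user: str, user_key: bytes) -> bytes:
        return _open(self._unwrap_fek(user, user_key), self.data)

    def add_user(self, caller: str, caller_key: bytes, new_user: str, new_key: bytes):
        """The 'add' button: needs only a key already in the DDF, no domain."""
        fek = self._unwrap_fek(caller, caller_key)
        self.ddf[new_user] = _seal(new_key, fek)

    def rewrite_as(self, caller: str, caller_key: bytes, owner: str, owner_key: bytes):
        """Assumed takeover path: rewrite the file with a fresh FEK and a DDF
        holding only the new owner, so the original user loses access."""
        plaintext = self.read(caller, caller_key)
        fek = os.urandom(32)
        self.data = _seal(fek, plaintext)
        self.ddf = {owner: _seal(owner_key, fek)}


def share_correctly():
    """'me' uses the imported SQLServer key to add its own DDF entry; both keep access."""
    sql_key, me_key = os.urandom(32), os.urandom(32)   # constructed user keys
    f = EfsFile(b"database pages", "SQLServer", sql_key)
    f.add_user("SQLServer", sql_key, "me", me_key)
    return f.users(), f.read("me", me_key), f.read("SQLServer", sql_key)


def takeover():
    """'me' reads with the imported key and the file is rewritten under 'me' alone."""
    sql_key, me_key = os.urandom(32), os.urandom(32)   # constructed user keys
    f = EfsFile(b"database pages", "SQLServer", sql_key)
    f.rewrite_as("SQLServer", sql_key, "me", me_key)
    sql_can_read = True
    try:
        f.read("SQLServer", sql_key)
    except PermissionError:
        sql_can_read = False
    return f.users(), sql_can_read, f.read("me", me_key)


if __name__ == "__main__":
    print("shared:", share_correctly()[0])   # both users listed
    print("taken over:", takeover()[:2])     # only 'me' listed, SQLServer locked out
```

The contrast between the two scenarios is the practical point for a reinstall: after importing another user's certificate, use the 'add' button (or cipher.exe's equivalent) to give your own account its own DDF entry rather than relying on the imported key alone, then verify in the properties dialog that every user who needs the file, including the service account, is still listed before removing anything.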


by melbob In reply to Can't share EFS file on l ...

This question was closed by the author
