Having written thousands of articles over the last 13 years or so, I tend to get a lot of mail from readers asking a lot of diverse questions. The one question I get asked more than any other is how to recover encrypted files. Typically what happens is that either Windows crashes or someone decides to reformat the hard drive and reinstall Windows, forgetting that the machine contains another volume that is full of encrypted files.
Unfortunately, there isn't an easy answer for regaining access to encrypted files after the operating system is destroyed. While there are a few utilities available on the Internet that claim to be able to perform a brute force crack on encrypted files, I have never actually used any of these utilities and am therefore hesitant to recommend one.
I've picked up a few tricks over the years I'd like to share with you that will help prevent data loss. We'll start with how to recover Encrypting File System (EFS) keys.
Designate multiple recovery agents
A common key-related problem that results in data loss involves losing EFS keys. For example, suppose that an employee encrypted some files using EFS. Let's say this user later becomes disgruntled and reformats the hard disk containing Windows. In a situation like this, you could easily reinstall Windows, but the files would remain encrypted because the encryption keys were stored as a part of the original Windows installation. Although the encrypted files have not been deleted, data loss still occurs because it is no longer possible to decrypt the files.
The first thing you need to understand about EFS is that encrypted files do not necessarily have to be encrypted in such a way that they are only accessible to one user. EFS uses symmetrically encrypted data blocks, and the symmetric key is encrypted by one or more public/private key pairs. There is a separate public/private key pair for each user who has access to decrypt the files.
Designate multiple recover alerts
I have seen a lot of publications that indicate that the local administrator account is automatically designated to act as a recovery agent in Windows XP. However, this is only true in certain situations. If the system is not a part of a domain, then it will only have a built-in recovery agent if it was originally upgraded from Windows 2000 Professional.
In Windows 2000 Professional, the local administrator account always acts as a designated recovery agent. When Microsoft created Windows XP, it decided to remove this capability in order to prevent the administrator account from being used as a mechanism for cracking encrypted files. The rules change, though, if the workstation is a member of a Windows 2000 or a Windows Server 2003 domain. In such cases, the built-in domain administrator account (not just someone with domain admin rights) is designated as the recovery agent.
If a Windows XP machine is acting as a part of a workgroup and does not have a designated recovery agent, then you can and should take the time to designate a recovery agent on your own. This is as simple as designating additional users who have permission to decrypt the encrypted files.
Begin the process by encrypting the files in the usual manner. After doing so, right click on an encrypted folder and choose the Properties command from the resulting shortcut menu. When you do, Windows will display the folder's properties sheet. Now, click the Advanced button found on the properties sheet's General tab, and then click the Details button. You should now be presented with the opportunity to add users to the list of users who are allowed to decrypt the folder's contents.
When it comes to adding users, you can add any user who has a certificate cached in the local machine's "Other People" certificate store. You also have the option of adding Active Directory users, but any domain user that you add must have a valid EFS certificate in Active Directory.
Once you have given other users access to encrypted folders, the recovery process is usually simple. If a user who owns the encrypted files loses his certificate for whatever reason, other users who have been given access to the files can log in and decrypt them.
Although this sounds simple, it isn't always practical. For instance, if a hard drive failure destroys the Windows operating system, then the certificate cache may also be destroyed. In such a situation, file recovery becomes impossible without the aid of third-party tools unless you have external copies of the certificates. So, keeping an external copy of the recovery certificate Is probably a good idea. Reinstall Windows if necessary, and then import the certificate as a way of gaining access to the encrypted files.
How to create an external copy of a certificate
The process of creating an external copy of the certificate varies depending on whether the machine is acting as part of a domain. To export a certificate from a workstation that is acting as a member of a workgroup, follow these steps:
- Log on to the workstation using the recovery agent's account.
- Enter the MMC command at the Run prompt.
- Choose the Add/Remove Snap-in option from the console's File menu.
- Choose the Certificates option from the list of available snap-ins and click Add.
- When prompted, choose the My User Account option, and then click Finish.
- Click Close, followed by OK.
- Navigate through the console tree to Certificates | Current User | Personal | Certificates.
- Look for a certificate that has the Intended Purposes column set to File Recovery.
- Right click on the certificate and choose the All Tasks | Export commands from the resulting shortcut menus.
- When the Certificate Export Wizard starts, click Next.
- Choose the Yes, Export the Private Key option and click Next.
- Choose the Personal Information Exchange -- PKCS #12 (.PFX) option and choose the Enable Strong Protection option.
- Make sure that the option to delete the private key is not selected.
- Click Next.
- Provide a password and click Next.
- Specify a file name for the exported certificate and private key and click Next.
- Click Finish to complete the wizard.
The process is basically the same if you want to export a key from a domain account. The biggest difference is that you must log on locally to a domain controller, rather than logging onto a workstation.
In either case, I recommend exporting the certificate in the key to a form of removable media that can be closely safeguarded. This makes it easy to transport the certificate and the key to the machine you are performing the recovery on. I probably don't have to say this, but it is very important that you do not lose the disk or flash drive containing the certificate and the key.
If you ever need to recover an encrypted file using the certificate that you exported, follow these steps:
- Log onto the workstation as an administrator.
- Enter the GPEDIT.MSC command at the Run prompt.
- Navigate through the Group Policy Object Editor tree to Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Public Key Policies.
- Right click on the Encrypting File System container and choose the Add Data Recovery Agent command from the shortcut menu.
- When the wizard starts, click Next, and then choose the Browse Folders option.
- Locate the file that you created earlier and click Open.
- Click Next, followed by Finish.
About the author: Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox.
This was first published in March 2008