
Help! I've encrypted my data and I can't get it back

Waved goodbye to any encrypted data lately? Do you want to get it back? Security Expert Roberta Bragg shares her secrets for doing just that.

By Roberta Bragg, Security Expert
'Hi. I read your article on EFS, and I'm wondering if you can help me. I have encrypted my business records and now can't access them. I make regular data backups and so last week when my hard drive failed, I was not alarmed. I got a new hard drive, installed Windows 2000 Professional and restored my data from backup. But I can't open my encrypted files. What should I do?'

I get a letter like this at least once a week. Unfortunately, unless you have backed up the encryption keys, you will lose access to the data should the keys become lost or corrupt. Since the keys are stored in the user's profile, if the disk crashes, and no backup of the keys or profile exists, and if your machine is standalone, you most assuredly are out of luck.

Let's take a minute to see why. When a file is encrypted in a standalone Windows 2000 or XP Professional environment, multiple encryption keys are involved. First, a randomly generated File Encryption Key (FEK) is used to encrypt the file. Next, the user's public key, one of a paired set of personal encryption keys, is used to encrypt the FEK. The encrypted FEK is kept in the Data Decryption Field (DDF) with the encrypted file. When the user wants to view the file, his private key (the key that is paired with the public key) is used to decrypt the FEK, which is then used to decrypt the file.

Figure: Every time a file is encrypted, a random File Encryption Key (FEK) is used. The user's public key is then used to encrypt this key.

Figure: To decrypt the file, the user's private key is used to decrypt the FEK. Then the FEK can be used to decrypt the file.

Because the public and private keys are a paired set, when the user's public key is used to encrypt a FEK, only the user's private key can be used to decrypt it. The key pair is stored in the user's profile. So what happens when a drive crashes and is then replaced, or is reformatted, or when Windows is reinstalled, or the profile becomes corrupt? That's right, the user's key pair is irretrievably gone (unless of course, the user has backed it up) -- and so is his access to the encrypted files.

A place called hope
There is an exception to this bleak report. If the computer is a standalone Windows 2000 computer, the local Administrator account is designated as the data recovery agent. This account also has a key pair, and during file encryption, the Administrator's public key is also used to encrypt the FEK. This encrypted copy of the FEK, like the one made with the user's public key, is stored with the file but in its own field, the Data Recovery Field (DRF).

Figure: On a Windows 2000 standalone computer, the local Administrator is the data recovery agent. Each encrypted file's FEK is encrypted by the Administrator's public key.

This means, of course, that anyone possessing the Administrator account password can also decrypt and read the file. Since this is so, the Administrator could recover the encrypted file should the user's keys be destroyed. Unfortunately, because the Administrator keys are also in his profile and located on the hard drive, if the drive is destroyed or reformatted, or if Windows is reinstalled, these keys will also be lost. You should also be forewarned: Windows XP Professional does not make the local Administrator account the data recovery agent! If the user's keys are corrupt or lost, there is no saving grace.
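The key relationships described above and in the earlier FEK section (one random FEK per file, wrapped once into the user's DDF and, when a recovery agent exists, once into the DRF) as an added Go model; this is not code from the article or from Windows itself. It assumes RSA-OAEP and AES-GCM stand in for the CryptoAPI algorithms EFS actually uses, and the EncryptedFile type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models an EFS-encrypted file: the ciphertext plus the FEK wrapped
// once per key holder (DDF: user's public key; DRF: recovery agent's, nil if none).
type EncryptedFile struct{ Nonce, Ciphertext, DDF, DRF []byte }

// wrapFEK encrypts the FEK under one public key; RSA-OAEP stands in for the
// CryptoAPI key exchange EFS uses. Only the matching private key can unwrap it.
func wrapFEK(pub *rsa.PublicKey, fek []byte) []byte {
	out, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
	if err != nil {
		panic(err)
	}
	return out
}

// EncryptFile draws a fresh random FEK per file, encrypts the data with it (AES-GCM
// stands in for EFS's DESX/AES) and wraps the FEK into the DDF and, if given, the DRF.
func EncryptFile(plain []byte, user, agent *rsa.PublicKey) *EncryptedFile {
	fek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(fek)
	rand.Read(nonce)
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil), DDF: wrapFEK(user, fek)}
	if agent != nil {
		ef.DRF = wrapFEK(agent, fek)
	}
	return ef
}

// DecryptFile unwraps the FEK from one field (DDF or DRF) with the caller's private
// key and decrypts the file; any other key, or a lost one, fails here.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey, field []byte) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, field, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
```

With a DRF present, the agent's private key still opens the file after the user's profile is gone; with no DRF (the standalone XP case) a lost user key leaves nothing that can decrypt the DDF.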

The answer to this dilemma of missing keys is to join the computer to a Windows 2000 domain and, ideally, back the keys up. If the computer is joined to a Windows 2000 domain, the Domain Administrator account becomes the data recovery agent. But I would not rely on this one account to be your savior. To be sure that encrypted files will not become black holes into which data enters but cannot be retrieved, you must archive or back up each user's keys and store them separately from the user's computer. Of course, you must also ensure the keys' safety. After all, they could be used to decrypt sensitive data files. So if you have thousands of desktop computers, that means thousands of encryption keys to archive, store and maintain. This is not a trivial task. In fact, in most environments, it is not done, and sometimes it is not even doable.

To find out more about preventing data loss with current Windows technologies and the new key-archival system shipping with Windows .NET Server, tune in to Roberta's live expert webcast.

About the author:
Roberta Bragg, MCSE, CISSP, MCT, MCP, is a well-known Windows security consultant, columnist and speaker. Her publishing credits include "ISA Training Guide," "MCSE Windows 2000 Network Security Design" and "Windows 2000 Security."
