Subscribe to Windows IT Pro

 

Get Newsletters

  • Get the Latest News
  • Product Updates
  • Helpful Tricks
  • Productivity Tips

Subscribe Now!

November 06, 2000 12:00 AM

Decrypting EFS

Mark Minasi
Windows IT Pro
InstantDoc ID #15907
Rating: (1)
Encrypting File System is more complex than it appears

You probably know that all flavors of Windows 2000 support Encrypting File System (EFS), which encrypts your files before the system stores them on disk. (Mark Russinovich discusses the workings of EFS in detail in Internals, "Inside Win2K NTFS, Part 2," page 45.) At first glance, I guessed that I simply needed to flip a switch in the GUI to tell Win2K to encrypt a file, then Win2K would encrypt the file as I saved it and decrypt the file whenever I accessed it. If an unauthorized user tried to access the file, the user would either get an Access denied message or see a lot of meaningless characters. "Simple," I thought.

But start using and managing EFS, and you see that the devil is in the details. And EFS has a lot of details.

Recovery
One detail concerns recovery. If I encrypt a file and then forget the password, how can I recover the file? EFS doesn't let you encrypt files unless you set up at least one account as an EFS recovery agent. By default, a workstation's or member server's recovery agent is the default Administrator account. By "default Administrator account," Microsoft means the Administrator account you created when you installed Win2K, not any other member of the local Administrators account. On a domain, the default recovery agent is the default Administrator for the computer that was the first domain controller installed for that domain—in other words, the first server that you ran Dcpromo for when you created the domain.

Recovery isn't tricky and doesn't require you to run a special program. To recover an encrypted file, all you need to do is log on as the recovery agent, then use either the GUI or the Cipher command

cipher /u/a <filename>

to decrypt the file. EFS doesn't recognize any difference between the user who originally encrypted a file and the recovery agent—if you encrypt a Microsoft Word file and the recovery agent tries to open it, the recovery agent will see your file. However, if you've denied the recovery agent access to your Word file, the recovery agent won't be able to open and decrypt the file for you. To remedy the situation, you'll need an administrator to take ownership of the file and grant read and write access to the recovery agent. Of course, if you leave the default Administrator account as the recovery agent, the default Administrator will have no trouble seizing a file permission should the need arise.

But let's think some more about the recovery agent account: Should you really use the default Administrator account for anything? Probably not. But changing which account can handle emergency decryptions is a bit tricky. EFS uses a simple symmetrical algorithm to encrypt and decrypt your files—that is, EFS uses the same password to encrypt your files that it uses to decrypt them. But EFS uses an asymmetrical, public key-type encryption method to encrypt that password before storing it. When you encrypt a file, EFS uses your public key to encrypt the password and stores the encrypted password in NTFS 5.0 (NTFS5—which, unlike NTFS, knows how to store encrypted file passwords). When EFS needs to decrypt the file, it asks NTFS5 for the encrypted password and uses your private key to decrypt the password. After EFS has the password, it can decrypt the file. (As you've probably guessed, encrypting files slows things down a trifle.) But how does EFS let someone else decrypt a file? By again exploiting NTFS5: In addition to storing the file's password encrypted with your public key, EFS will store the password encrypted with the public key of as many recovery agents as you like.

Changing the default recovery agent gets sticky because introducing EFS to a prospective recovery agent's public key/private key pair requires a hierarchy of Certificate Authorities (CAs) that your computer recognizes. Without a CA hierarchy, you can't have certificates, and without certificates, you can't (with one exception, which I explain later) introduce EFS to new recovery agents. So, you'll need to run at least one certificate server.

In an Active Directory (AD) environment, adding new recovery agents isn't too hard to accomplish, although doing so requires some work: AD doesn't install a certificate hierarchy by default. In a standalone server environment, you could install a certificate server to act as a one-server hierarchy and use that certificate server to issue certificates. But on a standalone Win2K Professional system, you'd need to first create a CA on a system running Win2K Server and have the Win2K Pro system accept the certificates from the server. Then, you'd need to create the certificates and export them to the Win2K Pro system, which sounds like an awful lot of work. So, practically speaking, standalone Win2K Pro systems might have no option but to leave the default Administrator as the sole recovery agent.

But at least one account—the default Administrator—obtains a certificate without needing to go through the CA exercise. Apparently, EFS generates a self-signing certificate for the default Administrator, but I haven't been able to make EFS build certificates for other accounts. (Giving EFS a way to build certificates for other accounts would be a nice, low-overhead way to add some flexibility to EFS administration.)

Who Encrypted That File?
Another detail arises when you want to determine who encrypted a file. The Windows Explorer user interface (UI) shows which files are encrypted but not who encrypted them. You'd be annoyed to discover that someone had encrypted files in a public network share, leading to an influx of calls from users who suddenly can't access those files. And yes, that can happen: Anyone who has read and write permissions on a file can encrypt it.

As an administrator, you could rectify the situation by decrypting the files. But wouldn't you like to know the identity of the dastard who caused the trouble? You can, by using the Microsoft Windows 2000 Resource Kit Efsinfo command-line utility or Sysinternals' free EFSDump utility, which you can download from http:// www.sysinternals.com/misc.htm. If you run Efsinfo with the /u option, as in

efsinfo /u somefile.doc

the utility will tell you who encrypted the file. The /r option reveals the names of the people who can recover it.

The scenario in which a troublemaker encrypts a file on a network file share gave me a hint about a potentially valuable aspect of EFS. If you're storing a file in your home directory and don't want prying eyes to easily browse the file, encrypt it for more protection. It isn't likely that every member of the Domain Admins group is a recovery agent.

Related Content:

ARTICLE TOOLS


Want to use this article? Click here for options!

Comments
Add A Comment
  • Eric
    7 years ago
    Feb 19, 2005

    I also am having an identical problem to some of the others. I have encrypted pictures and files on a secondary drive and due to a system error i re-installed server 2003 on the main drive...hence wiping out the user profile that created the encryption.
    How can i recover the files as i did not see any resolution comments in response to that.
    please help....I'd hate to lose those pictures.

  • Anonymous User
    8 years ago
    Dec 24, 2004

    I have a MAJOR PROBLEM...Its complicated to explain. But try to understand what happened.

    I tried to do a home network using Windows 2003 Server Enterprise (Active Directory), and connected my Windows XP Pro to it.

    Somehow some of my personal files kept on D:\\ got ENCRYPTED on my XP machine, which I dont remember doin it.

    Because I couldnt get Active Directory to do what I wanted (a friend managed to do it on his PC), I decided to scrap the Server installation, and put XP on the server as well.

    I tried to view the files on my 1st XP machine, and it wouldn't let me do anything with the files. I found out they got encrypted with EFS, and now I can't decrypt them.The Recovery Agent that was on the Server's HD has been formatted and put into another PC, which I have sold. So I no longer own that HD.

    So no I'm stuck here without any Recovery Agent, or any way of decrypting my files.

    I have tried EFSINFO and CIPHER, but it wont let me. Somehow, the files don't even recognise my several standard passwords. NOBODY else has used my PC's, I KNOW that.

    I have tried a number of software. One program finds the decrypted files, and asks me for a password (which I don't know anymore), but I can't find a Password Recovery software for EFS encrypted files.

    PLEASE can someone help me with this, or the whole problem I have. I don't even have a Recovery Agent or Certificates.

  • issay
    9 years ago
    Dec 21, 2003

    i have deleated the user profile of the encrypted user. I try to decrypt files, login as administrator. but no use. what shall i do. can i decrypt.

  • Sofoklis karapidakis
    9 years ago
    Dec 12, 2003

    I found the article very informative and interesting.
    I am in the following trouble. I have had some files decrypted in drive D. Since my operational system had some trouble, I decided to format my disk without however exporting the keys for encryption. As a result, I can not access important files (those encrypted). Do you have any suggestion?
    Thanks in advance

  • Jan
    9 years ago
    May 04, 2003

    Could anyone tell me how can in decrypt a file which is encrypted by a user. I know that only the user can open it and there is a recovery agent who can do it. I added the recovery agent but still when I open the file I find the
    access denied message. Can some tell me the complete process of decryping the file. I will be greatful

    thanks.

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

White Papers

Get your Windows 7 deployment off to the right start by implementing PC lockdown. A locked-down environment is easier and cheaper to support since users are less likely to make unnecessary changes to the core system configuration - read more here!

Essential Guides

Is your iSCSI "lossy"? The reality is that most off-the-shelf Ethernet hardware deployed for iSCSI can lose packets, resulting in slow performance or application downtime. Learn how to assess your current iSCSI infrastructure and engineer an advanced iSCSI SAN infrastructure.

Web Seminars

What's the best way to keep your network safe from malware? In this web seminar, security expert Greg Shields suggests an alternative method to the traditional blacklisting approach that is common with anti-virus and anti-malware solutions.

eLearning Series

We bring the experts direct to you to share their real-world perspective and expertise. During each event, three sessions stream in real time, so you can learn, ask questions, and get solutions.
Upcoming event: Getting the Most with Exchange 2010 with Paul Robichaux

Subscribe to Windows IT Pro!

Cloud IT Pro DevProConnections Left-Brain Mobile Dev Pro SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.