
I'm on a Windows Vista computer. I've wanted to use EFS for a little while but I wanted to experiment on some individual files first. While doing that, I backed up my certificate and key, reset my password, and imported the old key. Everything was fine and I could access the files that I experimented on.

After I was convinced that it was safe, I decided to encrypt most of my files. I imported the old key and the certificate that I had backed up before resetting the password. When I was done, I reset my password again and imported the old key again, but this time I couldn't access any files. I've imported it several times but I continue to get "Access Denied" for any encrypted file.

So what happened? Did Windows use some other certificate to encrypt these files for some reason? Is there any other reason that this would happen? In other words, is there any hope to recover these, or has the key just been lost?

1 Answer

Every time your password is reset, Windows generates a new EFS key for you and encrypts it with the new password. Let me walk you through what happened:

  1. You encrypted the first batch, with certificate A protected by your password 1
  2. You exported A to a file
  3. You reset your password to password 2
  4. You were unable to access files encrypted with A because you were no longer able to unlock the private key for it (because your password had changed)
  5. You imported the private key of A from the backup
  6. You could read the files encrypted with A because you had the key with which they were encrypted
  7. You encrypted the second batch with a new certificate B protected with your then-current password 2
  8. You reset your password to password 3
  9. You were unable to access files encrypted with B because you were no longer able to unlock the private key for it (you had password 3, not 2)
  10. You re-imported certificate A and secured it with password 3
  11. That didn't help at all because the files are still encrypted with the key from certificate B, which you didn't back up

In the Certificates Manager's Trusted People section, you'll see a list of all the EFS keys you control and the public key of each user on the machine. The one (and only one) with your name that does not have a key on the icon is your EFS public key. It is created and encrypted with your password when you log on and is the only key used when you encrypt a new file. If you want to make it possible to decrypt a file with a different certificate, you can use the cipher command-line utility's /adduser and /certhash options (but it's too late for that now).

You are in a bad situation, sorry. One thing to try would be to reset your password to the second one, the one it was when you encrypted all the things. (Windows can keep multiple certificates for each user.) It's also conceivable that the unencrypted data is still on disk somewhere; you could try to use normal data recovery methods to get them back.

  • The EFS keys aren't derived from the password in any way – they're randomly-generated RSA keypairs (no different from any other SSL/X.509 certificate). They're themselves encrypted with a password-derived key though. Commented Mar 3, 2016 at 7:49
  • Thanks for that explanation. I knew it must have used a different key to encrypt them the third time but I wasn't sure why. I changed my password and imported the key again like you suggested but it didn't work. It's not a huge deal in any case because I have everything backed up, I just didn't want to go through the process of deleting and restoring the files.
    – John
    Commented Mar 3, 2016 at 12:06
  • @grawity Thanks for the fact-check. I've updated my answer.
    – Ben N
    Commented Mar 3, 2016 at 14:09
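As an added example, not code from the asker or from the answerer, the following PowerShell script does the two checks the answer describes by hand: it lists the EFS certificates in the current user's store (those with the EFS Enhanced Key Usage OID) together with whether the private key is still usable, and it asks `cipher /c` which certificate thumbprints a given file was encrypted to, so you can see whether the account holds any of them. It assumes a Windows machine with EFS, PowerShell 2.0 or later and `cipher.exe`, English `cipher` output (the parsing of the "Certificate thumbprint:" lines is an assumption), and the placeholder paths shown. The closing comments show the `cipher /x` backup and the `/adduser /certhash` step the answer mentions.

```powershell
# Added example, not code from the original question or answer. Assumes Windows with
# EFS, PowerShell 2.0+, cipher.exe with English output, and the placeholder paths below.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

# List the EFS certificates in the current user's personal store and note which ones
# still have a usable private key (a password reset is what makes the key unusable).
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid }).Count -gt 0)
    } | Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

# Ask cipher.exe which certificate thumbprints can decrypt a file. Relying on the
# "Certificate thumbprint:" lines of the English output is an assumption of this example.
function Get-EfsFileThumbprint {
    param([Parameter(Mandatory = $true)][string]$Path)
    & cipher.exe /c $Path | ForEach-Object {
        if ($_ -match 'Certificate thumbprint:\s*(.+)$') {
            # cipher prints the thumbprint in space-separated groups; normalise it
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# Cross-check: does this account hold a private key for any certificate the file was
# encrypted to? If not, the file is unreadable no matter which old key is re-imported.
function Test-EfsFileAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $mine = @(Get-EfsCertificate | Where-Object { $_.HasPrivateKey } |
              ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    $needed = @(Get-EfsFileThumbprint -Path $Path)
    foreach ($t in $needed) {
        if ($mine -contains $t) {
            Write-Host "$Path : decryptable with certificate $t"
            return $true
        }
    }
    Write-Warning ("$Path : encrypted to [" + ($needed -join ', ') +
                   "] but no private key for any of them is present (the 'certificate B was never backed up' case)")
    return $false
}

# Usage with placeholder paths:
Get-EfsCertificate | Format-Table -AutoSize
Test-EfsFileAccess -Path 'C:\Users\Me\Documents\secret.txt'

# Avoiding the situation next time:
# 1. Export every EFS certificate together with its private key before any password reset
#    (prompts for a PFX password and writes efs-keys.pfx):
#      cipher /x:C:\backup\efs-keys
# 2. Let a second certificate decrypt a file, so that losing one key is not fatal:
#      cipher /adduser /certhash:<thumbprint> C:\Users\Me\Documents\secret.txt
```

The thumbprints that `cipher /c` reports are the ones to compare against the Certificates Manager entries the answer refers to; a file whose listed thumbprint matches no certificate with a private key in `Cert:\CurrentUser\My` is exactly the "encrypted with certificate B, which you didn't back up" outcome.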
