
I have some EFS-encrypted files in Windows. The owning user account is protected by a password, which can be easily bypassed (i.e. reset) by many tools and methods.

So what will happen to these encrypted files if that happens? Will they be accessible to the attacker? Or will they still be protected and require the encryption key to access them?

  • I've edited your question to make it a little bit clearer that you're using EFS. If that's not right, you can roll back the edit. Nice question!
    – Ben N
    Commented Jan 31, 2016 at 21:51

2 Answers


The existing answer is correct in that the EFS private key is protected by the user's password. However, it is possible to configure EFS Data Recovery Agents that can decrypt any EFS-encrypted file on a system. DRA certificates are set via Group Policy, or Local Security Policy if you don't have a domain.

DRAs have such access because when a system receives the public key of the DRAs, it encrypts the symmetric key of each encrypted file with each DRA's public key in addition to the user's public key. Thus, DRAs can only recover encrypted files if they were created or opened after their certificate was registered.

So, depending on your configuration, it could be possible to recover the data even after resetting the owner's password. DRA keys are also protected by the DRA's password, but a crafty attacker would install a DRA certificate for a new user, wait for you to touch the target files, then take advantage of the certificate to decrypt them.

Note that this recovery option does not apply to DPAPI-protected data, as the DPAPI does not respect EFS DRAs. You're in for some pain if you need to recover such data.


The user's EFS private key, as well as various other private data kept by Windows, is encrypted using the user's password. If the password is changed, it is impossible to decrypt the private keys, and without that, it is impossible to access the encrypted files.

  • I'm not sure I fully understand this. Do you mean that once the password is reset by third-party software, the encrypted data is gone forever?
    – ICTAddict
    Commented Jun 11, 2014 at 8:48
  • That is correct. The EFS private key is encrypted via the "Data Protection API", CryptProtectData and CryptUnprotectData. Exactly how this API works is well explained at MSDN; what I can fit in a comment here is this: the password supplied at login is part of the input to the key generation. If you change your pw, then all secrets you previously encrypted with this API are re-keyed with the new password. But if third-party software (or the admin, for that matter) changes your pw, this can't be done, and you lose access to previously encrypted secrets. See also "EFS recovery agent".
    Commented Jul 22, 2014 at 17:30
  • @JamieHanrahan This might warrant a separate question, but it is only a slight expansion of the original question above: if, after the password was reset by 3rd-party tools as above, the original password was found (remembered), would logging in (using the "reset" password) and changing the password back to the original password allow access to the EFS-encrypted files?
    Commented Feb 2, 2016 at 14:34
  • @JamieHanrahan Naive question: if the encryption key is derived from your old password, why couldn't you recover it if you can recall your old password?
    Commented Jun 8, 2022 at 18:34
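The two answers describe one key hierarchy from two ends: the per-file key (FEK) is wrapped once for the owner and once for every Data Recovery Agent registered when the file is created or opened, and the owner's EFS private key is itself reachable only through a password-protected master key (DPAPI). The following Python model is an added illustration written for this page, not Microsoft's implementation. Names such as `User`, `EfsFile`, `touch`, `admin_reset_password` and the sample accounts are assumptions; a SHA-256 counter-mode keystream stands in for AES and the public-key wrapping of the FEK is modelled as symmetric wrapping under each principal's private key, because the point is which keys wrap the FEK, not the cipher. It plays through both answers: a DRA registered after a file was encrypted cannot read it until the owner touches it, a user-initiated password change re-wraps the master key, and an administrative reset leaves the master key wrapped under a password the account no longer uses.

```python
"""Toy model of the EFS key hierarchy discussed in the answers (added illustration).

  password -PBKDF2-> wraps master key -> wraps EFS private key -> unwraps FEK (DDF)
  DRA private key ----------------------------------------------> unwraps FEK (DRF)
"""
import hashlib, hmac, os


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream); the same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC, so unwrapping with the wrong key is detected rather than yielding garbage."""
    nonce = os.urandom(16)
    ct = xor_stream(wrapping_key, nonce, secret)
    return nonce + ct + hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()


def unwrap(wrapping_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(wrapping_key, nonce + ct, hashlib.sha256).digest()
    return xor_stream(wrapping_key, nonce, ct) if hmac.compare_digest(tag, expect) else None


def password_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class User:
    """Account whose EFS private key is reachable only via the logon password (DPAPI-style)."""

    def __init__(self, name: str, password: str):
        self.name, self.salt = name, os.urandom(16)
        self.credential = hashlib.sha256(password.encode()).digest()  # what logon checks
        master, self.efs_private_key = os.urandom(32), os.urandom(32)
        self.wrapped_master = wrap(password_key(password, self.salt), master)
        self.wrapped_efs_key = wrap(master, self.efs_private_key)

    def logon(self, password: str):
        """Returns (logged_in, efs_private_key or None if the key material is unreachable)."""
        if hashlib.sha256(password.encode()).digest() != self.credential:
            return False, None
        master = unwrap(password_key(password, self.salt), self.wrapped_master)
        return True, (None if master is None else unwrap(master, self.wrapped_efs_key))

    def change_password(self, old: str, new: str) -> bool:
        """User-initiated change: the old password unwraps the master key so it can be re-wrapped."""
        master = unwrap(password_key(old, self.salt), self.wrapped_master)
        if master is None:
            return False
        self.wrapped_master = wrap(password_key(new, self.salt), master)
        self.credential = hashlib.sha256(new.encode()).digest()
        return True

    def admin_reset_password(self, new: str) -> None:
        """Reset by an admin or offline tool: credential replaced, wrapped master key untouched."""
        self.credential = hashlib.sha256(new.encode()).digest()


class EfsFile:
    def __init__(self, plaintext: bytes, owner: User, registered_dras: list):
        self.fek, self.nonce = os.urandom(32), os.urandom(16)
        self.ciphertext = xor_stream(self.fek, self.nonce, plaintext)
        self.ddf = wrap(owner.efs_private_key, self.fek)  # Data Decryption Field (owner)
        self.drf = {}                                     # Data Recovery Fields, one per DRA
        self.touch(registered_dras)

    def touch(self, registered_dras: list) -> None:
        """On create/open/save, a DRF is added for every DRA registered at that moment."""
        for dra in registered_dras:
            self.drf[dra.name] = wrap(dra.efs_private_key, self.fek)

    def decrypt(self, private_key):
        """Try the DDF, then every DRF, with the supplied private key."""
        if private_key is None:
            return None
        for blob in [self.ddf, *self.drf.values()]:
            fek = unwrap(private_key, blob)
            if fek is not None:
                return xor_stream(fek, self.nonce, self.ciphertext)
        return None


def scenario() -> dict:
    """Constructed walk-through of both answers; returns which reads succeed."""
    alice, dra, dras = User("alice", "correct horse"), User("dra", "dra-pw"), []
    before = EfsFile(b"encrypted before the DRA existed", alice, dras)
    dras.append(dra)                               # policy now pushes the DRA certificate
    after = EfsFile(b"encrypted after the DRA was registered", alice, dras)
    dra_key = dra.logon("dra-pw")[1]
    r = {"dra_reads_after": after.decrypt(dra_key) is not None,
         "dra_reads_before_untouched": before.decrypt(dra_key) is not None}
    before.touch(dras)                             # owner opens the old file
    r["dra_reads_before_touched"] = before.decrypt(dra_key) is not None
    alice.change_password("correct horse", "new-pw")
    r["owner_reads_after_change"] = before.decrypt(alice.logon("new-pw")[1]) is not None
    alice.admin_reset_password("reset-pw")
    logged_in, key = alice.logon("reset-pw")
    r["reset_logon_ok"], r["owner_reads_after_reset"] = logged_in, before.decrypt(key) is not None
    return r
```

Running `scenario()` shows the DRA reading only files touched after its registration, the owner keeping access across a normal password change, and a reset account that logs on but cannot reach its EFS private key. The model is deliberately silent on whether Windows keeps any path back to the old password after a reset; it only shows why the reset alone does not re-wrap anything.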
