Can't seem to create a working EFS Recovery agent
Hello,
I'm trying to test EFS and can't seem to get it right. Here are the steps I have tried.
1. Created a user EFSRecovery in AD and gave him the right to enroll for the EFS Recovery Certificate (I had installed a CA earlier).
2. Logged on as user EFSRecovery and requested an EFS Recovery Certificate.
3. Created a Group Policy and tried to add the EFSRecovery user to Public Key Policies\Encrypted File System. This failed with the message that the user does not have the correct certificate. I looked it up on the internet and found that almost everyone was having this
problem so I tried another take.
4. Logged on as user EFSRecovery and exported its EFS Recovery Certificate to a file.
5. In the Group Policy I created in step 3, added the *.cer file to Public Key Policies\Encrypted File System. This was successful.
6. Linked the Group Policy to an OU that contains the test computer on which I want to try EFS recovery (tried it also with a link to the domain).
7. Logged on to the test computer as admin and ran GPUPDATE /force to ensure the policy was applied. Used Group Policy Results in the Group Policy Management console to ensure that the policy was applied and that the certificate was listed under Public Key Policies\Encrypted File System. This was indeed the case.
8. Created a user TestEfs, logged on to the test computer, created a directory containing a test file, and encrypted the directory and the test file.
9. Logged on to the test computer as EfsRecovery and tried to access the test file. This failed. Tried to change the encryption bit; this failed too. However, when I looked at the advanced encryption property screen I saw that the certificate of the EfsRecovery agent is listed as a Recovery Certificate.
Does anyone know how you must create an EFS Recovery agent that works?
I looked up different procedures on the internet but none seem to work at all.
PS. My DC is a win2008R2 and the test computer is a WIN2008
Thanks a lot in advance
Marc Mertens
June 8th, 2010 11:49am
On Tue, 8 Jun 2010 08:49:22 +0000, HappyLisper wrote:
9. Logged on to the test computer as EfsRecovery and tried to access the test file. This failed. Tried to change the encryption bit; this failed too. However, when I looked at the advanced encryption property screen I saw that the certificate of the EfsRecovery agent is listed as a Recovery Certificate. Does anyone know how you must create an EFS Recovery agent that works? I looked up different procedures on the internet but none seem to work at all.
In step 9, did you have the EFS Recovery Agent certificate and private key
in the local store of the EfsRecovery user? If not, that's your problem.
-- Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Paul Adare CTO IdentIT Inc. ILM MVP
June 8th, 2010 11:53am
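The check Paul describes, as an added example that is not part of the original thread: run it in PowerShell on the test computer while logged on as the recovery-agent user. It looks in the user's Personal store for a certificate carrying the File Recovery EKU, reports whether a private key is bound to it, and then uses cipher.exe to list the recovery certificates on the encrypted file and attempt the decryption. The GPO only distributes the recovery agent's public certificate; recovery needs the matching private key in the store of the user doing the recovery. The .pfx path and test file path are assumptions.

```powershell
# Added example, not code from the original thread.
# Run as the recovery-agent user (EfsRecovery in the thread) on the test computer.

# Assumed paths: the .pfx exported from the recovery agent's store on the DC
# and the encrypted test file created by the TestEfs user.
$PfxPath  = 'C:\Temp\efsra.pfx'
$TestFile = 'C:\Data\testfile.txt'

# Enhanced Key Usage OID that marks an EFS recovery agent (File Recovery) certificate.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-HasFileRecoveryEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsRecoveryAgentCert {
    # Only the current user's Personal store matters: EFS looks there for the
    # private key when the user tries to decrypt a file.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-HasFileRecoveryEku $_ }
}

$agents = @(Get-EfsRecoveryAgentCert)

if ($agents.Count -eq 0) {
    Write-Warning "No File Recovery certificate in Cert:\CurrentUser\My for this user."
    Write-Host "Export certificate AND private key on the DC as the agent user, e.g.:"
    Write-Host "    certutil -user -p <pfx-password> -exportPFX My <thumbprint> $PfxPath"
    Write-Host "then import it here as the same user:"
    Write-Host "    certutil -user -p <pfx-password> -importPFX $PfxPath"
    return
}

foreach ($c in $agents) {
    if ($c.HasPrivateKey) {
        Write-Host ("OK       {0}  {1}  private key present" -f $c.Thumbprint, $c.Subject)
    } else {
        # Only the public .cer (the copy the GPO distributes) was imported; recovery still fails.
        Write-Warning ("{0}  {1}  no private key: import the .pfx, not the .cer" -f $c.Thumbprint, $c.Subject)
    }
}

# Show who can decrypt the file and which recovery certificates it carries,
# then try the recovery itself. /d succeeds only if a listed key is usable here.
if (Test-Path $TestFile) {
    cipher /c $TestFile
    cipher /d $TestFile
}
```

The thumbprint printed by the script should match the recovery certificate that cipher /c lists for the file; if it matches but HasPrivateKey is false, the store holds only the public certificate and the .pfx still has to be imported.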
Hello Paul,
that was indeed not the case. So I exported the certificate (including the private key) to a file, logged on as EFSRecovery on the test computer, imported the file into the personal store of EFSRecovery, and everything worked. I was kind of hoping that if the certificate was stored with the AD user object I could use the recovery agent directly on every computer in the domain to do the recovery. Seems a lot of work to me, but at least I'm convinced that recovery is possible.
Thanks for your help
Marc
June 9th, 2010 12:04pm
On Wed, 9 Jun 2010 09:04:09 +0000, HappyLisper wrote:
that was indeed not the case. So I exported the certificate (including the private key) to a file, logged on as EFSRecovery on the test computer, imported the file into the personal store of EFSRecovery, and everything worked. I was kind of hoping that if the certificate was stored with the AD user object I could use the recovery agent directly on every computer in the domain to do the recovery. Seems a lot of work to me, but at least I'm convinced that recovery is possible.
EFS recovery should not necessarily be an easy operation given the level of
access it involves. One way to make it easier and even more secure is to
store the recovery agent on a smart card.
In addition you may want to consider using EFS recovery as an operation of
last resort. By and large, you should be able to use key archival and
recovery to recover user's private keys if necessary.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
June 9th, 2010 12:13pm
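The key archival and recovery path Paul recommends, as an added example that is not part of the original thread. It assumes the CA has already been set up for key archival (a Key Recovery Agent certificate issued and enabled on the CA, and the EFS template set to archive the subject's encryption key), so that the user's EFS private key was archived at enrollment. The CA config string, user UPN and file paths are placeholders. The first step runs as a CA administrator; the second runs as the holder of the KRA private key; the third runs as the user whose key was recovered.

```powershell
# Added example, not code from the original thread.
# Assumed placeholders: adjust to your CA and user.
$CaConfig = 'dc01.example.local\Example-CA'   # Machine\CAName
$UserUpn  = 'testefs@example.local'           # search token for the archived key
$BlobPath = 'C:\Temp\testefs.blob'            # recovery blob, encrypted to the KRA(s)
$PfxPath  = 'C:\Temp\testefs.pfx'             # recovered key, password-protected

function Export-ArchivedKeyBlob {
    # Step 1 (CA administrator): pull the archived key material for the user
    # out of the CA database. The blob is only decryptable with a KRA private key.
    param([string]$Config, [string]$SearchToken, [string]$OutFile)
    certutil -config $Config -getkey $SearchToken $OutFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for $SearchToken" }
}

function Recover-ArchivedKey {
    # Step 2 (KRA holder): decrypt the blob with the KRA private key and write a
    # .pfx; certutil prompts for the password that protects the .pfx.
    param([string]$BlobFile, [string]$OutPfx)
    certutil -recoverkey $BlobFile $OutPfx
    if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed for $BlobFile" }
}

function Import-RecoveredKey {
    # Step 3 (the user): put certificate and private key back into the user's
    # Personal store; after this the user can decrypt their own files again and
    # no recovery agent is needed.
    param([string]$PfxFile, [string]$Password)
    certutil -user -p $Password -importPFX $PfxFile
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed for $PfxFile" }
}

# Uncomment the step appropriate to the account you are logged on as:
# Export-ArchivedKeyBlob -Config $CaConfig -SearchToken $UserUpn -OutFile $BlobPath
# Recover-ArchivedKey   -BlobFile $BlobPath -OutPfx $PfxPath
# Import-RecoveredKey   -PfxFile $PfxPath -Password '<pfx-password>'
```

Each step is a separate privilege: reading the archived blob needs CA permissions, decrypting it needs the KRA key, and only the resulting .pfx reaches the end user. That separation is why key recovery is the preferred route and a data recovery agent, whose private key can open every file in the domain, stays the last resort.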