EFS backup and restore without Recovery Agent

Dear all,

I have a Windows 2012 R2 server (serverC) joined to a domain (domainA).

Since I would like to secure my data, I have created a domain user (userB) who can encrypt a folder with files inside, and encrypt the folder using EFS.

As I don't want the domain administrators to access my files, I have not created a recovery agent in the domain policy.

Also, I don't want to store any encryption key on the server (except the cert. in userA), therefore no recovery agent is created on the server either.

To check whether the folder is encrypted, I run "cipher /c C:\xxxfolder\yyy.txt" to check the encryption details and the result is:

...

User who can decrypt:

domainA\userB

Certificate thumbprint: 1234 5678 0ABC...

No recovery certificate found.

Key Information:

Algorithm: AES

Key length:256

Key Entropy:256

After I back up and restore the folder at another server (serverD, C:\Restore) in the same domain, I log in as userB, copy userB's cert. to the server, import it into his own Personal and Trusted People stores (with the private key included), and run "cipher /c C:\Restore\xxxFolder\yyy.txt". The result is a bit different:

...

User who can decrypt:

domainA\userB

Certificate thumbprint: 1234 5678 0ABC...

No recovery certificate found.

Key information cannot be retrieved. (new)

The specified file could not be decrypted. (new)

When I double-click the file, "Access is denied." is shown.

How can I solve the problem? Thanks a lot!

Stephen

February 16th, 2015 11:21pm

There is a lot of information around, but I will try to explain it in simple terms from my head (sorry, I won't provide links).

Anyway, here is how it is supposed to work.

You must create a user who will be designated as a Data Recovery Agent (DRA).

Do the following on a domain joined workstation - could be a VM.

Encrypt a file using this account so that EFS certificate is created for the DRA.

Export the certificate and the private key. Delete the private key during the export.

Save the exported certificate in the safe. Delete the exported certificate from the workstation. Optionally, if it was a VM, delete the VM too.

This leaves you with an account for the DRA that only has the public key, but not the private key. This user can encrypt EFS files, but cannot read them. This is your DRA account. You don't use it for anything else but as a DRA.

So, configure the Data Recovery policy, using your prepared account as the DRA.

That's all.

When you need to recover files, get a new (clean) domain joined workstation - could be a VM.

Get the certificate from the safe.

Create a new user JohnDoe.

Import the certificate from the safe to JohnDoe.

Now JohnDoe has both the private and the public key and can read EFS encrypted data.

Decrypt the data as you like.

When you are finished, destroy JohnDoe and the workstation (VM).

HTH

February 17th, 2015 3:46am

Dear HTH,

I have just solved my problem. (I don't want to use a DRA; as I said, we want it more secure and don't want the domain administrators to access my files, so I have not created a recovery agent in the domain policy.)

I have confirmed that a DRA is NOT A MUST. If it is not used, the encryption key is the only key which can decrypt the file.

I have tried to import the key at another PC to restore, but it failed as described in my initial post.

I have found that it was because I needed to set the local (or group) policy of the restoring server, Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

to

"User input is not required when new keys are stored and used "

(I think by default it should be "User must enter a password each time they use a key")

and uncheck "Enable strong private key protection..." when importing the key.

Thanks for your help anyway.

Regards,

Stephen

February 17th, 2015 3:54am
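Stephen's fix above, as an added PowerShell example that is not part of the thread: it reports the policy value he changed on the restoring server and parses the cipher /c output for the failure lines from his first post, cross-checking the file's certificate thumbprint against the EFS certificates with private keys in the current user's Personal store. The registry value name and its 0/1/2 meanings, and the cipher /c output format, are assumptions here.

```powershell
# Added example (not from the thread). Assumed: the policy "System cryptography: Force strong key
# protection for user keys stored on the computer" is backed by the registry value
# HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection (0/1/2 mapped below), and
# cipher /c prints the lines quoted in the thread. Run as userB on the restoring server.

function Get-ForceKeyProtectionPolicy {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    $item = Get-ItemProperty -Path $path -Name ForceKeyProtection -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Defined (no policy value present)' }
    switch ([int]$item.ForceKeyProtection) {
        0       { 'User input is not required when new keys are stored and used' }
        1       { 'User is prompted when the key is first used' }
        2       { 'User must enter a password each time they use a key' }
        default { "Unknown value $($item.ForceKeyProtection)" }
    }
}

function Get-EfsCertificates {
    # EFS certificates in the current user's Personal store (EKU 1.3.6.1.4.1.311.10.3.4 = Encrypting File System)
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
}

function Test-EfsFileReadable {
    param([Parameter(Mandatory)][string]$Path)
    $out = & cipher.exe /c $Path 2>&1 | Out-String
    # cipher prints the thumbprint with spaces ("1234 5678 0ABC ..."); normalise before comparing
    $thumbs = [regex]::Matches($out, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
    $mine = Get-EfsCertificates | Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() }
    [pscustomobject]@{
        Path               = $Path
        FileThumbprints    = @($thumbs)
        HavePrivateKeyFor  = @($thumbs | Where-Object { $mine -contains $_ })
        KeyInfoRetrievable = -not ($out -match 'Key information cannot be retrieved')
        Decryptable        = -not ($out -match 'could not be decrypted')
    }
}

"Force strong key protection: $(Get-ForceKeyProtectionPolicy)"
Test-EfsFileReadable -Path 'C:\Restore\xxxFolder\yyy.txt' | Format-List
```

A file whose thumbprint appears in HavePrivateKeyFor but still reports KeyInfoRetrievable = False points at the key-protection setting rather than at a missing certificate, which is the case the thread ends on.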
