Recover encrypted folder from WHS full image backup?
My Lenovo X200 laptop was stolen recently. I was running Win7 Pro and had encrypted one folder with all of my sensitive files. The entire drive was backed up (imaged) to Windows Home Server. I have been able to restore the full drive onto a new computer but I cannot access the encrypted folder. Since I have the drive image, I am wondering what I need to do to create or retrieve the encryption key or remove encryption from that folder.

I have tried restoring the full volume onto an internal drive and booting the new Lenovo X220 laptop from that drive, but Windows will not boot and returns a "device is inaccessible" message--not surprising given that much of the hardware is updated. I have looked for the encryption key from the WHS backup by searching for *.pfx files and have not found any. Honestly, I am not sure if I ever created a backup key knowing that I was backing up an image of the entire drive. I believe the key is stored in the registry unless a backup is made so it's not as simple as searching for the correct key file. I have all of the passwords for the user who encrypted the folder, administrator, etc. so that shouldn't be an issue.

The options that I can think of are:

1) find a way to boot from the restored drive image by manually replacing drivers, and then log in and remove the encryption flag from the folder. I don't know how to do this, however, since Windows is in a vicious loop of asking to restore the disk which will wipe the drive.

2) copy the disk image to a virtual machine, and try booting from the VM. I am not sure if I will be able to boot into Windows (it could be an OEM license issue), and even if I can, I am not sure if I will be allowed to remove the encryption flag or create a backup encryption key while running as a virtual machine.

3) find a used X200 laptop so that I can boot from the restored drive image. This seems risky since there could still be some device inconsistencies that could cause Windows not to boot, and I am not sure if there are any hardware security dependencies that are tied to the file encryption key (this could be a problem with #1 as well).

I can't imagine that this situation hasn't come up before, but I can't find any direct advice even after a pretty thorough search. I just can't believe that if I have a full image backup of the files and the user/password info that I cannot retrieve these files. Any advice on these options or suggestions for others? Thanks in advance for any help you can provide.
September 23rd, 2012 5:06pm

Hi,

Did you encrypt the folder with the Encrypting File System? If you did not back up your certificates and the data has been encrypted with a corrupted or missing certificate, I am afraid there is no way to recover it.

File encryption uses a symmetric key, which is then itself encrypted with the public key of a public key encryption pair. The related private key must be available in order for the file to be decrypted. This key pair is bound to a user identity and made available to the user who has possession of the user ID and password. If the private key is damaged or missing, even the user that encrypted the file cannot decrypt it. If a recovery agent exists, then the file may be recoverable. If key archival has been implemented, then the key may be recovered, and the file decrypted. If not, the file may be lost. EFS is an excellent file encryption system; there is no "back door."

For your information:
What EFS Is
Best practices for the Encrypting File System

Tracy Cai
TechNet Community Support
September 25th, 2012 8:29am

Thanks for your reply, Tracy. I am very happy to say that after a lot of work, I was able to remove the EFS encryption from this folder even though I had not previously saved the encryption keys. The critical thing is that I did have a backup of the drive as I mentioned above. The way I ended up doing this was by creating a virtual machine as suggested in #2 above, after trying and failing to load the backup drive onto my new machine.

Here is a brief summary of the steps I used: I used Windows Home Server to restore the volume to an external drive, created an image of that drive, and used VirtualBox to load the image as a virtual machine. While I had never used VirtualBox or any other virtual machine before, it was relatively straightforward once I figured out how to provide it with the right image file, and then repaired the Windows installation so it would boot. Once it finally booted (after 2-3 successive repair operations using the Windows 7 repair disk), I was then able to log in to my Windows account on the virtual machine.

From there, I could use Certificate Manager (certmgr.msc from the Windows Start button's search box) to find my original certificate as described here: http://windows.microsoft.com/is-IS/windows-vista/Back-up-Encrypting-File-System-EFS-certificate, and then I copied the backup of the certificate to the desktop on the host machine, and from there I could use it to recover the encrypted folder on the new machine as described here: http://windows.microsoft.com/is-IS/windows-vista/Recover-encrypted-files-or-folders.

All I needed to have was the login name and password for the correct Windows account that originally encrypted the files--it didn't matter that it was running on a totally different (virtual!) machine. A happy end to a very long saga of trying to restore this folder.

mac27
September 30th, 2012 9:06am
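
A command-line equivalent of the certificate export and import steps described in the post above, added here as an example and not part of the original thread. It uses the built-in cipher.exe and certutil.exe; the function names and all paths are hypothetical placeholders.

```powershell
# Added example: function names and paths are hypothetical placeholders.

# Step 1: run inside the restored virtual machine, logged on as the
# Windows account that originally encrypted the folder.
function Export-EfsKey {
    param(
        [string]$SampleFile,   # any one file from the encrypted folder
        [string]$OutBase       # output path without extension
    )
    if (-not (Test-Path $SampleFile)) { throw "File not found: $SampleFile" }

    # List the users and certificate thumbprints able to decrypt the file,
    # so you can confirm this account holds the matching key.
    & cipher.exe /c $SampleFile

    # Back up the certificate and private key that were used for this file.
    # cipher prompts for a password and writes "$OutBase.PFX".
    & cipher.exe "/x:$SampleFile" $OutBase
}

# Step 2: run on the new machine after copying the .PFX across.
function Import-EfsKeyAndDecrypt {
    param(
        [string]$PfxPath,      # the .PFX produced in step 1
        [string]$Folder        # restored copy of the encrypted folder
    )
    if (-not (Test-Path $PfxPath)) { throw "PFX not found: $PfxPath" }
    if (-not (Test-Path $Folder))  { throw "Folder not found: $Folder" }

    # Import the certificate and private key into the current user's
    # Personal store; certutil prompts for the PFX password.
    & certutil.exe -user -importPFX $PfxPath

    # Remove EFS encryption from the folder and everything beneath it.
    & cipher.exe /d "/s:$Folder"
}

# Constructed usage (placeholder paths):
#   Export-EfsKey -SampleFile 'C:\Private\notes.txt' -OutBase 'C:\Temp\efs-backup'
#   Import-EfsKeyAndDecrypt -PfxPath 'D:\efs-backup.PFX' -Folder 'D:\Restored\Private'
```

The .PFX holds the private key, so keep it on offline media with a strong password once the import is done.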

