Unable to encrypt files using EFS

I am attempting to encrypt files on a Windows 7 OS using EFS.
Receiving an error that states "The File Recovery certificate being outdated or expired is the most frequent cause of this invalid recovery certificate message".

I have located this to an expired certificate under RSoP, belonging to an account called sysadmin. The problem is that this laptop was a computer that I was given when I left my previous job. I'm presuming that account belonged to the tech support team. It no longer exists under user accounts.
I've logged on with the Administrator account and recreated a certificate and generated the DRA, but still receive the same error. The certificate for sysadmin under RSoP still remains.
 
You're up a creek without a paddle, man. EFS is non-trivial and you need the original Recovery Agent to access it.

Consider this scenario:
  1. disk is EFS
  2. user X has a password
  3. user X account is deleted, but the data is kept
  4. we discover, oops, we need something
  5. recreate user X and even reuse the same original password
ACCESS DENIED results.
The encryption key is created such that it is unique to
  • the HD
  • the partition
  • the user
  • his/her password
  • time of day the password is created
The ONLY choice is to have created the Recovery Agent while the account was still active.
 
"...you need the original Recovery Agent to access it"
Access what?
 
?? Just what was the topic of discussion ?? The Recovery Agent needed to be created while the EFS was accessible by the original user. *IF* you can get the RA, then you will be able to get access to the EFS data - - without, you're dead. As neither you nor your S.A. knew this, it's also clear to me that the RA was never created.

Sorry for your loss.
 
The topic of discussion was how to encrypt some files.
I'm not attempting to get access to EFS data. There is no currently encrypted data. As clearly stated in the OP, I'm attempting to encrypt files currently on the computer, not decrypt any current files.
 
I've never liked whole disk encryption, if only because relatively only a very small percentage of the data NEEDS privacy and security, and then the complexity, risk to backup/restore and excessive HD access are all atrocious imo.

Personally, I've opted for a PGP product that allows encryption on a file-by-file basis:
see FileAssurity OpenPGP
 