TechSpot

Unable to encrypt files using EFS

By AvsFan
Nov 28, 2014
  1. I am attempting to encrypt files on a Windows 7 OS using EFS.
    Receiving an error that states "The File Recovery certificate being outdated or expired is the most frequent cause of this invalid recovery certificate message".

    I have located this to an expired certificate under RSoP, belonging to an account called sysadmin. The problem is that this laptop was a computer that I was given when I left my previous job. I'm presuming that account belongs to the tech support team. It no longer exists under user accounts.
    I've logged on with the Administrator account and recreated a certificate and generated the DRA, but still receive the same error. The certificate for sysadmin under RSoP still remains.
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,322   +619

    You're up a creek without a paddle, man. EFS is non-trivial and you need the original Recovery Agent to access it.

    Consider this scenario:
    1. disk is EFS
    2. user X has a password
    3. user X account is deleted, but the data is kept
    4. we discover, oops, we need something
    5. recreate user X and even reuse the same original password
    ACCESS DENIED results.
    The encryption key is created such that it is unique to
    • the HD
    • the partition
    • the user
    • his/her password
    • time of day the password is created
    The ONLY choice is to have created the Recovery Agent while the account was still active.
     
  3. AvsFan

    AvsFan TS Rookie Topic Starter

    "...you need the original Recovery Agent to access it"
    Access what?
     
  4. jobeard

    ?? Just what was the topic of discussion ?? The Recovery Agent needed to be created while the EFS was accessible by the original user. *IF* you can get the RA, then you will be able to get access to the EFS data - - without, you're dead. As neither you nor your S.A. knew this, it's also clear to me that the RA was never created.

    Sorry for your loss.
     
  5. AvsFan

    The topic of discussion was how to encrypt some files.
    I'm not attempting to get access to EFS data. There is no currently encrypted data. As clearly stated in the OP, I'm attempting to encrypt files currently on the computer, not decrypt any current files.
     
  6. jobeard

    APOLOGIES!! Not enough coffee.
     
  7. AvsFan

    No problem. Thanks for the input anyway.
     
  8. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    Last edited: Dec 13, 2014
  9. jobeard

    I've never liked whole disk encryption, if only because relatively only a very small percentage of the data NEEDS privacy and security, and then the complexity, risk to backup/restore and excessive HD access are all atrocious imo.

    Personally, I've opted for a PGP product that allows encryption on a file-by-file basis:
    see FileAssurity OpenPGP
     
