EFS, cipher /u and directory thumbprints

Hi-
VERY curious - I am retiring an EFS certificate and have executed a "cipher /u" to update all current encrypted files/folders with the new certificate.
All the FILES update nicely - but the folders still show they are encrypted with the old certificate's thumbprint according to EFSINFO!

Am looking for someone to explain why this is and the relevance / ramifications.

Thanks-
SAbboushi Asked:

Tolomir (Administrator) Commented:
Have you deactivated efs for such a folder once and checked with that tool?

I would decrypt all folders before encrypting with a new certificate, or is this a security issue?

Tolomir
Rich Rumble (Security Samurai) Commented:
What OS are you using, also is the PC in an active directory setup?

If using XP pro or winME...
Scroll up a paragraph or two in this link: (to EFS and System Restore)
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EFAA

It's possible that system restore is replacing the files.

From M$ http://www.microsoft.com/nz/smallbusiness/issues/sgc/articles/protect_data_efs.mspx#ECAA
In Windows XP, the command-line utility cipher.exe has been updated with a /U parameter to update the file encryption key or recovery agent keys on all files on local drives. The following example updates two encrypted files on the local drive where Cipher.exe is run.

"Efsinfo.exe /C" option is displaying the KEY, and "cipher.exe /U" updates the CERT- they are vastly different.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certificates_and_public_keys.asp


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6369a0d0-e5c5-44f9-85e6-366582e7d974.mspx
-rich
SAbboushi (Author) Commented:
Hi Tolomir
>> Have you deactivated efs for such a folder once and checked with that tool?
Are you asking if I have decrypted the folder before checking with the tool?  If so, no (I believe after decrypting the folder, there won't be any encryption thumbprint for the tool to report)

Thanks for the suggestion - I would like to understand what is happening though (Also, it would take HOURS to decrypt my data - and then more hours to reencrypt...)

richrumble: XP Pro, no active directory.  Also, System Restore is disabled.

Let me try to clarify: I used cipher /u to update the cert.  I then used efsinfo to verify that the files were all using the new updated certs.  I found that the OLD cert was associated with my folders, but that all the files had been updated with the NEW cert.

I am trying to understand why the folders still show the OLD cert thumbprint.
Tolomir (Administrator) Commented:
Ok playing a bit with it:

have you tried this:

cipher /e /s:drive_letter:\your_folder

This will encrypt all folders below "your_folder"

e.g. cipher /e /s:c:\temp\test



SAbboushi (Author) Commented:
Here's a response from a microsoft employee on another board.  I am satisfied with Pat's response:

"Pat Hoffer [MSFT]" wrote:

> The EFS metadata on the folder is totally irrelevant and never used.  You can
> ignore it.  Any new files that you create in the folder will be encrypted
> with the new certificate.

> Thanks.
> Pat
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
SAbboushi (Author) Commented:
I hope that the question and responses will remain in the database since the answer I found elsewhere (and provided herein) may be helpful to someone else.
war1 Commented:
SAbboushi, that is what PAQ means, so your answer will stay.
DarthMod Commented:
PAQed with points (500) refunded

DarthMod
Community Support Moderator
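
The check discussed in this thread, limited to files so that the folder entries described above as irrelevant are not reported. This is an added PowerShell example, not code from any post in the thread; it assumes efsinfo.exe is on the PATH and prints each user certificate on a line containing "thumbprint:", and the parameter names `$Root` and `$NewThumbprint` are hypothetical.

```powershell
# Added example, not code from the thread.
# Assumptions: efsinfo.exe (the tool named in the thread) is on PATH, and its
# /U /C output lists each user certificate on a line containing "thumbprint:"
# followed by hex digits. $Root and $NewThumbprint are hypothetical names.
param(
    [Parameter(Mandatory = $true)][string]$Root,           # e.g. C:\temp\test
    [Parameter(Mandatory = $true)][string]$NewThumbprint   # thumbprint of the new EFS certificate
)

# Compare thumbprints as bare upper-case hex, ignoring spaces and punctuation.
function ConvertTo-BareHex([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpper()
}

$want = ConvertTo-BareHex $NewThumbprint

# Encrypted FILES only. Folders are skipped on purpose: per the reply quoted in
# the thread, the EFS metadata on a folder is never used.
$files = Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

$report = @(foreach ($f in $files) {
    # Ask efsinfo for the user certificates on this one file.
    $out = & efsinfo.exe /U /C $f.FullName 2>&1
    $found = @($out | Select-String -Pattern 'thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ConvertTo-BareHex $_.Matches[0].Groups[1].Value })
    # A file with no parsable thumbprint counts as not updated, so tool
    # errors surface in the report instead of passing silently.
    New-Object PSObject -Property @{
        Path        = $f.FullName
        Thumbprints = $found -join ', '
        Updated     = ($found -contains $want)
    }
})

$stale = @($report | Where-Object { -not $_.Updated })
'{0} encrypted file(s) checked, {1} not listing the new thumbprint' -f $report.Count, $stale.Count
$stale | Select-Object Path, Thumbprints
```

Run it before deleting the retired certificate and its private key: any file it lists would still depend on the old key.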