Exporting Certificates, Encrypted File System Recovery - Win2k/XP

I recently installed a CA and began using EFS to encrypt data on a network file share.  It looks to me, from poking around on the CA, that it house all copies of certificates that it issue to ad users.  However, Windows documentation of EFS seems to indicate that I need to back up all the certificates on the workstations.  Is this necessary or is everthing for recovery already on the CA?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

A certificate is only one part of the security! The user or computer (depending on the type of certificate issued) keeps a private key that corresponds to the certificate. The private key is never transmitted over the network and the server does NOT have a copy of the private key unless private key archival is configured.


The private key is stored in the user profile by default, but it can be put on a smartcard. If the private key is lost then potentially the data encrypted with that key becomes *permanently inaccessible* unless you configure the EFS recovery agent or private key archival. The certificate on the server side is only used to verify the private key and whether the key has been issued by a trusted Certification Authority. Basically a certificate is an RSA public key signed by the private key of a CA.

If you don't get all this, then you should read up on encryption technologies (especially RSA), the role of a CA in a certificate chain, EFS recovery agents, etc. etc. before relying heavily on EFS for data security. Know how to and practice recovering encrypted data, or it will bite you.

A PKI requires proper planning, a backup and recovery strategy, some amount of user training, physical security and good network security/encryption to be of any use. Yes, all of those. Don't poke around a CA in a production environment. Please.

Here's some good articles:

Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure

Public Key Infrastructure for Windows Server 2003
jfexchangeAuthor Commented:
Thx Rant- I have a very basic understanding of efs and pki technologies.  I was trying to determine the Windows implementation of the process of how the private key was derived in the process of encrypting a file and the best way to back it up accordingly.

It seems like the private is created by the local workstation or in the user profile in the process of requesting a certificate from a CA, even in the case when the user is encrypting data on a server share? (as is the case in my setup) Windows documentation of the process seems to indicate that the network traffic is not encrypted (w/o IPSEC).  So if the data is stored on the an encrypted server share I am guessing when the user opens up a file on an encrypted share it is decrypted on the server and then sent over the network unencrypted for use on the workstation and then only re-encrypted back on the server after the file is closed?  

In this setup I was trying to understand why the private key is held in the user profile on the workstation as it seemed to me like all the encryption would all be done on the server? I was trying to understand why the private key would be in the user profile, it seems like it is not used in the actual encryption algorithm itself but rather in part of the process to verify the owner of the certificate.

I have been looking through the recommend recovery strategies, and MS seems to indicate that these can be assigned at the OU level.  I was trying to learn how this would affect the contents of the OU?  Would the Agent on the OU have the private keys for everything in that OU and where would these then be stored?  Also, based on the rudimentary tests I have done, it seems like only the Recovery agents are the only ones able to open file encrypted by someone else and ACL rights do not allow an indvidiaul to open a file?

Sorry if this is a bit scattered, but the technology is very new to me so I am just trying to get a grasp on it.  Any answers to these questions would be much appreciated.

<< It seems like the private is created by the local workstation or in the user profile in the process of requesting a certificate from a CA, even in the case when the user is encrypting data on a server share? >>

Yes, correct. The local Crypto-service Provider (CSP) generates a private/public key pair, and the public key is sent to the CA for digital signing. That signed public key (the certificate) is stored in the CA and is also returned to the client. The simplified version is that the encryption is performed using the public key of the client and can only be decrypted by the client holding the correct private key. The encryption is not directly performed with RSA because it's far too slow, but the DESX encryption keys are exchanged with RSA.

<< So if the data is stored on the an encrypted server share I am guessing when the user opens up a file on an encrypted share it is decrypted on the server and then sent over the network unencrypted for use on the workstation >>

Also correct. If you want to be completely secure, network traffic must be encrypted.

As far as I know, the recovery agent doesn't get a copy of all private keys, but the recovery agent's account has its own private key which is added to the possible list of users who can decrypt the data. This is unrelated to the access control list on NTFS objects.

It's been a while for me since I looked at it and I'm doing all this off the top of my head (as usual, bad habit). If you want to I'd like to play around on a test lab, but after the Easter holidays. Can't think straight right now ;-)
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

jfexchangeAuthor Commented:
Thanks for answering my questions, I will be testing this out a bit this week so if you have any time on your own to look at it again that would be great!  Just a few followup questions to your response.

-You said I was right to assume that data would be decrypted on the server first.   How would this be possible without the private key from the workstation?  You had said a DESX algorithm is used but I am not sure if you were also saying that the same key pair as the one in the certificate are being used.

-Secondly, how would ipsec be implemented in this equation?  I haven't seen any documentation on it.  Is it just a matter of enabling ssl on the certificate website in IIS?

-If the recovery agent has its own private keys which can be used to recover data.  Where are these keys stored?  I see there is an RSA folder on workstastion for the certificate holder;  But wouldn't the recovery agent keys be somewhere on the CA or in Active Directory?  If this is the case, wouldn't it be enough to just back up the recovery agent keys off the server instead of having to backup each workstation key?  As a follow up to this question, I have seen Microsoft says it is a good poliocy to back up all the keys off the workstation and once that is done, to remove the keys entirely from the workstation afterwards.   My question is, if the private key is removed from the workstation, as Microsoft suggests, how the would the end user get their data without re importing the key?

Thanks again!

jfexchangeAuthor Commented:
Ok I figured out the answer to some of these, but still a few questions remain.  

You have to request a recovery agent cert to be able to add the agent in the GPO Computer settings part of the policy.  
It looks like IPSEC will require a configuration change on the nic cards on the workstations in addtion to gpo policy changes.

It also looks like all EFS 'security is based at the file level, so to grant access to an additional user to an encrypted file; you have to make them a recovery agent on the file itself.
I am having difficulty adjusting the scope of the recovery agents beyond individual files.  I would like to assign larger amounts of users as recovery agents to a specific sets of files.  I have assigned recovery agents at the Default Domain Policy level and they will show up by default on all files and I am able to decrypt them.  However when I have assigned  recovery agent rights at the OU level they are not able to decrypt files.  

I have looked at the User Enterprise Trust user setting for that to tie the agent into the user it the specific OU but the wizard looks for an .stl file or self signed certificate which I have not been able to generate.  
<< It looks like IPSEC will require a configuration change on the nic cards on the workstations in addtion to gpo policy changes. >>
IPSec is a layer-3 protocol completely independent of the NIC. IPSec security is either negotiated using computer certificates, kerberos or pre-shared keys (at the machine level, not the user level). The pre-shared keys method is not recommended for production AD environments, only testing purposes.

The recovery agent is indeed for recovery purposes, but if a certain user has a lot of encrypted data then you're better off when that private key isn't lost.

I will also play around with this in a lab when time permits, I'd like to know some of that myself.

Any other expert's an expert at this?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jfexchangeAuthor Commented:
Rant, if that is the case with IPSec, then what would the necessary config entail just gpo settings?  I have worked with IPSec primarly in regards to websites/ie and not with files over an internal network.

I think you are misunderstanding the scope of what I am trying to do slightly.  I am not trying to encrypt individual user files or profile information.  I am trying to encrypt files shared by many users on an encrypted file share with subdirectories for different ou's/security groups.  So I want many users >15 to have access to a single encrypted file.
jfexchangeAuthor Commented:
no doable, according to MS
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.