How copy encrypted files between 2 XP machines in a workgroup
Hi-
I have multiple computers in a workgroup that use the same xp pro encryption certificate.
How do I copy and/ or access files across the network without having to decrypt the files?
I have multiple computers in a workgroup that use the same xp pro encryption certificate.
How do I copy and/ or access files across the network without having to decrypt the files?
ASKER
Hi Abs_jaipur - thanks for your post.
I did not find anything in your 3 links that tell me how to do what I want to do.
Are there any other thoughts?
I did not find anything in your 3 links that tell me how to do what I want to do.
Are there any other thoughts?
Hi,
Ok give me some time i will check and update you.
Ok give me some time i will check and update you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi ingetic-
I looked into this a few months ago - robocopy will not copy encrypted files over the wire in a workgroup. I have read that the Vista version has some functionality that may do this; another user (like me) was trying to get the code to use on XP but seemed not to be making progress... see one of his posts here:
http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2006-05/msg00013.html
richrumble-
Thanks for your posts - it has lots of good information, but gives solutions for domains, WebDAV Web folders, and other non-Workgroup environments. I need a solution for a workgroup network...
I looked into this a few months ago - robocopy will not copy encrypted files over the wire in a workgroup. I have read that the Vista version has some functionality that may do this; another user (like me) was trying to get the code to use on XP but seemed not to be making progress... see one of his posts here:
http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2006-05/msg00013.html
richrumble-
Thanks for your posts - it has lots of good information, but gives solutions for domains, WebDAV Web folders, and other non-Workgroup environments. I need a solution for a workgroup network...
The cert's have to present on both machines in order to copy.
here is a toll I just ran across from M$... http://www.microsoft.com/technet/WindowsVista/library/usmt/1bda9646-043c-4e02-b4aa-9650197ca54a.mspx?mfr=true
http://www.microsoft.com/technet/WindowsVista/library/usmt/a8b21b9b-d102-4045-9f36-e4b3430d2f38.mspx?mfr=true
http://www.microsoft.com/downloads/details.aspx?FamilyId=4AF2D2C9-F16C-4C52-A203-8DAF944DD555&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=EB4E271C-3613-4AAC-A305-5ED88F5D4CAA&displaylang=en
-rich
here is a toll I just ran across from M$... http://www.microsoft.com/technet/WindowsVista/library/usmt/1bda9646-043c-4e02-b4aa-9650197ca54a.mspx?mfr=true
http://www.microsoft.com/technet/WindowsVista/library/usmt/a8b21b9b-d102-4045-9f36-e4b3430d2f38.mspx?mfr=true
http://www.microsoft.com/downloads/details.aspx?FamilyId=4AF2D2C9-F16C-4C52-A203-8DAF944DD555&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=EB4E271C-3613-4AAC-A305-5ED88F5D4CAA&displaylang=en
-rich
ASKER
Hi rich-
THanks - The certs are on all machines - the problem is copying / accessing the files across the network.
I appreciate the time you've spent on this - The links you posted have to do with user migration from an old environment to a new environment (which I see as a "one-off" operation); I do not see a way that this will allow me to copy or access files across the workgroup network...
Judging from the posts and my internet research, it seems there may not be a viable solution for me - I believe that XP by design will not copy encrypted files over a workgroup network - I believe it might have to do with the workgroup network protocols(?) that cannot accomodate this and will only allow UNENCRYPTED files to be copied over the wire.
If there were an automated process that would copy the files across the wire in an unencrypted state, I would settle for that because the target folder is encrypted which would result in the unencrypted file being automatically re-encrypted on the target; this would not solve my ability to directly access the files over the wire, just to copy them - but that would be a big step forward. However, selecting files to manually unencrypt them to a temporary location on the source machine so that I can then copy those unencrypted files to an (encrypted) folder on the target machine is a real pain...
THanks - The certs are on all machines - the problem is copying / accessing the files across the network.
I appreciate the time you've spent on this - The links you posted have to do with user migration from an old environment to a new environment (which I see as a "one-off" operation); I do not see a way that this will allow me to copy or access files across the workgroup network...
Judging from the posts and my internet research, it seems there may not be a viable solution for me - I believe that XP by design will not copy encrypted files over a workgroup network - I believe it might have to do with the workgroup network protocols(?) that cannot accomodate this and will only allow UNENCRYPTED files to be copied over the wire.
If there were an automated process that would copy the files across the wire in an unencrypted state, I would settle for that because the target folder is encrypted which would result in the unencrypted file being automatically re-encrypted on the target; this would not solve my ability to directly access the files over the wire, just to copy them - but that would be a big step forward. However, selecting files to manually unencrypt them to a temporary location on the source machine so that I can then copy those unencrypted files to an (encrypted) folder on the target machine is a real pain...
From the second link in my last post...
If the destination computer is running Windows Vista, Encrypting File System (EFS) certificates will be migrated automatically. However, by default, USMT fails if an encrypted file is found (unless you specify an /efs option). Therefore, you must specify /efs:copyraw with ScanState to migrate the encrypted files. Then when you run LoadState on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. .
AND
Important
You should use extreme caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. <--------
These tools will move the EFS files... you do have to use a username and password that is the same on both pc's in the workgroup, and or use an account that has the proper missions to copy the files on to a PC. I've tested the tools, they work as advertised. Good luck, always make back-up copies.
-rich
If the destination computer is running Windows Vista, Encrypting File System (EFS) certificates will be migrated automatically. However, by default, USMT fails if an encrypted file is found (unless you specify an /efs option). Therefore, you must specify /efs:copyraw with ScanState to migrate the encrypted files. Then when you run LoadState on the destination computer, the encrypted file and the EFS certificate will be automatically migrated. .
AND
Important
You should use extreme caution when migrating encrypted files. If you migrate an encrypted file without also migrating the certificate, end users will not be able to access the file after the migration. <--------
These tools will move the EFS files... you do have to use a username and password that is the same on both pc's in the workgroup, and or use an account that has the proper missions to copy the files on to a PC. I've tested the tools, they work as advertised. Good luck, always make back-up copies.
-rich
I also recommend TrueCrypt over M$ EFS any day of the week, less headaches, easier to work with/use and more secure to boot.
Truecrypt.com
-rich
Truecrypt.com
-rich
ok...?
-rich
-rich
ASKER
Hi rich-
Seems we have a disconnect (you and I) - I need a solution for XP, not Vista - and as I said last post, what you quoted from is a migration tool - not something that believe will allow me to access and copy files between pcs in a workgroup. I don't need to move the files, I need to access them or copy them (keep them synched).
Administrator - did you read the posts since comments were requested for cleanup? Maybe you can explain the basis for the forced accept?
PS Rich - thanks for the reference to TrueCrypt - my real problem is keeping encrypted files synchronized between machines - do you know if synch programs will work with TrueCrypt?
Seems we have a disconnect (you and I) - I need a solution for XP, not Vista - and as I said last post, what you quoted from is a migration tool - not something that believe will allow me to access and copy files between pcs in a workgroup. I don't need to move the files, I need to access them or copy them (keep them synched).
Administrator - did you read the posts since comments were requested for cleanup? Maybe you can explain the basis for the forced accept?
PS Rich - thanks for the reference to TrueCrypt - my real problem is keeping encrypted files synchronized between machines - do you know if synch programs will work with TrueCrypt?
The migration tools are for win2k, XP, 2003, and VISTA... please install and have a look, again, I've tested these on XP and they work as advertised.
The line only says " IF using vista..."
>If the destination computer is running Windows Vista, Encrypting File System (EFS) certificates will be migrated automatically
Otherwise, the cert's aren't moved automagicly.
Also, truecrypt data is always stored encrypted, it's never decrypted to disc, unless you copy the data out of the encryption container to a plain-text file yourself. The encrypted data is only unencrypted in memory, as opposed to EFS that creates plain-text verions of the data when it's opened, that data is stored on the disc, and "deleted" from the HD when that data is closed. If your PC loses power, the encrypted truecrypt data is still encrypted, just not loaded in memory anymore, so all you have to do is reopen, the encrypted data will then be placed in memory again.
Read "other issues" second paragraph
http://en.wikipedia.org/wiki/Encrypting_File_System#Recovery
http://en.wikipedia.org/wiki/Truecrypt
You can use any method you wish to move/copy truecrypt files, they do not lock you like M$ does/tries to. BTW, the back-up operators group can use a varity of tools to move efs data encrypted without the need for the key's to be present on the destination, however they do need to be present on the local pc where those files are stored. http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx#EQH This whole article does apply, altough they say "back-up and restore" you can think of it as sync'ing...
-rich
The line only says " IF using vista..."
>If the destination computer is running Windows Vista, Encrypting File System (EFS) certificates will be migrated automatically
Otherwise, the cert's aren't moved automagicly.
Also, truecrypt data is always stored encrypted, it's never decrypted to disc, unless you copy the data out of the encryption container to a plain-text file yourself. The encrypted data is only unencrypted in memory, as opposed to EFS that creates plain-text verions of the data when it's opened, that data is stored on the disc, and "deleted" from the HD when that data is closed. If your PC loses power, the encrypted truecrypt data is still encrypted, just not loaded in memory anymore, so all you have to do is reopen, the encrypted data will then be placed in memory again.
Read "other issues" second paragraph
http://en.wikipedia.org/wiki/Encrypting_File_System#Recovery
http://en.wikipedia.org/wiki/Truecrypt
You can use any method you wish to move/copy truecrypt files, they do not lock you like M$ does/tries to. BTW, the back-up operators group can use a varity of tools to move efs data encrypted without the need for the key's to be present on the destination, however they do need to be present on the local pc where those files are stored. http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/dataprot/w2kadm21.mspx#EQH This whole article does apply, altough they say "back-up and restore" you can think of it as sync'ing...
-rich
May be these links help you
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://www.stanford.edu/group/security/securecomputing/pc_file_encryption.html
https://www.experts-exchange.com/questions/21892876/Question-on-EFS-in-XP.html