How do I recover and employ deleted EFS certificates to decrypt a directory on my local drive D:?

Posted on 2009-02-09
Last Modified: 2012-05-06
I am trying to recover erased Vista EFS certificates. The customer lost his keys and no disk writing has occurred after the loss (erasure?). Standard data recovery tools should bring back the missing certificates, but I'm not sure what needs to be recovered and where to put the recovered items so that I can decrypt a certain directory that the user has encrypted. I only have a bit copy of his drive set up as drive D: on my system.

Question by: gbulger
    LVL 31

    Expert Comment

    If you happen to have a Data Recovery Agent set up, that would be the easiest way to do that (default would be local admin). If you don't have a DRA then read this thread, it sounds pretty similar:

    Take note of the product recommendation in post 23231153

    Author Comment

    I'm not sure what to do next. I have tried to set myself up as a recovery agent by:

    - log in as administrator

    - run "cipher /r:gordon", which placed a .pfx and .cer in the administrator's directory. These are the recovery agent's public and private certificate keys, I presume.

    - I imported the pfx file by clicking on it to open the import wizard, then ran "start-run-secpol.msc", selected "Public Key Policy-EFS", then selected "add data recovery agent" and selected the .cer file.

    I ran data recovery sw on his drive and recovered several .pfx files which may be his missing private keys. His drive is locally hooked up as the second disk on my recovery computer.

    How do I use these keys? I have aefsdr pro. Is the pfx key I generated with the .cer key ever used in this process?

    Sorry to be so stupid.
    LVL 31

    Expert Comment

    The DRA cert would need to be installed on the user box prior to requiring its use, not after.  You could use the DRA in place of their certificate to decrypt the data during the aefsdr recovery process.

    The pfx files from the user hard drive might be of use if the user happens to remember the password to them - if you can copy them off that disk to your workstation you can have him try some of his typical passwords on that, and if it locks out then you can just pop in another copy.  You will need to unlock that in order to move forward recovering the encrypted data.

    Alternatively, you can see if aefsdr pro will have any luck with the files located in the %userprofile%\Application Data\Microsoft\Crypto\RSA\%sid% directory.  This is where the private keys are stored.  Note: the file names will just be random characters with no extension - this is fine and normal.

    From your previous comment - yes the pfx has both the public and private keysets included with the cert and is usually password protected.  You would put the .cer file (public key only with the cert) into your policy settings (local policy, GPO, etc.) and use the pfx for decryption processes.

    Author Comment

    How do I install the DRA cert files on the user box if I don't have a booting drive from the user?
    As it stands I have his drive only as a local drive g: attached to my recovery computer. What are the steps involved in using the DRA in place of their certificate to then decrypt the data? I am really a beginner here (obviously).

    LVL 31

    Accepted Solution

    You install the DRA cert on the user box when everything is working normally.  The DRA cert is the ounce of prevention...  You can't apply it afterwards without the user logging in to update the existing encrypted files, as they would need to log in to decrypt them to re-encrypt them with their cert and the DRA cert.  It isn't magic.  In other words - if you didn't already have the DRA installed, then forget about that for now and move on, then when this fire is out take your new DRA cert, back up the PFX in at least 3 different physical locations (USB flash drives, CD, etc.), then put it into group policy so all of your clients will use the same DRA cert so you are prepared for next time.

    For now, I would see if you can take the information from the 3rd paragraph from my last post and do something with that.  If that doesn't work then you might need to chalk this one up to experience and either let it go or bring it into a data recovery specialist like DriveSavers (which isn't cheap and still isn't guaranteed).

    If the private key or any single bit of the encrypted file got overwritten, you're not going to get anywhere with standard tools.  Sometimes you get lucky, sometimes you don't, and sometimes you pay a few hundred bucks or more to get the pros with the special equipment that can read lost data better than a utility you can download.
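The accepted solution makes two practical points: a DRA only helps if its .cer was in policy before the files were encrypted (and the PFX must be backed up in several places), and on a recovered disk the useful first step is to find which files are EFS-encrypted and which certificate thumbprints can open them, so a recovered .pfx can be matched against them. The following PowerShell script is an added example written for this thread, not code posted by either participant; `$DraName`, `$BackupTargets` and `$ScanRoot` are placeholder values, and it relies only on the built-in `cipher.exe` switches (`/r`, `/c`, `/u`) and the file system's Encrypted attribute.

```powershell
# Added example (not from the thread): preparing an EFS Data Recovery Agent ahead
# of time, and triaging EFS-encrypted files on a mounted copy of a user's disk.
param(
    [string]$DraName = 'efs-dra',                                        # assumed base name for the .cer/.pfx pair
    [string[]]$BackupTargets = @('E:\', 'F:\', '\\fileserver\keybackup'), # placeholder backup locations
    [string]$ScanRoot = 'D:\Users\customer\Documents'                     # placeholder: directory on the mounted copy
)

function New-EfsRecoveryAgent {
    param([string]$Name)
    # cipher /r:<name> writes <name>.cer (public key, goes into policy) and
    # <name>.pfx (private key, password protected) into the current directory.
    & cipher.exe "/r:$Name"
    if (-not (Test-Path "$Name.pfx")) { throw "cipher /r did not produce $Name.pfx" }
    Get-Item "$Name.cer", "$Name.pfx"
}

function Backup-RecoveryKey {
    param([string]$PfxPath, [string[]]$Targets)
    # The answer's advice: keep the PFX in at least three physical locations,
    # otherwise the DRA is just one more single point of failure.
    $copies = 0
    foreach ($target in $Targets) {
        if (Test-Path $target) {
            Copy-Item -Path $PfxPath -Destination $target -Force
            $copies++
        } else {
            Write-Warning "backup target $target is not reachable"
        }
    }
    if ($copies -lt 3) { Write-Warning "only $copies copies written; the thread recommends at least 3" }
    $copies
}

function Get-EfsEncryptedFile {
    param([string]$Root)
    # EFS sets the Encrypted file attribute, so encrypted files can be listed on
    # a copied disk even when no usable key is available yet.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Get-EfsKeyInfo {
    param([string]$Path)
    # cipher /c shows the user and recovery certificates (with thumbprints) that
    # can decrypt the file; compare these against any recovered .pfx before
    # spending time guessing its password.
    & cipher.exe /c $Path
}

# Triage on the recovery machine: which files are encrypted, and with which certs.
Get-EfsEncryptedFile -Root $ScanRoot | Select-Object -First 5 | ForEach-Object { Get-EfsKeyInfo -Path $_.FullName }

# Prevention on a healthy client, run as the administrator who will act as DRA:
# $files = New-EfsRecoveryAgent -Name $DraName
# Backup-RecoveryKey -PfxPath "$DraName.pfx" -Targets $BackupTargets
# then add "$DraName.cer" under Public Key Policies / EFS (secpol.msc or GPO).
# Existing encrypted files are only re-keyed once the user logs on and runs
# "cipher /u" (use "cipher /u /n" first to list what would be updated).
```

Note that `cipher /u` has to run in the user's own session: it re-encrypts each file's key with the user's certificate plus the new DRA certificate, which is exactly why the accepted answer says the DRA cannot be applied after the fact to a disk whose owner can no longer log in.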
