How do I recover and employ deleted EFS certificates to decrypt a directory on my local drive D:?

Posted on 2009-02-09
Medium Priority
Last Modified: 2012-05-06
I am trying to recover erased Vista EFS certificates. The customer lost his keys, and no disk writing has occurred after the loss (erasure?). Standard data recovery tools should bring back the missing certificates, but I'm not sure what needs to be recovered and where to put the recovered items so that I can decrypt a certain directory that the user has encrypted. I only have a bit copy of his drive set up as drive D: on my system.

Question by:gbulger
LVL 31

Expert Comment

ID: 23591935
If you happen to have a Data Recovery Agent set up, that would be the easiest way to do it (the default would be the local admin). If you don't have a DRA, then read this thread, it sounds pretty similar:

Take note of the product recommendation in post 23231153

Author Comment

ID: 23600713
I'm not sure what to do next. I have tried to set myself up as a recovery agent by:

- log in as administrator

- run "cipher /r:gordon", which placed a .pfx and a .cer in the administrator's directory. These are the recovery agent's public and private certificate keys, I presume.

- I imported the .pfx file by clicking on it to open the import wizard, then ran "Start - Run - secpol.msc", selected "Public Key Policies - Encrypting File System", chose "Add Data Recovery Agent" and selected the .cer file.

I ran data recovery sw on his drive and recovered several .pfx files which may be his missing private keys. His drive is locally hooked up as the second disk on my recovery computer.

How do I use these keys? I have AEFSDR Pro. Is the .pfx key I generated along with the .cer key ever used in this process?

Sorry to be so stupid.
LVL 31

Expert Comment

ID: 23602813
The DRA cert would need to be installed on the user box prior to requiring its use, not after.  You could use the DRA in place of their certificate to decrypt the data during the aefsdr recovery process.

The pfx files from the user hard drive might be of use if the user happens to remember the password to them - if you can copy them off that disk to your workstation you can have him try some of his typical passwords on that, and if it locks out then you can just pop in another copy.  You will need to unlock that in order to move forward recovering the encrypted data.

Alternatively, you can see if aefsdr pro will have any luck with the files located in the %userprofile%\Application Data\Microsoft\Crypto\RSA\%sid% directory.  This is where the private keys are stored.  Note: the file names will just be random characters with no extension - this is fine and normal.

From your previous comment - yes the pfx has both the public and private keysets included with the cert and is usually password protected.  You would put the .cer file (public key only with the cert) into your policy settings (local policy, GPO, etc.) and use the pfx for decryption processes.
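
The two recovery routes in the answer above (recovered .pfx files that need their password, and the raw key blobs under the user's profile) can be narrowed down before anything is imported. The following PowerShell script is an added example, not part of the original thread or of any product mentioned in it. It tries a list of candidate passwords against every recovered .pfx offline, reports the thumbprint of each one that opens, and compares those thumbprints against the ones `cipher /c` reports for the encrypted directory on the cloned disk, so you know whether a recovered key is actually the one the files were encrypted to. The paths and the password list are assumptions for illustration.

```powershell
# Added example (not from the original thread). Match recovered .pfx files
# against the certificates that actually protect the encrypted files.
$RecoveredDir = 'D:\recovered'                         # assumption: where the recovery tool wrote the .pfx files
$EncryptedDir = 'D:\Users\gordon\Documents\Private'    # assumption: the encrypted directory on the cloned disk
$Candidates   = @('Gordon2008', 'Summer08!', 'P@ssw0rd') # assumption: passwords the user says he typically used

function Open-RecoveredPfx {
    param([string]$Path, [string[]]$Passwords)
    foreach ($pw in $Passwords) {
        try {
            # Loading a PFX is a purely local operation: a wrong password simply throws,
            # there is no server and no counter involved.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $pw)
            if ($cert.HasPrivateKey) {
                return [pscustomobject]@{
                    Path       = $Path
                    Password   = $pw
                    Thumbprint = $cert.Thumbprint.ToUpper()
                    Subject    = $cert.Subject
                }
            }
        } catch {
            # wrong password, or the recovered blob is not a valid PFX at all: try the next one
        }
    }
    return $null
}

function Get-EfsThumbprints {
    param([string]$Directory)
    # cipher /c lists, per encrypted file, the users and recovery agents that can
    # decrypt it, each followed by a "Certificate thumbprint: XXXX XXXX ..." line.
    $report = & cipher.exe /c /s:$Directory 2>&1
    $report | Select-String -Pattern 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() } |
        Sort-Object -Unique
}

$needed = Get-EfsThumbprints -Directory $EncryptedDir
"Thumbprints that can decrypt files under $EncryptedDir :"
$needed | ForEach-Object { "  $_" }

$opened = Get-ChildItem -Path $RecoveredDir -Filter *.pfx -Recurse |
    ForEach-Object { Open-RecoveredPfx -Path $_.FullName -Passwords $Candidates } |
    Where-Object { $_ -ne $null }

foreach ($o in $opened) {
    $status = if ($needed -contains $o.Thumbprint) { 'MATCHES an EFS entry' } else { 'opens, but protects none of these files' }
    "{0}`n  password '{1}'  thumbprint {2}  {3}" -f $o.Path, $o.Password, $o.Thumbprint, $status
}
if (-not $opened) { Write-Warning 'No recovered .pfx opened with the candidate passwords.' }
```

A recovered .pfx whose thumbprint matches an entry in the `cipher /c` output is the user's EFS key: import it into your own account's Personal store (the import wizard, or `certutil -user -importpfx <file>.pfx`) and your account can then decrypt those files directly on the clone (for example `cipher /d /s:<dir>`, given NTFS rights on them), with no third-party tool required. A .pfx that opens but matches nothing is a different certificate (a stale or unrelated export) and will not help. The extension-less files under the `Crypto\RSA\<SID>` directory that the answer mentions are DPAPI-protected: unlocking them needs the matching master key files from the user's `Protect\<SID>` directory and the user's Windows logon password, which is what AEFSDR prompts for.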

Author Comment

ID: 23603139
How do I install the dra cert files on the user box if I don't have a booting drive from the user?
As it stands, I have his drive only as local drive G: attached to my recovery computer. What are the steps involved in using the DRA in place of their certificate to then decrypt the data? I am really a beginner here (obviously).

LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 23604796
You install the DRA cert on the user box when everything is working normally.  The DRA cert is the ounce of prevention...  You can't apply it afterwards without the user logging in to update the existing encrypted files, as they would need to log in to decrypt them to re-encrypt them with their cert and the DRA cert.  It isn't magic.  In other words - if you didn't already have the DRA installed, then forget about that for now and move on, then when this fire is out take your new DRA cert, back up the PFX in at least 3 different physical locations (USB flash drives, CD, etc.), then put it into group policy so all of your clients will use the same DRA cert so you are prepared for next time.

For now, I would see if you can take the information from the 3rd paragraph from my last post and do something with that.  If that doesn't work then you might need to chalk this one up to experience and either let it go or bring it into a data recovery specialist like DriveSavers (which isn't cheap and still isn't guaranteed).

If the private key or any single bit of the encrypted file got overwritten, you're not going to get anywhere with standard tools.  Sometimes you get lucky, sometimes you don't, and sometimes you pay a few hundred bucks or more to get the pros with the special equipment that can read lost data better than a utility you can download.
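
The "ounce of prevention" the accepted answer describes can be scripted so it is done the same way every time. The following PowerShell is an added example, not code from the thread: it generates the DRA certificate pair with `cipher /r:`, verifies that the resulting .pfx actually opens, copies it to several backup locations with a SHA-256 check, backs up the current user's own EFS certificate with `cipher /x:`, and, once the .cer has been added to policy, encrypts a probe file and confirms with `cipher /c` that new files carry the recovery entry. The agent name, working directory and backup drive letters are assumptions; adding the .cer under Public Key Policies still has to be done in secpol.msc or a GPO, since cipher.exe has no switch for that step.

```powershell
# Added example (not from the original thread). Provision and verify an EFS
# Data Recovery Agent before it is ever needed.
$AgentName  = 'EFS-DRA-2009'          # assumption: base name for the .cer/.pfx pair
$WorkDir    = 'C:\EFS-DRA'            # assumption: working directory on the admin box
$BackupDirs = @('E:\', 'F:\')         # assumption: removable media, per the answer's "3 physical locations"

function Get-Sha256Hex([string]$Path) {
    # Works on PowerShell 2.0 (no Get-FileHash needed)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# 1. Generate the recovery agent key pair. cipher /r: writes <name>.cer (public
#    certificate, goes into policy) and <name>.pfx (private key, password prompted).
& cipher.exe /r:$AgentName
$pfx = Join-Path $WorkDir "$AgentName.pfx"
$cer = Join-Path $WorkDir "$AgentName.cer"

# 2. Prove the PFX is usable and record its thumbprint before trusting it.
$dra = Get-PfxCertificate -FilePath $pfx          # prompts for the password chosen above
"DRA certificate: $($dra.Subject)  thumbprint $($dra.Thumbprint)"

# 3. Back the PFX up to several places and verify each copy bit for bit.
$expected = Get-Sha256Hex $pfx
foreach ($dir in $BackupDirs) {
    $dest = Join-Path $dir (Split-Path $pfx -Leaf)
    Copy-Item -Path $pfx -Destination $dest -Force
    if ((Get-Sha256Hex $dest) -eq $expected) { "backup OK: $dest" }
    else { Write-Warning "backup at $dest does not match the original" }
}

# 4. Back up the current user's own EFS certificate and key as well.
& cipher.exe /x:(Join-Path $WorkDir "$env:USERNAME-efs-backup")

# 5. Add $cer under Local Security Policy > Public Key Policies > Encrypting File System
#    > Add Data Recovery Agent (or the equivalent GPO). This is a GUI/GPO step.
Write-Host "Now add $cer as a Data Recovery Agent in policy, then press Enter." ; Read-Host | Out-Null

# 6. Verify: a freshly encrypted file must list the DRA thumbprint under
#    "Recovery Certificates" in the cipher /c report.
$probe = Join-Path $env:USERPROFILE 'dra-probe.txt'
'probe' | Set-Content -Path $probe
& cipher.exe /e $probe | Out-Null
$report = ((& cipher.exe /c $probe) -join "`n") -replace ' ', ''   # cipher prints thumbprints in 4-hex groups
if ($report -match [regex]::Escape($dra.Thumbprint)) { 'DRA entry present on newly encrypted file' }
else { Write-Warning 'DRA entry missing: policy not applied yet, or wrong certificate added' }

# 7. Files encrypted before the policy existed are NOT retroactively covered.
#    Each user must run this once, logged on as themselves, to rewrite their
#    files' keys with the current recovery certificate (cipher /u /n only lists them).
#    & cipher.exe /u
```

Step 7 is the point the answer makes about the DRA not being magic: `cipher /u` can only add the recovery entry because the logged-on user holds the private key that decrypts the file's key in the first place, which is exactly what is missing once the certificate is lost.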
