The second unexpected EFS certificate in win7. Can't access new encrypted files

BlueArgonaut
I use EFS encryption for several folders and their sub-folders (The new folders I created, My Documents, My Photos) in my folder C:\Users\MyLoginName. The "Application Data" or "App Data" are not encrypted.

I have had an EFS certificate for about 1 month with thumbnail beginning with AA1A. I backed up this EFS certificate including the private key. When I checked the certificate in the system, it shows that the certificate contains the private key.

Yesterday I suddenly got a message that I should back up the EFS certificate. I didn't pay attention to that because I understood that I already did a backup. In the evening I found that I can't access some new files. I checked the files' encryption and I found that they have been encrypted with another certificate with thumbnail beginning with BB9B. I checked certificates and I found the brand new certificate with thumbnail beginning with BB9B. That certificate was created yesterday, and the Certificates view shows that it CONTAINS the private key as well. I tried to back up certificate BB9B and I couldn't save the private key! This option was not accessible.

The Recovery agent is without a certificate. So I tried to add any certificate I could find: AA1A or BB9B. I got the message "The certificate is not suitable for Encrypting File System recovery".

I use Windows 7 64-bit Ultimate. I didn't change the password for any user on the computer. The computer is not on Active Directory; it works in WORKGROUP. I haven't copied any file or folder between folders in C:\Users.

Could you please help to answer:
1. Do you know what could cause the creation of the new certificate?
2. Is there any option to decrypt files with certificate BB9B?
3. Can I delete certificate BB9B?
4. What certificate can be used for Recovery agent?

Thanks a lot for your help. I appreciate it.
Cryptographic Engineer
Commented:
You should still be able to access your old files using your old EFS cert - it might be worth backing those up quick just to make sure you don't lose access to them. Just a sanity step before you do anything else.

I hate to ask it, but when was the last time you logged out or rebooted? If you haven't done so since getting your new cert then try that before you go too crazy.

If you haven't created a DRA yet then there isn't going to be one. Use cipher /r:filename and it will create the cert and .pfx file for your DRA. Store the .pfx on a secure flash drive that you keep locked up - if you have a safe keep it in there, and don't lose the password for the private key.

Author

Commented:
Hello, I found some workaround solution to avoid the above problem.

I use EFS on the MyDocuments folder and subfolders. I also work on a remote server in REMOTEDOMAIN. To work on this server and copy files between the remote server and my computer I have to authenticate to the remote domain and run Explorer as user REMOTEDOMAIN\RemoteUser. When I copy a file from the remote server into the MyDocuments folder using that Explorer running in the REMOTEDOMAIN\RemoteUser security context, the system immediately creates the new EFS certificate. When I work in my local security context I can’t access that copied file, and even all new encrypted files are using that wrong certificate. That causes lots of issues, as it stops me working with encrypted files on my computer. That new certificate cannot be added to the DRA (recovery agent) either.

The only workaround I found is that I copy files from the remote server to an unencrypted folder. And I always ensure that I use Explorer with REMOTEDOMAIN\RemoteUser credentials for copying files between my computer and the server ONLY! When I finish copying I IMMEDIATELY close that Explorer to avoid any confusion!
In case you fail and a new certificate is created, you can see the win7 bubble message “..Backup EFS key”. That means that a new certificate has been created. (Note: You should have in your notes the thumbnail of your right certificate.) In that case go IMMEDIATELY to the certificate storage (in IE) and delete the new one. Check the certificate thumbnail so that you are NOT deleting your correct certificate! After deletion you have to restart the computer to get rid of the wrong certificate from memory.

If you know how to avoid that problem and get rid of root cause, I'll be glad if you post it. Thanks.
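
Added example (not part of the original thread): a PowerShell check that lists the EFS-capable certificates in the user's store and compares the certificate EFS is currently set to use against the one that was backed up. The $KnownGood value is a placeholder for your own full thumbprint, and the example assumes the current key is recorded under the user's EFS\CurrentKeys registry key.

```powershell
# Assumption: $KnownGood is the full thumbprint (hex, no spaces) of the EFS
# certificate you backed up. The thread only gives its first characters.
$KnownGood = '<THUMBPRINT-OF-BACKED-UP-CERT>'

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System usage
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery usage (carried by a recovery-agent cert)

function Get-EkuOids($cert) {
    # Collect the Enhanced Key Usage OIDs from the certificate's extensions
    $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
}

# 1. Certificates in the personal store that carry the EFS or File Recovery usage
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $oids = @(Get-EkuOids $_)
    if ($oids -contains $EfsOid -or $oids -contains $RecoveryOid) {
        New-Object PSObject -Property @{
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            HasPrivateKey = $_.HasPrivateKey
            EfsUsage      = ($oids -contains $EfsOid)
            RecoveryUsage = ($oids -contains $RecoveryOid)
        }
    }
} | Format-Table Thumbprint, NotBefore, HasPrivateKey, EfsUsage, RecoveryUsage -AutoSize

# 2. The certificate EFS will use for the next file this user encrypts
$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hash = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CertificateHash
if ($hash) {
    # CertificateHash is stored as raw bytes; render it as a hex thumbprint
    $current = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($current -eq $KnownGood) {
        "Current EFS key matches the backed-up certificate."
    } else {
        "WARNING: current EFS key is $current, not the backed-up certificate."
    }
} else {
    "No current EFS key is recorded for this user."
}

# 3. To see which thumbprints can decrypt one particular file, run:
#    cipher /c "C:\path\to\file"
```

Run it in the same user context that owns the encrypted folders; a session started under other credentials has its own certificate store and its own current key.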

Commented:
Yesterday, I experienced the same problem as described in the question. Unfortunately, the proposed solution does not answer the four questions raised in the problem description. I find it extremely strange that suddenly a new certificate is created automatically and the user is not able to recover files that were created or changed after that. It would help me a lot if someone could tell me how I can access those files.