
Encryption file problem

djpierce54 asked:
We recently moved all of our User Shared Folders from an SBS 2003 server to a 2008 R2 server.  Some of the users had encrypted data and we decrypted the data, copied to the 2008 server and then encrypted.  That all works fine.
The problem is I need to restore some files from our offsite backup that are several years old.
I found if I restore to the old SBS 2003 server the user can read them.  If I restore the same files to the new server the user cannot open the files.  I did do an export of the recovery agent certs and restored on the 2008 server but the user still cannot read the files.

There must be a Cert buried somewhere that has been missed?
It would seem like we should be able to import the correct Cert onto the 2008 server so the user can read these older files.
Suggestions?

ImaCircularSaw (Technical Lead)

Commented:
Is the domain admin account able to read the files?  Are the users the same or are their SIDs different?  It could be that once recovered, the files need to have their owner accounts reset.

Author

Commented:
No the Domain Admins cannot read the files.
Only the user who created and originally encrypted the file can read it.

I do not think the SID changed as the accounts are the same on the AD.  Only thing was their files were redirected to a new server.

The problem I have is that the only way to read those old files is for the owner to have them restored to the old server and then the user needs to decrypt and move to the new server and encrypt.
The old server is about to be decommissioned.  That is why I posted this question.
ImaCircularSaw (Technical Lead)

Commented:
What are you using to encrypt the files?

Author

Commented:
Each user just goes to the properties of the file or directory on their computer (like My Documents) and under the advanced option select to encrypt.
So it must use the resident server that stores these files for the encryption key.
ImaCircularSaw (Technical Lead)
Commented:
Here's a paper on the issue:

http://technet.microsoft.com/en-us/library/bb457065.aspx

The certificates used for encryption are self-signed by the user but should still exist on your CA.  If that CA is the old server it would explain why you're unable to decrypt the files without it being online.  You should be able to copy them onto another trusted root server/CA.

Author

Commented:
I figured it out.  Had to use the Recovery Agent and dig out some old Certs.
The link to the KB got me on the right track.

Author

Commented:
I had to do further investigations and testing to resolve this.
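The "buried" certificate this thread ends up hunting for can be identified directly: every EFS file records the thumbprints of the user certificates and recovery-agent certificates able to decrypt it, and `cipher /c` prints them. The script below is an added example, not code from the thread or from Microsoft; it compares those thumbprints against the certificates with private keys in the current user's personal store and reports which ones are absent on this host. It assumes `cipher.exe /c` (Vista/2008 and later) and uses a placeholder path for the restored share.

```powershell
# Added example (not from the thread). For one EFS-encrypted file, list the
# certificate thumbprints that can decrypt it and say whether the private key
# for each is held in the running user's personal store on this host.
function Get-EfsKeyStatus {
    param([Parameter(Mandatory=$true)][string]$Path)

    # cipher /c prints "Certificate thumbprint: XXXX XXXX ..." under both the
    # "Users who can decrypt" and "Recovery Certificates" sections.
    $out = & cipher.exe /c $Path 2>&1 | Out-String
    $pattern = 'Certificate thumbprint:\s*([0-9A-Fa-f]{4}(?:\s+[0-9A-Fa-f]{4})*)'
    $needed = [regex]::Matches($out, $pattern) |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
        Sort-Object -Unique

    # Thumbprints for which this user holds a private key. The user's own EFS
    # certificates and any imported recovery-agent certificates both live here.
    $held = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

    foreach ($t in $needed) {
        if ($held -contains $t) { $status = 'present' }
        else                    { $status = 'MISSING on this host' }
        New-Object PSObject -Property @{
            File       = $Path
            Thumbprint = $t
            PrivateKey = $status
        }
    }
}

# Walk a restored folder (placeholder path) and report only the encrypted files
# whose keys are not available to the account running the script.
Get-ChildItem -Path 'D:\Restored\Users' -Recurse |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object { Get-EfsKeyStatus -Path $_.FullName } |
    Where-Object { $_.PrivateKey -ne 'present' } |
    Format-Table File, Thumbprint, PrivateKey -AutoSize
```

Run it as the user who encrypted the files; when files are encrypted on a share, the EFS keys sit in that user's profile on the file server, which is why the old server can still read them. A thumbprint reported as missing is the certificate (or recovery-agent certificate) that has to be exported with its private key from wherever it still exists and imported on the new server before those files will open there.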
