Solved

EFS - Can't decrypt a file even though I have certificate with matching thumbprint

Posted on 2016-10-20
4
53 Views
Last Modified: 2016-11-08
We have a Server 2012R2 box hosting a single network share. Somehow, some files that got saved to this share got encrypted using what I can only describe as a "self-signed" EFS certificate. The cert was not issued by our CA, and does not have our usual recovery certificates attached. The matching certificate can be found in the user's personal cert store on the server. However, all attempts to decrypt the files have failed. See this screenshot:
screenshot1
Any ideas out there?
0
Comment
Question by:SWCBTechServices
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41852317
I am suspecting at large either the (a) private key is missing or the (b) profile is corrupted.
- attempt to export the private key for that user self signed cert has the export option grayed out, then likely the private key is missing.
- identified self sign cert for that matching fingerprint should also have a corresponding copy as the certificate thumbprint on <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

The private key is stored within the certificate itself, but it is also protected by a password. If we cannot it out or use from past backup, it is not going to be decrypted. I am suspecting even administrator cannot access this folder, unless we have the self-signed EFS certificate of the original user e.g. export the certificate with private key of the user and import to the user whom you want to give them ability to access.

There is Elcomsoft software that attempt to scan for the available encryption keys, and decrypts the protected files. http://www.crackpassword.com/aefsdr.html
0
 

Author Comment

by:SWCBTechServices
ID: 41852345
We are logged on to the computer as the original user who encrypted the file. When I view the cert from the users personal cert store, it displays "You have a private key that corresponds to this certificate" (see attached picture).

We cannot export the cert with private, the option is grayed out, however it could be that private key export was disabled when the cert was created.

Yes, there is a corresponding copy of the cert/thumbprint in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

Any suggestions? thanks,2016-10-20_9-44-45.jpg
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41852394
May can try the tool to scan if this key is available and if can be decrypted - See the "Decrypting files"
Note: an unregistered (trial) version of AEFSDR decrypts only first 512 bytes of all files, padding the rest of content with zeros (look at Registration to learn how to get the fully functional version). But even in full version, please verify that all files have been decrypted successfully, before deleting the original (encrypted) files.
https://www.elcomsoft.com/help/en/aefsdr/index.html

There is another article - see "recovery with the orginal profile in the file system"
http://www.beginningtoseethelight.org/efsrecovery/index.htm
0
 
LVL 64

Expert Comment

by:btan
ID: 41878461
As suggested for key recovery.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question