Solved

EFS - Can't decrypt a file even though I have certificate with matching thumbprint

Posted on 2016-10-20
Last Modified: 2016-11-08
We have a Server 2012 R2 box hosting a single network share. Somehow, some files that got saved to this share got encrypted using what I can only describe as a "self-signed" EFS certificate. The cert was not issued by our CA, and does not have our usual recovery certificates attached. The matching certificate can be found in the user's personal cert store on the server. However, all attempts to decrypt the files have failed. See this screenshot:
[screenshot1]
Any ideas out there?
Question by:SWCBTechServices
4 Comments
 
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points (awarded by participants)
ID: 41852317
I suspect, at large, that either (a) the private key is missing or (b) the profile is corrupted.
- If an attempt to export the private key for that user's self-signed cert has the export option grayed out, then the private key is likely missing.
- The identified self-signed cert with the matching fingerprint should also have a corresponding copy, named by certificate thumbprint, under <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

The private key is stored within the certificate itself, but it is also protected by a password. If we cannot get it out or use one from a past backup, it is not going to be decrypted. I suspect even an administrator cannot access this folder unless we have the self-signed EFS certificate of the original user, e.g. export the certificate with the private key of the user and import it for the user to whom you want to give the ability to access.

There is Elcomsoft software that attempts to scan for the available encryption keys and decrypts the protected files. http://www.crackpassword.com/aefsdr.html
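The checks in the comment above (does the file's $EFS stream name this thumbprint, is the cert in the user's store, does the store hold a private-key reference, is the key actually usable) can be run in one pass from PowerShell on the file server. The script below is an added example for this thread, not code posted by btan or the asker; the file path is an assumed placeholder. One caveat worth knowing before reading its output: the certificate blob in `SystemCertificates\My\Certificates\<thumbprint>` holds only the public certificate, and the private key lives in a separate key container under `%APPDATA%\Microsoft\Crypto\` that is wrapped with the user's DPAPI master key, so the blob being present says nothing about whether the key survived.

```powershell
<#
  Added diagnostic script (not part of the original thread). Run on the file
  server, logged on as the user who encrypted the file. It walks the checks
  from the comment above and then tries to actually read plaintext.
  $EncryptedFile is an assumed example path.
#>
param(
    [string]$EncryptedFile = 'D:\Share\example.docx'   # assumed example path
)

$file = Get-Item -LiteralPath $EncryptedFile
if (-not $file.Attributes.HasFlag([IO.FileAttributes]::Encrypted)) {
    Write-Warning "$($file.FullName) is not EFS-encrypted"
    return
}

# 1. cipher /c prints every user and recovery certificate referenced by the
#    file's $EFS stream, each on a "Certificate thumbprint:" line. Strip the
#    grouping spaces so the value compares against the cert store directly.
$fileThumbs = @()
foreach ($line in (cipher.exe /c $file.FullName)) {
    if ($line -match 'thumbprint\s*:\s*(.+)$') {
        $t = ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($t.Length -eq 40 -and $fileThumbs -notcontains $t) { $fileThumbs += $t }
    }
}
if (-not $fileThumbs) { Write-Warning 'cipher /c reported no certificate thumbprints'; return }

# 2. Look each thumbprint up in the user's personal store.
$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
foreach ($thumb in $fileThumbs) {
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Host "$thumb : not in Cert:\CurrentUser\My (a recovery-agent cert, or this user's cert is gone)"
        continue
    }
    $isEfs      = @($cert.EnhancedKeyUsageList.ObjectId) -contains $efsEku
    $selfSigned = $cert.Subject -eq $cert.Issuer
    Write-Host ("{0} : subject='{1}' EFS EKU={2} self-signed={3} HasPrivateKey={4}" -f
        $thumb, $cert.Subject, $isEfs, $selfSigned, $cert.HasPrivateKey)

    # The profile store folder named in the thread holds only the public cert.
    $blob = Join-Path $env:APPDATA "Microsoft\SystemCertificates\My\Certificates\$thumb"
    Write-Host ("    certificate blob in profile store: {0}" -f (Test-Path -LiteralPath $blob))

    # HasPrivateKey only says the store carries a key reference. Opening the
    # key shows whether the container behind that reference still exists.
    if ($cert.HasPrivateKey) {
        try {
            $key = $cert.PrivateKey   # $null for CNG keys; throws if the CAPI container is missing
            Write-Host ("    CAPI private key opened: {0}" -f ($null -ne $key))
        } catch {
            Write-Host "    private key reference is BROKEN: $($_.Exception.Message)"
            Write-Host "    next step to try: certutil -user -repairstore My $thumb"
        }
    }
}

# 3. The decisive test: a read succeeds only if EFS can unwrap the file
#    encryption key with a private key this logon can use.
try {
    $fs = [IO.File]::OpenRead($file.FullName)
    $null = $fs.ReadByte()
    $fs.Dispose()
    Write-Host 'Plaintext is readable for this logon; back the key up now with Export-PfxCertificate.'
} catch {
    Write-Host "Cannot read plaintext as this user: $($_.Exception.Message)"
}
```

If step 2 reports a broken key reference, `certutil -user -repairstore My <thumbprint>` re-links the certificate to its key container when the container still exists on disk; if the container itself is gone (or the profile was rebuilt, which rotates the DPAPI master key that wraps it), no repair of the store will bring the key back and only a backup of the PFX or a listed recovery agent can decrypt the files.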

Author Comment

by:SWCBTechServices
ID: 41852345
We are logged on to the computer as the original user who encrypted the file. When I view the cert from the user's personal cert store, it displays "You have a private key that corresponds to this certificate" (see attached picture).

We cannot export the cert with the private key; the option is grayed out. However, it could be that private key export was disabled when the cert was created.

Yes, there is a corresponding copy of the cert/thumbprint in <CurrentUserProfile>\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\

Any suggestions? Thanks.
[attachment: 2016-10-20_9-44-45.jpg]
LVL 64

Accepted Solution

by:btan
btan earned 2000 total points (awarded by participants)
ID: 41852394
You may try the tool to scan whether this key is available and whether the files can be decrypted; see "Decrypting files".
Note: an unregistered (trial) version of AEFSDR decrypts only the first 512 bytes of all files, padding the rest of the content with zeros (look at Registration to learn how to get the fully functional version). But even with the full version, please verify that all files have been decrypted successfully before deleting the original (encrypted) files.
https://www.elcomsoft.com/help/en/aefsdr/index.html

There is another article; see "recovery with the original profile in the file system":
http://www.beginningtoseethelight.org/efsrecovery/index.htm
LVL 64

Expert Comment

by:btan
ID: 41878461
As suggested for key recovery.