Recover encrypted files after fresh install?

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#1 Post by Kenn » Tue Jan 11, 2005 3:21 pm

I followed the XP / slipstreamed SP2 procedure posted here for my t42, and it worked flawlessly.

Unfortunately, I have a file I encrypted through XP before the reinstall, and though I backed it up, when I reinstalled, I can't access it anymore. Since I wiped my HD, I don't think I can designate any account on my current setup as the recovery agent. Do I have any options for recovering this file? It is of some importance. Thanks!
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.

lvlolvlo
Sophomore Member
Posts: 228
Joined: Mon Aug 02, 2004 11:43 pm

#2 Post by lvlolvlo » Tue Jan 11, 2005 11:13 pm

Unless you backed up your public key (certificate), which is what Windows uses to encrypt your file, you might as well say bye bye....but let me search around a bit and give you an AFAIK answer....

*edit*

Confirmed, sorry mate, no way that I know of, at least as per this MS doc:
If the key pair is lost or damaged and you have not designated a recovery agent, and then there is no way to recover the data.
Scroll down and look just above "Why you must back up your certificates"

http://support.microsoft.com/default.as ... -us;223316

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#3 Post by Kenn » Wed Jan 12, 2005 1:23 am

Thanks a lot, that was what I was afraid of :(

It was silly of me to format without safeguarding an encrypted file, but I guess I was under the impression that it couldn't be hard to recover because "everything else Microsoft makes is full of holes."

As much of a mea culpa this was, I do think it would have been good for the OS to inform users of the certificate scheme when they first encrypt a file. I have to admit I had no idea until I started reading up on it after the fact!
lvlolvlo wrote: Unless you backed up your public key (certificate), which is what Windows uses to encrypt your file, you might as well say bye bye....but let me search around a bit and give you an AFAIK answer....

*edit*

Confirmed, sorry mate, no way that I know of, at least as per this MS doc:
If the key pair is lost or damaged and you have not designated a recovery agent, and then there is no way to recover the data.
Scroll down and look just above "Why you must back up your certificates"

http://support.microsoft.com/default.as ... -us;223316
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.

Leon
ThinkPadder
Posts: 1796
Joined: Wed May 26, 2004 6:04 pm
Location: Boston, MA USA

#4 Post by Leon » Wed Jan 12, 2005 8:59 am

Yes, Microsoft needs to be more clear; this is a common occurrence. I heard of one person who lost a large amount of work-related photos in an encrypted file this way......

pdudas
Junior Member
Posts: 258
Joined: Wed Dec 29, 2004 12:00 pm
Location: Europe/Hungary/Budapest

#5 Post by pdudas » Thu Jan 13, 2005 12:43 pm

I found a util on the net.

in the nfo :

" Advanced EFS Data Recovery (or simply AEFSDR)
is a program to recover (decrypt) files
encrypted on NTFS (EFS) partitions created in
Windows 2000 and Windows XP. Files are being
decrypted even in a case when the system is
not bootable and so you cannot log on, and/or
some encryption keys have been tampered.
Besides, decryption is possible even when
Windows is protected using SYSKEY. AEFSDR
effectively (and instantly) decrypts the files
protected under Windows XP (including Service
Pack 1) and all versions of Windows 2000
(including Service Packs 1, 2, 3 and 4)."

PM me if you want to try it. I can send you by mail.

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#6 Post by Kenn » Thu Jan 13, 2005 1:53 pm

pdudas wrote: I found a util on the net.

in the nfo :

" Advanced EFS Data Recovery (or simply AEFSDR)
is a program to recover (decrypt) files
encrypted on NTFS (EFS) partitions created in
Windows 2000 and Windows XP. Files are being
decrypted even in a case when the system is
not bootable and so you cannot log on, and/or
some encryption keys have been tampered.
Besides, decryption is possible even when
Windows is protected using SYSKEY. AEFSDR
effectively (and instantly) decrypts the files
protected under Windows XP (including Service
Pack 1) and all versions of Windows 2000
(including Service Packs 1, 2, 3 and 4)."

PM me if you want to try it. I can send you by mail.

Thanks for finding this. I had already tried it, and the program only works when you have a certificate/key or a valid recovery agent designated. Since I had neither, my file was listed as "undecryptable." Guess it's just time to start picking up the pieces.
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.

skanky
Senior Member
Posts: 517
Joined: Fri Oct 15, 2004 11:25 am
Location: London, UK

#7 Post by skanky » Fri Jan 14, 2005 3:34 am

Kenn wrote:It was silly of me to format without safeguarding an encrypted file, but I guess I was under the impression that it couldn't be hard to recover because "everything else Microsoft makes is full of holes."

This is the one thing that Microsoft have done that is pretty much bulletproof and not full of holes! ..I made the same mistake last year, well actually I thought it would be fun to try and encrypt my HDD, and well, my boss wasn't happy that I couldn't do any work for the day because I was trying to get my emails/data back! :)

lvlolvlo
Sophomore Member
Posts: 228
Joined: Mon Aug 02, 2004 11:43 pm

#8 Post by lvlolvlo » Fri Jan 14, 2005 5:20 am

Kenn, don't delete those files. I will try to find a way. Just outta curiosity *dumb question*, if those files aren't too sensitive can I get a copy of one so I can work on it in my spare time? Or actually just encrypt any random file and send it to me so I can try.

The reason why I said dumb question is b/c you wouldn't encrypt them if they weren't highly sensitive...lol


Who did you designate as your recovery agent? If you didn't assign anyone then by default it's the root

I know it won't work, but maybe Windows is feelin buggy today. Try loggin in as root...err..sorry Administrator, open DOS and go with

Code:

cipher /u/a <filename>

Try and also find out who can decrypt it

Code:

efsinfo /u <filename>

Go here http://www.sysinternals.com/misc.htm to get the efsinfo program

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#9 Post by Kenn » Fri Jan 14, 2005 8:23 pm

Hi lvlolvlo,

Thanks very much for taking the time to research this! Unfortunately the info is pretty sensitive (essentially financial data and personal passwords, etc.) but I can definitely send you a similarly-encrypted Excel file if you'd like.

I never set a recovery agent, so I guess that makes it the Administrator account. Unfortunately, I've tried creating an identical user account with same u/p, and changing my new admin account to also reflect my prior setup, and nothing works so far. Trying to touch the file with cipher /u gives me the standard "access denied" message.

The good news is, I've learned my lesson and backed up my certificate for my current setup :)
lvlolvlo wrote: Kenn, don't delete those files. I will try to find a way. Just outta curiosity *dumb question*, if those files aren't too sensitive can I get a copy of one so I can work on it in my spare time? Or actually just encrypt any random file and send it to me so I can try.

The reason why I said dumb question is b/c you wouldn't encrypt them if they weren't highly sensitive...lol


Who did you designate as your recovery agent? If you didn't assign anyone then by default it's the root

I know it won't work, but maybe Windows is feelin buggy today. Try loggin in as root...err..sorry Administrator, open DOS and go with

Code:

cipher /u/a <filename>

Try and also find out who can decrypt it

Code:

efsinfo /u <filename>

Go here http://www.sysinternals.com/misc.htm to get the efsinfo program
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.
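
Added example, not part of the thread or any poster's code: the certificate backup mentioned in posts #2 and #9, done before a reinstall from PowerShell on a current Windows release with the built-in PKI module. The backup directory and PFX file naming are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): export each EFS certificate that has a
# private key to a password-protected PFX, then reload it to prove it restores.
param(
    # Assumed destination; copy the files to offline media afterwards.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'efs-key-backup')
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" EKU OID

function Test-IsEfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsEku) { return $true }
            }
        }
    }
    return $false
}

$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-IsEfsCertificate $_ })
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate in CurrentUser\My; nothing to back up.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt any file.
        Write-Warning "$($cert.Thumbprint): no private key here, skipped."
        continue
    }
    $pfx = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop | Out-Null
        # Reload the PFX: a backup only counts if the key is really inside it.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfx, $password
        $ok = $check.HasPrivateKey -and ($check.Thumbprint -eq $cert.Thumbprint)
        $check.Reset()
        if ($ok) { Write-Host "OK: $pfx" } else { Write-Warning "$pfx lacks the matching private key." }
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
    }
}
```

Keep the PFX files and their password off the machine being reinstalled; importing them into the new profile is what lets previously encrypted files open again.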

Moroner
Freshman Member
Posts: 60
Joined: Mon Jun 21, 2004 4:10 pm
Location: The Netherlands

#10 Post by Moroner » Sun Jan 16, 2005 8:08 am

There is one place in your backup where you might be able to find back your key: the registry. Windows stores the keys to be used there (search for EFS), but I would assume that at least the private key is protected by symmetric encryption. It could be that by importing that key, and using exactly the same password as you had before, you might be able to access it. But then again, it could as well be that XP uses different salts (after all, the security IDs of your old and new account will be different).
Since the encryption key is a 1024-bit RSA key, you will be out of luck to break it with brute force (If you could, claim your $100 000)
