I have a machine here that is joined to a domain. Some days ago, I made a disk image of that workstation because the HDD was beginning to fail. I put the new drive in the machine and the user now complains that he cannot read some of his files. It appears he has a folder tree encrypted by EFS. I put the old disk back in his machine and still cannot read those encrypted files... Is there a way to recover them?
If you set up recovery agents in Group Policy, you should be able to install the recovery agent's private key onto the new machine and decrypt the files when logged in as that user. Another option would be to see if you can export the user's private key from the CA, or if it has already been exported somewhere else, and install this key for the user. If neither of these is a viable option, I believe you are pretty much SOL.
EDIT: To answer the question in the comments.
First, you will need your recovery agent's private (.pfx) key+cert, not just the certificate (.cer).
To import your private key (.pfx) you need to do the following:
Once you have installed the private key, you will be able to decrypt the files.
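The following PowerShell sketch is an added example, not part of the original answer. It imports a .pfx into the current user's store, then uses `cipher /c` to check, file by file, whether any certificate thumbprint recorded on the file matches a certificate in the store that has a private key. The paths are hypothetical placeholders, and the thumbprint parsing assumes `cipher /c` prints each thumbprint after a colon on its own line.

```powershell
# Added example; both paths are hypothetical placeholders.
$PfxPath    = 'C:\Recovery\efs-recovery.pfx'   # recovery agent (or user) key + cert
$TargetRoot = 'D:\Users\someuser\Encrypted'    # encrypted folder tree
$DoDecrypt  = $false                           # set to $true to decrypt in place

# 1. Import the key pair into the current user's Personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword | Out-Null

# 2. Certificates that have a private key and an EFS or File Recovery EKU.
$efsOids = '1.3.6.1.4.1.311.10.3.4', '1.3.6.1.4.1.311.10.3.4.1'
$usable = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId | Where-Object { $efsOids -contains $_ })
    } |
    ForEach-Object { $_.Thumbprint.ToUpper() }

# 3. Thumbprints that cipher /c reports for one file (user and recovery certs).
#    Assumption: each thumbprint follows the last colon on its line.
function Get-EfsThumbprints([string]$Path) {
    cipher /c $Path | ForEach-Object {
        $value = ($_ -split ':')[-1] -replace '\s', ''
        if ($value -match '^[0-9A-Fa-f]{40}$') { $value.ToUpper() }
    }
}

# 4. Walk the tree; report files whose key is available, and those with no match.
$files = Get-ChildItem -LiteralPath $TargetRoot -Recurse -File -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

foreach ($f in $files) {
    $hit = Get-EfsThumbprints $f.FullName | Where-Object { $usable -contains $_ }
    if (-not $hit) {
        "NO KEY     $($f.FullName)"
    } elseif ($DoDecrypt) {
        [IO.File]::Decrypt($f.FullName)   # removes EFS encryption from the file
        "DECRYPTED  $($f.FullName)"
    } else {
        "KEY FOUND  $($f.FullName)"
    }
}
```

Files reported as `NO KEY` were encrypted to a certificate whose private key is not in the store, so importing this .pfx will not help for them.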