I backed up a user's SystemCertificates folder and encrypted documents from an XP Pro installation. That installation is now gone and I'm trying to import the XP Pro certificates from the (old, backed-up XP) SystemCertificates folder into that user's new Windows 7 Enterprise installation. The ONLY certificate I care about is the EFS key for the encrypted docs.
It would seem I would have done better to export the user's XP/EFS certificates, rather than simply backing up the folder. Sigh... Live and learn.
In any case, I've been trying to import using certmgr.msc. Only one of the certificates will import successfully - it's one of two certificates in the (old/XP) SystemCertificates/Certificates/My store. And - you guessed it - it's not the one that will open the encrypted docs.
When I look at properties/advanced/detail for any of the encrypted docs, the thumbprint exactly matches the filename for the other of the two certificates in the System Certificates/Certificates/My store. Which would seem to indicate that's the one I need, yes? Except, as I said, it won't import: "The specified file is empty. Select a different file."
Other things I've tried:
· Import of the certificate directly on the server using a sysadmin account. Had high hopes for this one, as my recollection is that when the user's XP Pro docs were encrypted, the machine was joined to the SBS 2008 domain. Alas.
· On a machine with an existing XP Pro installation, logged on as the user whose encrypted docs I'm trying to unlock and tried to import. Nope.
· Another variation I tried while logged on to the XP machine with that user's account was simply replacing the SystemCertificates folder with the old one. (That last bit is especially embarrassing to admit, but hey, when you're desperate...)
Gulp. Am I out of luck?
If you cannot access the certificate, then you are out of luck. This is one of the reasons I don't use BitLocker or let Windows encrypt my folders (I lost several years of tax info because of this). Instead I use TrueCrypt, which provides the same functionality but doesn't have these issues.
Hi Peter, thanks for the response.
I can see (what I think is) the certificate in the backed up System Certificates folder. But it's true that, essentially, I can't access it. When you lost your encrypted data, was the scenario similar?
This is a digression from the main topic, but I've learned a good deal from non sequiturs in other techie forums, so: A semi-bright spot in this debacle is that I have an old backup of the user's documents, pre-encryption. (Thank you, Fred Langa, for impressing upon me the usefulness of archiving really old backup jobs. One never knows what sort of unpleasantness is going to hit the fan.) Documents the user created since that old backup exist only in encrypted form, and may be gone forever, but at least I can salvage something.
Anyway, I'm not ready to throw in the towel yet. Anyone else have ideas?
You could be running into ownership issues on the files. Even using the same user account when switching from machine to machine does not mean the internal ID will match. Have you tried taking ownership of the certificate file?
Joe, thanks for responding. The user in question is listed as the owner for the SystemCertificates folder, as well as the certificates contained therein.
I did a bit more research and found this article on MS TechNet. It's part of the Win 2000 Server Resource Kit, but as far as where EFS keys are stored, it still seems applicable to this situation.
I have all of the folders/keys mentioned in that article backed up. But none of them will restore directly from the backed up folders.
Anyone else have experience in this area?
Actually, I had not backed up my certificates. And when my laptop gave up the ghost, I could get at everything on the hard drive except my encrypted stuff (I put the disk drive into a USB enclosure and tried to access it from my new laptop). The worst thing was knowing that if I could find someone else with my same defunct laptop (or perhaps a laptop that used a PATA drive), I could swap drives with them, boot from the disk, and access and unencrypt the files.
Originally Posted by sjjjjjjj
Exactly what is it that you see in the System Certificates folder? A screen shot, or better yet, the output from a 'dir' in the Command Prompt, would help. The question is whether the files in the folder are in a state that they can be used to import the certificates. In other words, how the certificates are stored for use by the OS might not be the same format that is used to export/import the certificates. Though there is always the possibility that there is a utility that will extract individual certificates from a certificate store.
Thanks again for your willingness to help.
At the moment, I don't have time to generate screen shots or command prompt output. What I can share is that the user's entire Documents and Settings folder was backed up and the stuff in there is "stock," i.e., what one would see if simply using Win Explorer to browse the folders. Of course, certmgr.msc doesn't see anything because the registry doesn't have the proper data for the certificates and keys. (Curses that I didn't have the storage capacity to create an image of that disk. I probably could have backed up the registry, though. Noted for next time.)
Yes, it would seem the data isn't in a form that is usable. Regarding a tool to make them so, I've read a bit about the cipher command-line utility that may be able to do the job. Haven't been able to grok the syntax, though, or done further research on how to use it. I'll continue to research and post my experiences. Of course, if anyone else has experience, I'd be more than happy if you beat me to it.
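Added example (editor's addition, not something any poster in this thread wrote): a PowerShell script that does the three things the thread circles around. It lists the EFS certificates in the current user's personal store together with whether the private key is actually present, asks cipher.exe which certificate thumbprints an encrypted file was protected with and compares them against the store (the same check the original poster did by hand through the file's Properties > Advanced > Details), and backs the EFS certificate and key up to a password-protected PFX with cipher /x, which is the export step that would have avoided this situation. Assumptions: Windows 7 or later with PowerShell 3.0+, the document and backup paths are constructed placeholders, and the regex assumes cipher /c prints thumbprints as ten space-separated groups of four hex digits.

```powershell
# Added example, not code from any poster in this thread.
# Assumptions: Windows 7+ with PowerShell 3.0+; the paths in the usage
# section are constructed placeholders.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # OID of the Encrypting File System EKU

# Every certificate in Cert:\CurrentUser\My that carries the EFS EKU, with a
# flag showing whether the private key is present on this machine. A
# certificate whose private key is missing cannot decrypt anything, which is
# the state a copied SystemCertificates folder leaves you in.
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku } |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

# cipher /c prints, for an encrypted file, each user who can decrypt it and
# that user's certificate thumbprint (assumed format: ten groups of four hex
# digits separated by spaces). Collapse the groups to the 40-character form
# the certificate store uses so the two can be compared directly.
function Get-EfsFileThumbprint([string]$Path) {
    $out = & cipher.exe /c $Path 2>&1 | Out-String
    [regex]::Matches($out, '(?i)(?:[0-9A-F]{4} ){9}[0-9A-F]{4}') |
        ForEach-Object { ($_.Value -replace ' ', '').ToUpperInvariant() } |
        Sort-Object -Unique
}

# Pair each thumbprint cipher reports for the file with whether a matching
# certificate AND private key exist in the user's store.
function Test-EfsKeyAvailable([string]$Path) {
    $usable = @(Get-EfsCertificate |
                Where-Object { $_.HasPrivateKey } |
                ForEach-Object { $_.Thumbprint.ToUpperInvariant() })
    foreach ($tp in Get-EfsFileThumbprint $Path) {
        [pscustomobject]@{
            File              = $Path
            Thumbprint        = $tp
            PrivateKeyPresent = ($usable -contains $tp)
        }
    }
}

# Back up the EFS certificate and private key to a PFX. Without -ForFile,
# cipher /x backs up the user's current EFS certificate; with it, the
# certificate that protects that particular file. cipher prompts for a
# password for the PFX and appends the .pfx extension itself. Store the file
# and the password somewhere other than the machine you might lose.
function Backup-EfsKey([string]$PfxPath, [string]$ForFile) {
    if ($ForFile) { & cipher.exe "/x:$ForFile" $PfxPath }
    else          { & cipher.exe /x $PfxPath }
}

# Usage (placeholder paths):
Get-EfsCertificate | Format-Table -AutoSize
Test-EfsKeyAvailable 'C:\Users\jsmith\Documents\secret.docx' | Format-Table -AutoSize
Backup-EfsKey -PfxPath 'D:\backup\jsmith-efs' -ForFile 'C:\Users\jsmith\Documents\secret.docx'
```

A row from Test-EfsKeyAvailable with PrivateKeyPresent set to False is exactly the situation described in the thread: the thumbprint on the file is known, but nothing in the store can use it. Running Backup-EfsKey while the account still has its working key, and keeping the PFX off the machine, is what turns that into a recoverable state.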