none
using EFS recovery certificate to decrypt files

    Question

  • Hi, I am considering using EFS to encrypt some sensitive files.  But I have a very healthy fear of encryption, so I don't want to do anything until I have proven two things:

    1) I can take the EFS key and decrypt the files on another PC

    2) I can decrypt the files on another PC using an EFS recovery certificate

    I am OK on #1, but I'm having trouble with the second item.  I have two users on my PC -- 'userA' (my main account) and 'administrator.'  I logged in as 'administrator' and tried creating an EFS recovery certificate by following the instructions in this article:

    http://windows.microsoft.com/en-US/windows7/Create-a-recovery-certificate-for-encrypted-files

    When I browse to the recovery certificate to install it, the wizard shows 'USER_UNKNOWN' under 'recovery agents' and 'Administrator' under 'certificates.'  I'm guessing the 'USER_UNKNOWN' is the issue, since for some reason I cannot open files using the recovery certificate after completing the steps.

    Is the problem the fact that I'm creating the recovery certificate AFTER I created my EFS certificate?  If so, is it safe for me to simply delete all the EFS certificates (I have no encrypted files, only one test file for use with this) and start from scratch, creating the EFS recovery certificate first?

    Thanks

     

    Sunday, November 06, 2011 4:23 AM

All replies

  • Hi,

     

    Thank you for your question.

     

    I am trying to involve someone familiar with this topic to further look at this issue.

     

     

    Regards,

    Leo   Huang


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, November 08, 2011 2:45 AM
    Moderator
  • Can you provide a screen shot of the USER_UNKNOWN error?

    You can recover the the files on another PC if you have a domain recovery agent defined; if you havent defined it already then use cipher /u to update the currently encrypted files.

     

     


    Sumesh P - Microsoft Online Community Support
    Wednesday, November 09, 2011 3:30 AM
    Moderator
  • Ok, so i just figured where you are seeing the USER_UNKNOWN message.

    It seems it is expected and you can move past it:

    937536 Error message when client computers encrypt a file in a Windows Server 2003 domain: “Recovery policy configured for this system contains invalid recovery certificate”

    Note

    When you open the .cer file, you see USER_UNKNOWN in the Recovery Agents field. This message is expected. Also, you receive a warning message from the Add Recovery Agent Wizard that the certificate is not trusted.

     

    324897 How to manage the encrypting file system in Windows Server 2003

    If you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the name is not stored in the file.


    Sumesh P - Microsoft Online Community Support
    Wednesday, November 09, 2011 3:37 AM
    Moderator
  • Any update on this?

    You should be able to open the files after updating the recovery info with cipher /u

     


    Sumesh P - Microsoft Online Community Support
    Monday, November 14, 2011 11:21 AM
    Moderator