EFS in Vista

  • Question

  • Hello

    I have the following problem with EFS.

    I have used the same certificate since July 2000 and tested it on Windows 2000, 2003 Server, XP and different early builds of Windows Longhorn-Vista.

    But now, after installing the Vista RC1 build, I can't access files from Windows XP or 2003 Server that have been encrypted in Vista. In the file properties it is shown that the files were encrypted with AES 256 bit using my certificate - but I still cannot access them in Windows XP.

    I suppose that the encryption algorithms were changed, but I found no technical documentation at all, and moreover cipher.exe says all files are encrypted using AES 256 bit, an algorithm which is also used in Windows XP.

    Please don't tell me about a wrong certificate - this is not the problem I am experiencing. Can someone explain to me what happened with EFS compatibility in Vista?

    Saturday, October 21, 2006 11:13 AM

All replies

  • I am having the same exact problem. Did you ever find an answer?
    Wednesday, January 31, 2007 5:34 AM
  • Is this on RTM or on RC1/RC2? I heard about issues with non-RTM, but this works fine for me in the RTM.
    Thursday, February 1, 2007 4:34 AM
  • I am using 64 bit RTM
    Thursday, February 1, 2007 6:29 AM
  • No, I haven't found a solution to the problem and I had to install Vista both on my home PC and my notebook :)
    Friday, February 2, 2007 6:36 AM
  • both in RC1 and RTM MSDN builds...
    Friday, February 2, 2007 7:11 AM
  • I wish I could do that, but I have to keep XP around so I can VPN into work and for some older games.
    Friday, February 2, 2007 1:49 PM
  • anyone else have an update on this?
    Saturday, February 17, 2007 1:17 PM
  • I have the same problem with my files on a USB drive. I have Vista at work and XP at home. Files encrypted with Vista EFS result in "Access Denied" when opening them in XP, even though I use the same certificate. Haven't found anything on this yet. There is probably some difference in implementation.

    Felipe

    MCSE+M CCNA Linux+

    Monday, April 2, 2007 10:48 PM
  • I tried downgrading the cipher in Vista to use DESX, which is also compatible with Windows 2000. Still no success, though. I get "access denied" on Windows XP.

    If I encrypt the file on Windows XP I can read it on Vista. But if I encrypt it on Vista, Windows XP gets an access denied. Using the "cipher /c" command on Vista reveals a difference between files encrypted on XP and on Vista. Look at this dump:
    --------------------------------
    E:\>cipher /c

     Listing E:\
     New files added to this directory will be encrypted.

    E classif.txt
      Users who can decrypt:
        FelipeC(FelipeC@nonono.br)
        Certificate thumbprint: 0973 D730 CCAF B4AA 08E3 BF46 1AEF 1380 BC7B 0352

      No recovery agent found.

      Key Information:
        Algorithm: DESX
        Key Length: 128
        Key Entropy: 128

    E test.txt
      Users who can decrypt:
        E6489263\user [FelipeC(FelipeC@nonono.br)]
        Certificate thumbprint: 0973 D730 CCAF B4AA 08E3 BF46 1AEF 1380 BC7B 0352

      No recovery agent found.

      Key Information:
        Algorithm: DESX
        Key Length: 128
        Key Entropy: 128
    ---------------------------

    The first file was encrypted in XP and the second one on Vista. Vista seems to add more information to "Users who can decrypt". Does anybody have a clue why?

    Tuesday, April 3, 2007 12:44 PM
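
The `cipher /c` comparison described in the post above, as an added example (not part of the original thread): a Python parser for that listing that groups files by which of the two "Users who can decrypt" entry forms they carry. The sample listing is constructed with placeholder host, user and thumbprint values, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the dump above; host, user and thumbprint are placeholders.
SAMPLE = """\
E classif.txt
  Users who can decrypt:
    UserA(UserA@example.test)
    Certificate thumbprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
  No recovery agent found.
  Key Information:
    Algorithm: DESX
E test.txt
  Users who can decrypt:
    HOST01\\user [UserA(UserA@example.test)]
    Certificate thumbprint: 0000 1111 2222 3333 4444 5555 6666 7777 8888 9999
  No recovery agent found.
  Key Information:
    Algorithm: DESX
"""

ACCOUNT_FORM = re.compile(r"^\S+\\\S+ \[.+\]$")  # "MACHINE\account [subject]"

def parse_cipher_c(text):
    """Parse `cipher /c` text into {file: {"users", "thumbprints", "key"}}."""
    files, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^[EU] \S", raw):  # unindented status letter + file name
            cur, section = files.setdefault(line[2:], {"users": [], "thumbprints": [], "key": {}}), None
        elif cur is None or not line:
            continue
        elif line.endswith(":") or line.startswith("No recovery agent"):
            # Section headers; anything other than the two tracked ones is ignored.
            section = {"Users who can decrypt:": "users", "Key Information:": "key"}.get(line)
        elif section == "users" and line.startswith("Certificate thumbprint:"):
            cur["thumbprints"].append(line.split(":", 1)[1].replace(" ", ""))
        elif section == "users":
            cur["users"].append(line)
        elif section == "key" and ":" in line:
            k, v = line.split(":", 1)
            cur["key"][k.strip()] = v.strip()
    return files

def group_by_entry_form(files):
    """Group file names by the form of their first 'Users who can decrypt' entry."""
    groups = {"subject-only": [], "account-prefixed": []}
    for name, info in files.items():
        if info["users"]:
            form = "account-prefixed" if ACCOUNT_FORM.match(info["users"][0]) else "subject-only"
            groups[form].append(name)
    return groups
```

Run over the saved output of `cipher /c` for a shared volume, this lists which files carry which entry form; the thread does not establish that the entry form is what causes the failure on XP.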
  • DESX is rather weak, don't want to use it anyway.

    To my mind there is no difference between "FelipeC(FelipeC@nonono.br)" and "E6489263\user [FelipeC(FelipeC@nonono.br)]". Is "E6489263" the name of your PC?

    I still haven't found how to decrypt files encrypted in Vista, and due to this bug (or unknown feature) and many other things I finally gave up on Vista temporarily.

    It's so strange that this "feature" hasn't been documented yet...

    Tuesday, April 3, 2007 4:48 PM
  • Yes, DES is weak. I tried it though to test for cipher compatibility. Doesn't seem to be a problem with the cipher though, but rather some difference in the implementation of EFS in Vista.
    Tuesday, April 3, 2007 5:25 PM
  • I can't but agree :-)

    I even tried to create a new certificate in Vista, encrypt files with it, and decrypt them from XP - nothing works.

    But I will be amazed if there is no workaround... can't believe that Microsoft changed the way Vista works with cipher without any notification...

    Tuesday, April 3, 2007 6:18 PM
  • I am having the same problem.

    For your information, I found a Microsoft article, "Determining How Many Operating Systems to Install"

    (http://technet2.microsoft.com/WindowsVista/en/library/2e329c94-1135-430b-93c2-bad44d22c1691033.mspx), the last section of which says that EFS files can be shared between Vista and XP by exporting/importing the certificate.

    Friday, April 6, 2007 2:33 PM
  • That's what we are doing. But in my case using a USB drive. If Vista encrypts the file then XP can't read it.

    No use in losing sleep over this. I'm using TrueCrypt now...

    Friday, April 6, 2007 3:08 PM
  • Any word on a fix for this? Same problem here: XP SP2 32-bit dual booting with Vista 64-bit RTM MSDN. Vista is happy, but as soon as it encrypts a file XP just gets access denied!! Can't really start using Vista until I can safely access my files from both XP and Vista.
    Saturday, May 19, 2007 12:15 PM
  • I found an expert comment saying that Vista's EFS is not compatible with XP's. It also said that SP1 might solve the problem.

    http://blogs.msdn.com/spatdsg/archive/2007/06/07/efs-and-vista-and-xp.aspx

    cheers

    Friday, July 6, 2007 12:16 PM
  • Windows Vista uses 256-bit AES keys for File Encryption Keys (FEKs), as does Windows XP (SP1 or later).
    But the key length for the user certificate in Windows Vista is different from that of Windows XP.
    Microsoft says that Windows Vista uses a 2048-bit RSA key for asymmetric key encryption.
    http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/planandimplement/54de4f8c-d962-4744-b2da-99f7ad7953df.mspx
    (Search for "User Asymmetric Key Sizes".)
    Windows Server 2008 also uses a 2048-bit RSA key.
    http://technet2.microsoft.com/windowsserver2008/en/library/f843023b-bedd-40dd-9e5b-f1619eebf7821033.mspx?mfr=true
    Windows XP and previous versions use a 1024-bit RSA key for that.
    This may be the cause of the problem.

    Sunday, July 29, 2007 6:57 AM
  • It seems it can't cause the problem, because I use the same key in both Vista and XP.
    Monday, July 30, 2007 5:17 AM
  • How did you manage? I get the same problem: the files encrypted in Vista Ultimate are not readable on an XP Pro machine. From what I read in the posts here everybody else has the problem, so how did you solve it? Thanks

    Monday, August 6, 2007 7:33 AM
  • Wednesday, August 8, 2007 4:29 AM
  • lazy assholes, they admit there is a problem, but "currently no solution available" - what were they doing all this time?
    Sunday, August 12, 2007 5:31 PM
  • I've queried MS on the issue and it doesn't sound like they're going to fix anything:

    Dear XXXX,


    Thank you for contacting Microsoft Customer Service Australia. My name is XXXX.


    As I understand it, before you purchase Windows Vista Ultimate you would like to know if the issue mentioned in Microsoft Support Article KB939391 will be addressed. If my interpretation is incorrect, please do let me know.


    XXXX, please be advised, I have escalated this enquiry to our escalations team for further assessment. Once I receive an update, I will reply to you immediately. The reference number for this enquiry is: XXXX


    Should you have further questions relating to other Microsoft products or services, please do not hesitate to let me know. I will be more than happy to assist you further.


    Alternatively, for immediate assistance, you can contact Microsoft Customer Service on 13 20 58 (Select Option 2 then select Option 1) from Monday to Friday, between 8am - 8pm.


    Thank you for contacting Microsoft.


    Kind regards,


    XXXX XXXX | Correspondence Representative | Microsoft Customer Service | Australia | Fax: +61 2 9870 2466


    Dear XXXX,


    Thank you for your patience.


    XXXX, firstly, we would like to thank you for your e-mail. It's so important for us to hear from customers using our products, so please continue to send us feedback on what we’re doing well and what we can improve.


    Based on broad customer and partner feedback, one of the key changes we made in Windows Vista is around making the PC experience more secure. By design, some of these changes affect the way our partners deliver solutions and consequently, the ways customers use their PCs and work with applications. This can lead to some customer challenges early on.


    Today, we know more about the customer experience with Windows Vista than ever before around key dimensions of performance, reliability etc. We can use anonymous data to help us triangulate the feedback we get from our call support centers, our OEM partners and other forms of customer feedback. That’s helped us shape and focus the work, so we have the maximum positive impact on customer experience, delivering constant updates over time.


    Please know that Microsoft is absolutely focused on delivering the best enterprise and consumer experience. We’ll always have more work to do, but we’re confident about delivering the best set of experiences for our customers and partners now and in the future.


    Again, thank you for your feedback.


    Kind regards,


    XXXX XXXX | Correspondence Representative | Microsoft Customer Service | Australia | Fax: +61 2 9870 2466


    Got to love canned responses that do not address specifically asked questions...


    This is a real issue. It means one cannot access files encrypted via Vista's EFS with any other MS OS despite having the correct certificates!
    Monday, October 29, 2007 4:01 AM
  • I was wondering whether you have yet found a solution for this problem.

    You will note also that the RC1 release of SP1 for Vista also seems to have problems in relation to backward compatibility between the RTM build and itself.

    Whatever is going on with this still doesn't seem to have been fixed.

    Anybody want to tell me otherwise - please.

    Saturday, December 22, 2007 12:14 PM
  • Any news about this now that SP1 is final?
    Wednesday, April 9, 2008 3:33 PM
  • I found that this issue was finally resolved by Vista SP1 and XP SP3.

    Cheers.

    Friday, May 9, 2008 2:29 PM