EFS private key in active directory?

    Question

  • Where is the private key stored for EFS in Active Directory?  I'm guessing it's stored in AD because I can log in to one machine as UserA, encrypt a file on a network share, then log in as UserA on a different machine and read the file.

    Also, how do you keep it from being stored in AD?  When creating the template I unchecked the box that says "Publish certificate in Active Directory".  So, I don't see anything in the userCertificate attribute of the user, but where is the private key?

    Monday, April 18, 2011 4:27 PM

Answers

  • By default, private keys are never stored in AD. The only way to store them in AD is to implement the Credential Roaming Service. In your case, when you encrypt a file on a network share, your user profile is loaded on the remote machine and the file is encrypted there (no local resources or certificates are used). The remote server must be trusted for delegation (if the remote computer is a domain controller, it is trusted for delegation by default).


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    • Marked as answer by snickered Monday, April 18, 2011 6:18 PM
    Monday, April 18, 2011 5:03 PM
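The checks behind this answer, as an added PowerShell example that is not part of the thread and not Vadims's code. It confirms that userCertificate holds no private key, that the file server is trusted for delegation (which is what lets it load the user's profile and encrypt on the user's behalf), and that the thumbprint that can decrypt a file on the share may not match any key in the local profile. The ActiveDirectory RSAT module, cipher.exe and the EFS EKU OID are real; the user UserA, the server FILES01 and the share \\FILES01\Data are assumed names.

```powershell
# Added example, not from the original thread. Assumed (hypothetical) names:
#   user UserA, file server FILES01, share \\FILES01\Data.
# Run as UserA on a domain-joined client with the ActiveDirectory RSAT module installed,
# so that Cert:\CurrentUser\My is UserA's own certificate store.

Import-Module ActiveDirectory

$UserName   = 'UserA'                            # assumed
$ServerName = 'FILES01'                          # assumed
$TestFile   = "\\$ServerName\Data\efs-test.txt"  # assumed share path

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

# 1. Is anything published on the user object? With "Publish certificate in Active
#    Directory" unchecked on the template this should be 0. Even when it is populated,
#    userCertificate holds only the public certificate, never the private key.
$user = Get-ADUser -Identity $UserName -Properties userCertificate
"userCertificate entries on {0}: {1}" -f $UserName, @($user.userCertificate).Count

# 2. Is the file server trusted for delegation? Without it the server cannot act as the
#    user, load the user's profile and run the EFS operation there.
$computer = Get-ADComputer -Identity $ServerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
"{0} trusted for (unconstrained) delegation: {1}" -f $ServerName, $computer.TrustedForDelegation
if ($computer.'msDS-AllowedToDelegateTo') {
    "{0} constrained delegation targets: {1}" -f $ServerName, ($computer.'msDS-AllowedToDelegateTo' -join ', ')
}

# 3. Which EFS certificates, with or without private keys, are in the local user profile?
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }
foreach ($c in $efsCerts) {
    "Local EFS cert {0} thumbprint {1} private key present: {2}" -f $c.Subject, $c.Thumbprint, $c.HasPrivateKey
}

# 4. Encrypt a test file on the share and list who can decrypt it. cipher.exe /c prints the
#    user names and certificate thumbprints in the file's EFS metadata; if the thumbprint is
#    not among the local certificates above, the key pair used was the one in the profile
#    loaded on the server, not one on this client.
Set-Content -Path $TestFile -Value 'efs test'
[System.IO.File]::Encrypt($TestFile)
cipher.exe /c $TestFile
```

If step 4 fails with an access-denied or "the specified file could not be encrypted" error while local encryption works, step 2 is the first thing to revisit: a member file server, unlike a domain controller, is not trusted for delegation by default.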

All replies

  • I can't believe I didn't notice the profile on the remote machine (which is a DC).  Thanks Vadims.
    Monday, April 18, 2011 6:19 PM