Answers to this quandary, and how I found/derived them below.
Third-party certification authority support for encrypting file system
Encrypting File System in Windows XP and Windows Server 2003
There are two ways to do this: makecert.exe and using openssl.
The easy way
The easiest is with makecert.exe, but that doens’t provide you with a trusted cert. Our departmental CA runs on Solaris and uses OpenSSL.
Chris Blankenship’s post “How to Pre-Create an EFS Certificate”
Downloaded makecert.exe from here
Below are the makecert options that I use to create certificates compatible with EFS and File Recover. Many thanks to Chris Blankenship’s post (see link above).
For the users:
makecert.exe -n “CN=User Name,OU=Computer Science,O=Texas A&M University,L=College Station,S=TX,C=US” -pe -sky exchange -m 96 -a sha1 -eku 126.96.36.199.4.1.3188.8.131.52 -len 1024 -m 1200 User_EFS.cer
For the admins:
makecert.exe -n “CN=Admin Name,OU=Computer Science,O=Texas A&M University,L=College Station,S=TX,C=US” -pe -sky exchange -m 96 -a sha1 -eku 184.108.40.206.4.1.3220.127.116.11.1,18.104.22.168.4.1.322.214.171.124 -len 1024 -m 1200 EFS_and_Recovery.cer
The way I do it
I already have a trused Certificate Authority (OpenSSL on UNIX), so my original goal was to create a EFS and File Recovery certificate using the existing CA. This method can also be used to generate certificates in Windows using OpenSSL. OpenSSL binaries for Windows can be found here.
The following 3 lines are the OpenSSL commands for generating the certificate. Andy Echols figured this out for me, I don’t claim to have those skills. The pcks12 format includes public and private keys for the certificate, and is easy to import and use in Windows.
- openssl req -new -days 365 -nodes -keyout Finished/username-key.pem -out Meta/username-req.pem -config Meta/efs-fr.cnf
- openssl ca -policy policy_anything -in Meta/username-req.pem -out Finished/username-crt.pem -extfile Meta/efs-fr.cnf
- openssl pkcs12 -export -in Finished/username-crt.pem -inkey Finished/username-key.pem -certfile cacert.pem -out Finished/username.p12
The Meta/efs-fr.cnf config file is below.
extensions = exts [ exts ] extendedKeyUsage = 126.96.36.199.4.1.3188.8.131.52,184.108.40.206.4.1.3220.127.116.11.1 [ req ] default_bits = 1024 distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] C = US ST = Texas L = College Station O = Texas A&M University OU = Awesome CN = User Name emailAddress = email@example.com
Final steps for creating a recovery agent
1. Import your cert
- Log into a domain controller as an Enterprise Administrator (I’ll use FRuser for this example)
- Import your File Recovery certificate
- Verify the import worked and the certificate shows the File Recovery property in the Enhanced Key Usage (see image above). Verification steps: start -> run -> mmc -> OK -> File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Close -> OK -> expand Certificates – Current User -> Personal -> Certificates -> double-click the name of the certificate you just imported -> click the Details tab -> select the Enhanced Key Usage line and verify “File Recovery” shows up (like the image above).
2. Assign your cert to your user
- Open Active Directory Users and Computers
- Open the properties for your user
- Click the Published Certificates tab. If you don’t see this tab. Click View -> Advanced Features in the Active Directory Users and Computers window.
- Click the Add from Store button
- Select your File Recovery certificate and click the “View Certificate” button to make sure you selected the right one
- Click OK in the Select Certificate window to add the cert to Published Certificates
3. Add yourself as a recovery agent for the domain
- In Active Directory Users and Computers, right-click the domain (or a test OU) and select properties
- Click the Group Policy tab and edit the Default Domain Policy
- Drill down to the EFS folder (Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System)
- Right-click the Encrypting File System folder and select Add Data Recovery Agent…
- In the wizard, click Next to skip the intro -> Browse Directory -> search for your username -> select your username from the results -> OK. You will also have to click “Yes” to say you understand that “Windows cannot determine if this certificate has been revoked.” This message is displayed because you are using a non-Microsoft CA. Click Next -> Finish
- You should now see your certificate in the GPO
4. Testing EFS & File Recovery
- Log on to a domain workstation as a regular user (non-domain admin)
- Create a new folder on your desktop called efs_test
- Right-click the folder -> properties -> Advanced -> check the box “Encrypt contents to secure data” -> OK -> OK
- If you get an error, you may need to run gpupdate on your workstation to make sure the GPO created in the previous section is effective
- After encrypting the folder, create a new text file in the folder and type a few lines, save the file and log out.
- Log into the workstation as the File Recovery user.
- Import your File Recovery certificate and private key. This is critical! The file was encrypted using public keys from the regular user and from the File Recovery user. The file is decrypted using the private key, so that must be imported on the local machine for the FR user.
- You should now be able to go into the user’s folder and read the encrypted file.
- Running gpresult from the command line on the workstation can help troubleshoot GP issues, especially if you added a new GPO that conflicts with the Default Domain Policy.
If any comments to this post result in valueable troubleshooting steps, I’ll be sure to post those here.
A grahical illustration of how Windows encryption and file recovery works can be found here.