Encrypted File System Key Recovery - PowerPoint PPT Presentation

1
Encrypted File System Key Recovery
  • Philip Noble
  • (520) 538-7608 or DSN 879-7608,
  • philip.e.noble.civ_at_mail.mil
  • U.S. Army Information Systems Engineering Command
  • Fort Huachuca, AZ 85613-5300
  • 27 Jul 11

2
The Problem
The introduction of Microsoft's Encrypted File System (EFS) has been a boon to file-level security within the DoD. If a laptop is lost, critical data such as HIPAA or PII is not readily recoverable by the finder, provided the sensitive data was previously encrypted with either EFS or BitLocker. Certain versions of the current Army operating system appear to be configured to require the use of the user's Common Access Card (CAC) to encrypt the symmetric session key that physically encrypts the user's files. When the user has to get a new CAC, they discover that the files are no longer accessible. Even after the user's old Email Encryption key is recovered, the user cannot recover the encrypted files, because the security settings do not allow the use of a software private key.
3
The Solution
  • The solution is to either:
      • Install the software private key on a hardware token,
      • Request that the responsible Key Recovery Agent decrypt the symmetric key for the user, or
      • Change the security settings to allow the use of a software private key.
  • The simplest choice is to permit the use of a software private key.

The following slides identify the procedure to enable the use of a software key to recover encrypted files.
4
Software EFS Recovery
http://technet.microsoft.com/en-us/library/cc749610(WS.10).aspx

Microsoft TechNet discusses the Group Policy Object that controls the use of hardware and software keys for EFS. Use the Group Policy Management Console (gpedit.msc) or the Local Group Policy Editor (secpol.msc) to configure the EFS options. To view or change the options, expand the Public Key Policies node, right-click Encrypting File System, and then click Properties. The policy in question is "Require a smart card for EFS": if enabled, software certificates cannot be used for EFS. Set this policy to disabled to use a soft certificate to recover an EFS file system.
5
Software EFS Recovery
Additional Notes
  1. After the setting is applied, the user may need to run "gpupdate.exe /force" or reboot the platform to inherit the new configuration.
  2. The setting should only be temporarily modified for recovery purposes and then reset to require smart cards.
  3. There is also a known issue with some versions of the enpasflt.dll and the import of the soft recovery certs.
6
Software EFS Recovery
To open encrypted files stored on a system partition after re-installing the operating system, follow the steps below to re-install your original certificate and key.
  • Save the recovered Encryption key from the DISA ARA website.
  • Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.
  • Click the Personal folder.
  • Click the Action menu, point to All Tasks, and then click Import. This opens the Certificate Import wizard.
  • Click Next.
  • Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next.
  • If you have navigated to the right location but don't see the certificate you are importing, then, in the list next to the File name box, click Personal Information Exchange.
  • Type the password, select the "Mark this key as exportable" check box, and then click Next.
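
One way to confirm that the key imported in the steps above is the one the files were actually encrypted to, as an added example that is not part of the original slides. It assumes Windows PowerShell 3.0 or later and English-language `cipher.exe /c` output containing "Certificate thumbprint:" lines; the function names and the sample text are constructed for illustration.

```powershell
# Added example, not from the original presentation.
# Compares the certificate thumbprints an EFS file was encrypted to against
# the certificates (with private keys) in the current user's Personal store.

function Get-EfsFileThumbprint {
    param([string[]]$CipherOutput)
    # cipher /c prints thumbprints as space-separated hex groups (assumed
    # English output); normalise to the 40-character form the store uses.
    foreach ($line in $CipherOutput) {
        if ($line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-EfsRecoveryKey {
    param([Parameter(Mandatory)][string]$Path)
    # Thumbprints of every certificate that can decrypt the file.
    $needed = Get-EfsFileThumbprint -CipherOutput (& cipher.exe /c $Path)
    if (-not $needed) {
        Write-Warning "No EFS certificate thumbprints reported for $Path"
        return
    }
    # Certificates in the Personal store that have an associated private key.
    $mine = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
    foreach ($tp in $needed) {
        $cert = $mine | Where-Object Thumbprint -eq $tp | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint = $tp
            KeyInStore = [bool]$cert      # False: this key was not imported
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    }
}

# Constructed sample of cipher /c output, to exercise the parser offline.
$sample = @(
    '  Users who can decrypt:',
    '    EXAMPLE\jdoe [jdoe(jdoe@EXAMPLE)]',
    '    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567',
    ''
)
Get-EfsFileThumbprint -CipherOutput $sample

# On the workstation, after the import (path is a placeholder):
# Test-EfsRecoveryKey -Path 'C:\Users\<user>\Documents\<encrypted file>'
```

If every row shows KeyInStore as False, the recovered key does not match the certificate the file was encrypted with, and a different escrowed key is needed.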

7
POC for Additional Information
Philip E. Noble
USAISEC Information Assurance and Security Engineering Directorate (IASED)
DSN 879-7608, CML 520-538-7608
FAX DSN 879-8709, CML 520-538-8709
philip.e.noble.civ_at_mail.mil
philip.noble_at_us.army.smil.mil
philip.noble_at_conus.army.smil.mil