Encrypting File System

Encrypted File System
Key Recovery
Philip Noble
(520) 538-7608 or DSN 879-7608,
philip.e.noble.civ@mail.mil
U.S. Army Information Systems Engineering Command
Fort Huachuca, AZ 85613-5300
27 Jul 11
ISEC: Excellence in Engineering
The Problem:
The introduction of Microsoft's Encrypting File System (EFS) has been a boon to file-level security within the DoD. If a laptop is lost, critical data such as HIPAA or PII data is not readily recoverable by the finder, provided the sensitive data was previously encrypted with either EFS or BitLocker. Certain versions of the current Army operating system appear to be configured to require the use of the user's Common Access Card (CAC) to encrypt the symmetric key that actually encrypts the user's files. When the user has to get a new CAC, the user discovers that the files are no longer accessible. Even after the user's old Email Encryption key is recovered, the user cannot recover the encrypted files, because security settings prevent the use of a software private key.
The Solution:
The solution is to do one of the following:
• Install the software private key on a hardware token
• Request that the responsible Key Recovery Agent decrypt the symmetric key for the user
• Change the security settings to allow the use of a software private key
The simplest choice is to permit the use of a software private key.
The following slides identify the procedure to enable the use of a software key to recover encrypted files.
Software EFS Recovery
http://technet.microsoft.com/en-us/library/cc749610(WS.10).aspx
Microsoft Technet discusses the Group Policy Object that controls
the use of hardware and software keys for EFS.
Use the Group Policy Management Console (gpedit.msc) or the Local
Group Policy Editor (secpol.msc) to configure the EFS options. To
view or change the options, expand the Public Key Policies node,
right-click Encrypting File System, and then click Properties.
The policy in question is "Require a smart card for EFS". If enabled, software certificates cannot be used for EFS.
Set this policy to Disabled to allow a software certificate to be used to recover EFS-encrypted files.
Software EFS Recovery
Additional Notes:
1. After the setting is applied, the user may need to run "gpupdate.exe /force" or reboot the platform to inherit the new configuration.
2. The setting should only be modified temporarily for recovery purposes and then reset to require smart cards.
3. There is also a known issue with some versions of enpasflt.dll and the import of soft recovery certificates.
Software EFS Recovery
To open encrypted files stored on a system partition after re-installing the operating system, follow the steps below to re-install your original certificate and key.
• Save the recovered encryption key from the DISA ARA website.
• Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER.
• Click the Personal folder.
• Click the Action menu, point to All Tasks, and then click Import. This opens the Certificate Import wizard.
• Click Next.
• Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next.
If you have navigated to the right location but don't see the certificate you are importing, then, in the list next to the File name box, click Personal Information Exchange.
• Type the password, select the Mark this key as exportable check box, and then click Next.
Note: Do not enable strong private key protection.
• Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish.
After you import the certificate, shut down and restart your computer (a full shutdown, not a reboot); you should then have access to the encrypted files.
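The policy refresh from the "Additional Notes" slide and the certificate import above, scripted in PowerShell as an added example that is not part of the original slides. It assumes the recovered key was saved as C:\Recovery\efs-recovered.pfx (a hypothetical path) and that "Require a smart card for EFS" has already been set to Disabled.

```powershell
# Added example (not from the original slides): re-import a recovered EFS certificate and
# private key from a PFX file and confirm that Windows will use it for EFS.
# Assumption: C:\Recovery\efs-recovered.pfx is a hypothetical location for the recovered key.
param(
    [string]$PfxPath = 'C:\Recovery\efs-recovered.pfx'   # assumed location of the recovered key
)

# Step 1 ("Additional Notes" slide): refresh Group Policy so the relaxed EFS setting takes effect.
gpupdate.exe /force | Out-Null

# Step 2: import into the user's Personal store. -Exportable is the scripted equivalent of the
# "Mark this key as exportable" check box; Import-PfxCertificate does not turn on
# strong private key protection, which matches the slide's note.
$pw   = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $pw -Exportable

# Step 3: verify the certificate is usable for EFS. It must carry a private key and the
# Encrypting File System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$eku = $cert.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasEfsEku = [bool]($null -ne $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid }))
if (-not $cert.HasPrivateKey) { Write-Warning "No private key was imported for $($cert.Thumbprint)" }
if (-not $hasEfsEku)          { Write-Warning "Certificate $($cert.Thumbprint) does not carry the EFS EKU" }

# Step 4: show which EFS certificate the account now uses; the thumbprint cipher reports
# should match the one just imported. cipher /c lists who can decrypt a specific file.
Write-Host "Imported thumbprint: $($cert.Thumbprint)"
cipher.exe /y
# cipher.exe /c 'C:\Users\<user>\Documents\example.docx'   # users and recovery agents able to decrypt
```

Run the script as the affected user (not an administrator's session), since EFS looks for the private key in that user's own profile.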
POC for Additional Information
Philip E. Noble
USAISEC
Information Assurance and Security
Engineering Directorate (IASED)
DSN 879-7608
CML 520-538-7608
FAX DSN 879-8709 CML 520-538-8709
philip.e.noble.civ@mail.mil
philip.noble@us.army.smil.mil
philip.noble@conus.army.smil.mil