Back Up Your Fuile Encryption Certificate and Key

How to Back Up Encrypted Files

When backing up user data on a Windows PC, check with user on if they have somewhere other than their user or documents folder to save their data.

Ask user if they have encrypted any files or folders.  If the users indicate they have encrypted files ask if they know the method and where the files are located, including whether any copies were moved to flash drives or external devices.  Some common tools would be AES Crypt, Bitlocker or Windows File Encryption.

Even if user does not believe they have any encrypted files, check user folders and files through Windows Explorer and take note if any file/folder names are green as that indicates file encryption through Windows EFS.

If system is a Surface make sure to check in Settings > System > About and make certain Device Encryption is turned off.  If turned on, it is recommended to decrypt device through local administrator account by switching this option off prior to making backup.

If system is a Mac, the user would need to be using 3^rd party apps or creating encrypted folders using disk utility (or just setting the password options on individual documents).

For the Windows PC, however, a more thorough search can be done for drives or specific folders that may have been encrypted with EFS by using nirsoft.net/utils/searchmyfiles-x64.zip and selecting the option for Encrypted File Attributes > Yes

SearchMyFiles can be downloaded from http://www.nirsoft.net/utils/search_my_files.html.

If user identifies encrypted files, or encrypted files are found through one of the search methods, then reformat should not be done until the encryption is dealt with first.

Anything encrypted through AESCrypt even files moved to removable media or external devices should be accessible so long as the user has the password.

If Bitlocker encryption has been used then we need to ensure the system is decrypted, and/or the user has the password or the recovery key on either a Microsoft account, external drive or printed out and available – otherwise a complete format and repartitioning of the drive should wipe out the bitlocker encryption.  Files copied from a bitlocker encrypted drive should automatically be decrypted when copied to another location for backup purposes; however, if the user also has bitlocker encrypted flash drives or other external drives we need to be certain they have their passwords and recovery keys for those also.

For EFS encrypted files and folders, they should be decrypted before being moved to another device (such as our OET backup drive) which can be done by unchecking Properties > Advanced > Encrypt contents to secure data checkbox.  This also should be done for any files they may have moved to a flash drive or other external device as the encryption is specific to the user and Windows SIDs.

Even if no encrypted files have been identified by the user or found during the search, before moving forward with a reformat any user encryption certificate should be exported and kept on our OET backup along with their files.  And if encrypted files have been identified, they should be decrypted first before moving them.

To export a user's EFS certificate you must login as the user, and go into the Windows Control Panel and search for "certificate".  You also can search in the Windows search or Cortana's search box for certmgr.msc.  Manage User Certificates through Settings Search or Run > certmgr.msc

Once the Certificate Management opens, select Personal > Certificates in the Certificate tree and locate the certificate(s) where the 'Intended Purposes' column identifies Encrypting File System.

(Be careful when looking for the control panel that you are not in the slightly different control panel Manage Computer Certificates – certlm.msc as you will not have the same export options for private keys and won't see the Personal certificates but then have to drill down to other people to see the user certificates).

Select Action > All Tasks > Export or Right click on the EFS certificate and go to All Tasks > Export.  This will open the Certificate Export Wizard.  Select Next, then switch to the option to 'Yes, export the private key'

Click Next and leave the option on the default Personal Information Exchange (.PFX) and click next again.

Then select the security option for password.  Then enter and confirm a password easy to remember.  If both groups and password are checked you will receive the export failed error message at the end of the process.

Then enter a filename for the certificate key backup which corresponds to the user

Click next again, then Finish and you will get a confirmation of the export so long as everything goes well.

Make sure to copy the exported key file along with any user data backups.

If no certificates are shown when starting the certmgr, then we are either under the wrong ID or no EFS encryption has been used.

When restoring the backup of the user data, the EFS backup key file will need to be imported to the user profile once created again through the use of certmgr.  You know you have the right kind of file when if you double click on it the Certifcate Import Wizard launches.  Once you select the file in the import wizard you will have to enter the password created during the key export proces and it is recommended to select the option to make the key exportable.

Back Up Your Fuile Encryption Certificate and Key

Source: https://www.oet.udel.edu/techies/back-encrypted-files/

Share this post