Question : Encrypt file on XP and Decrypt on Server 2003, some users work group some on domain

I have a bit of a situation here.  I am cleaning up a mess from a previous admin.  Here is the situation:

We have about 30 XP Pro laptops that are offsite.  20 of them are in a workgroup configuration, 10 of them are connected to the domain.  All of the workstations have a folder under the root of the C drive that is encrypted.  TIF documents on the computer are zipped up and placed inside this encrypted folder, therefore encrypting the zip files.  The users would then connect via VPN to the network and transfer the files via SMB to the server.  The server would then decrypt the ZIP files using the following command:

cipher /d /i /a c:\remotereps\*.zip

(c:\remotereps is the local path on the server where the users would upload their zip files)

All of this was working fine (though I cannot figure out how it worked to begin with).  All of this was done by a previous admin who I cannot contact.
Keep in mind this scenario above was working for computers ON AND OFF the domain.

One day we started getting errors while trying to encrypt folders on remote laptops that were joined to the domain. I then created a proper encryption certificate, adjusted group policy to use this certificate and was able to encrypt folders on laptops again.

After I did that I was not able to decrypt files from computers that are not joined to the domain, but for any computer that is on the domain I can decrypt the work just fine.

My question is how can I get all the computers to be able to send their work up again and have it decrypted by the server?

I guess if I knew how it was working in the first place before I created the new certificate I might be able to fix it, but I have NO IDEA how it was working before.  There are no recovery certificates on the server, nothing.  I actually moved the folder and contents and pointed the end users to a brand new server, and it never had a problem decrypting files.  This, to me, sounds like the files were encrypted in a way that ANY computer running XP or better would be able to decrypt the files.

On the workstations, when they are set up, the folders are encrypted as follows:

cipher /E /F /S:c:\bscan

It is done under the user's LOCAL login account, yet it could still be decrypted on the server (until I made the changes stated above, of course).

There are no certificates imported to the workstations, nothing.  Help would be GREAT!!

Answer : Encrypt file on XP and Decrypt on Server 2003, some users work group some on domain

cipher is an MS built-in app...

Hopefully the transfer is being done over a WebDAV share. If you are using standard Windows file sharing, you might want to look into that, or FTP/SSH (SFTP) or FTP/SSL (FTPS), or something else to protect the data across the wire.

Anyways...

Here's the EFS crash course for admins:
http://technet.microsoft.com/en-us/library/bb457020.aspx

Not sure what cert(s) got updated - I'm guessing the Data Recovery Agent (DRA)?  If that's the case, try looking at the local security policy (secpol.msc) - Public Key Policies - and see if there is a DRA policy defined there; if so, update that.  You'll probably also want to install the certificate (from the .cer file, not the .pfx) on each workstation as well: when installing, choose to manually select the store, then when browsing check 'Show physical stores', then expand Personal - Local Computer.

Afterwards you will need to run this command under each user context that has a valid efs cert on that box:
cipher /u
This will go through and update the EFS certs for every EFS-encrypted file to use the new EFS certs.  This should be done regardless of whether it was the user's EFS cert or the DRA cert.

Since you are copying to the server, you will need to do the same on the server. Since things are working for domain members, this is why I'm assuming it is probably the DRA that you updated via GPO?

If there wasn't a DRA then it's not too late to start using one.  Technically this is best issued from your CA and valid for about 5 years at 2048-bit key strength.  Issue it to a specially created DRA account (don't use the domain admin or anyone else you may want to encrypt data with...), export the issued cert with the private key, and back that up on a flash drive or CD that is locked up - make a backup copy for offsite.  That being said, many choose to use cipher /r filename instead, which will create a 99-year cert with the .cer and .pfx files already - again, back up and lock up the .pfx file.  In either case, delete the .pfx after backing up and validating it copied correctly.

If there's anything you're not sure of just let me know.
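A scripted version of the procedure in the answer above (DRA generated with cipher, private key backed up and verified before deletion, public cert installed on each workstation, existing files re-keyed with cipher /u). This is an added editor's example, not code from the original answer or from Microsoft. It assumes PowerShell 2.0, which XP and Server 2003 can run but do not ship with, an elevated admin session, and placeholder paths (C:\DRA, E:\dra-backup, \\server\share\DRA.cer, C:\bscan) that you would substitute. The cipher switches it calls (/R:name, /U) are the real XP/2003 ones; note the /R switch takes its output name after a colon. Adding the DRA to a workgroup machine's local EFS policy is still the secpol.msc wizard the answer mentions and is not scripted here; on domain members the GPO does that step. One point the answer's WebDAV remark is getting at: over SMB the client decrypts an EFS file before it goes over the wire, and whether it is encrypted again on the server depends on the server folder's attribute and the account doing the write; only WebDAV transfers the file in its encrypted form.

```powershell
# Added example (editor's, not from the original answer). Assumed: PowerShell 2.0 on XP / Server 2003,
# run as an administrator, placeholder paths below. Roles:
#   Server      - generate the DRA with cipher /R, back up the .pfx, delete the working copy
#   Workstation - install the DRA public cert into Local Computer \ Personal, then add it in secpol.msc
#   User        - run cipher /U in each user context that owns encrypted files
param(
    [ValidateSet('Server', 'Workstation', 'User')][string]$Role = 'Server',
    [string]$DraBaseName = 'C:\DRA',                   # assumed output name, no extension
    [string]$BackupDir   = 'E:\dra-backup',            # assumed removable/offline backup location
    [string]$CerPath     = '\\server\share\DRA.cer',   # assumed share where the .cer is published
    [string]$DataFolder  = 'C:\bscan'                  # the folder the workstations encrypt
)

function New-EfsRecoveryAgent([string]$BaseName) {
    # cipher /R:<name> prompts for a password and writes <name>.cer (certificate only) and
    # <name>.pfx (certificate plus private key). The .pfx is the recovery key: whoever holds it can
    # decrypt every file the DRA is applied to, so it must never stay on a workstation.
    & cipher.exe "/R:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /R failed (exit code $LASTEXITCODE)" }
    return @{ Cer = "$BaseName.cer"; Pfx = "$BaseName.pfx" }
}

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Backup-AndRemovePfx([string]$Pfx, [string]$Dest) {
    # "back up and validate it copied correctly" before deleting: compare hashes, not file sizes
    if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
    $copy = Join-Path $Dest (Split-Path $Pfx -Leaf)
    Copy-Item -Path $Pfx -Destination $copy
    if ((Get-Sha256Hex $Pfx) -ne (Get-Sha256Hex $copy)) {
        throw "backup of $Pfx does not match the original; leaving it in place"
    }
    Remove-Item -Path $Pfx
    return $copy
}

function Import-DraCertificate([string]$Cer) {
    # .cer only (no private key) into Local Computer \ Personal, the store the answer points at.
    # The DRA itself is then added in secpol.msc: Public Key Policies > Encrypting File System >
    # Add Data Recovery Agent (a wizard, not scripted here).
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cer)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Update-EfsKeysForCurrentUser {
    # cipher /U touches every encrypted file on local drives and rewrites its user and DRA key
    # fields with the current ones. It only sees files this user can open, so it must run once
    # per user profile that has encrypted files, after the new DRA is in policy.
    & cipher.exe /U
    return ($LASTEXITCODE -eq 0)
}

function Test-Encrypted([string]$Path) {
    # NTFS sets the Encrypted attribute on EFS files and folders; reading it decrypts nothing
    $attr = (Get-Item -Path $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

switch ($Role) {
    'Server' {
        $dra  = New-EfsRecoveryAgent $DraBaseName
        $copy = Backup-AndRemovePfx $dra.Pfx $BackupDir
        "DRA private key backed up to $copy and removed from disk; publish $($dra.Cer) to the workstations"
    }
    'Workstation' {
        $thumb = Import-DraCertificate $CerPath
        "Installed DRA public cert $thumb into LocalMachine\My; now add it as DRA in secpol.msc"
        "Encrypted attribute on $DataFolder : $(Test-Encrypted $DataFolder)"
    }
    'User' {
        if (Update-EfsKeysForCurrentUser) { "cipher /U completed for $env:USERNAME" }
        else { Write-Warning "cipher /U reported errors for $env:USERNAME; check files it could not open" }
    }
}
```

Run it once with -Role Server where the DRA is generated, once per laptop with -Role Workstation (followed by the secpol.msc step on the workgroup machines), and then once per user profile with -Role User so that files encrypted under each local account pick up the new recovery agent. The same User step is needed on the server for whichever account owns the uploaded zip files, as the answer notes.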