ISEC: Excellence in Engineering Encrypted File System Key Recovery Philip Noble (520) or DSN , U.S. Army Information Systems Engineering Command Fort Huachuca, AZ Jul 11
ISEC: Excellence in Engineering The introduction of Microsofts Encrypted File System has been a boon to file- level security within the DoD. If a laptop is lost, critical data such as HIPAA or PII is not readily recoverable by the finder provided the sensitive data was previously encrypted with either EFS or Bit Locker. Certain versions of the current Army operating system appear to be configured to require the use of the users Common Access Card (CAC) to encrypt the symmetrical session key that physically encrypts the users files. When the user has to get a new CAC, they discover that the files are no longer accessible. Even after the users old Encryption key is recovered, the user cannot recover the encrypted files because the user cannot use a software private key because of security settings. The Problem:
ISEC: Excellence in Engineering The following slides identify the procedure to enable the use of a software key to recover encrypted files. The Solution: The solution is to either: Install the software private key on a hardware token Request the responsible Key Recovery Agent decrypt the symmetrical key for the user Change the security settings to allow the use of a software private key. The simplest choice is to permit the use of a Software private Key
ISEC: Excellence in Engineering us/library/cc749610(WS.10).aspx Microsoft Technet discusses the Group Policy Object that controls the use of hardware and software keys for EFS. Use the Group Policy Management Console (gpedit.msc) or the Local Group Policy Editor (secpol.msc) to configure the EFS options. To view or change the options, expand the Public Key Policies node, right-click Encrypting File System, and then click Properties. The Policy in question is: Require a smart card for EFS - If enabled, software certificates cannot be used for EFS. Set this policy to disabled for use of a soft certificate to recover an EFS file system. Software EFS Recovery
ISEC: Excellence in Engineering Additional Notes: 1. After the setting is applied, the user may need to run "gpupdate.exe /force" or reboot the platform to inherit the new configuration. 2. The setting should only be temporarily modified for recovery purposes and then reset to require smart cards. 3. There is also a known issue with some versions of the enpasflt.dll and the import of the soft recovery certs. Software EFS Recovery
ISEC: Excellence in Engineering Software EFS Recovery To open encrypted files stored on a system partition after re-installing the operating system, follow the steps below to re-install your original certificate and key. Save the recovered Encryption key from the DISA ARA website Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER. Click the Personal folder. Click the Action menu, point to All Tasks, and then click Import. This opens the Certificate Import wizard. Click Next. Type the location of the file that contains the certificate, or click Browse and navigate to the file's location, and then click Next. If you have navigated to the right location but don't see the certificate you are importing, then, in the list next to the File name box, click Personal Information Exchange. Type the password, select the Mark this key as exportable check box, and then click Next. Note Do not enable strong private key protection. Click Place all certificates in the following store, confirm that the Personal store is indicated, click Next, and then click Finish. After you import the certificate, shut down and restart your computer (not a reboot), you should have access to the encrypted files.
ISEC: Excellence in Engineering POC for Additional Information Philip E. Noble USAISEC Information Assurance and Security Engineering Directorate (IASED) DSN CML FAX DSN CML