Posted by Mike Schmeitz on January 12, 2007, 4:49 pm
Thanks Jesper and Brian for your replies
Unfortunately, it is not possible to export our private keys :-(
I guess there is no other way than to decrypt and re-encrypt the files.
Greetz,
Mike
"Brian Komar [MVP]" wrote:
> MikeSchmeitz@discussions.microsoft.com says...
> > Hi,
> >
> > Want to move a workstation to another forest. The workstation contains EFS
> > encrypted files. What would be the best automated and safest way to keep EFS
> > encrypted (local) files available to users after migration? Both forests have
> > their own CA root.
> >
> > in other words:
> > User1@domain1 has encrypted files on D: drive
> > Workstation and user is migrated to domain2 in a different forest
> > Trusts are available between the domains
> > Different CAs are used for both forests
> > User1@domain2 wants to get access to his encrypted files on D: drive
> >
> > - Would it be possible to add User1@domain2 before migration of the WKS to the
> > other domain? (This would mean that decryption can be done by user1@domain1,
> > user1@domain2 and the EFS recovery agent)
> > - Is the only way to do this by decrypting all files, migrating, and then
> > starting a re-encryption with the new certificate of user1@domain2?
> >
> > Greetz,
> >
> > Mike
> >
> >
> Two alternatives exist...
> 1) You could proceed with the decryption and re-encryption...
> 2) Another way is to do the following:
> - Have the user export their existing EFS certificate to a PFX file
> - Move the account to the new forest
> - Have the user log on with the new credentials, creating the new user profile
> - Issue the user a new EFS certificate and have them encrypt a new file
> (establishing the new EFS certificate as the default EFS certificate). This
> certificate would be issued by the CA in the new forest
> - Import the old EFS certificate exported in the first step
>
> This configuration allows the user to open previously encrypted files (they
> have the private key needed to decrypt the FEK). Also, when they save the file,
> the FEK is re-encrypted with the user's new EFS private key.
>
> They can also run "cipher /U" at this point to update the user encryption key
> to their new encryption key against all files on the local drive.
>
> So to summarize.
> 1) export the user's current EFS private key (cipher /X)
> 2) move user and computer account to new forest
> 3) Log on with new account
> 4) Import EFS certificate into new account
> 5) cipher /U
>
> Brian
>
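The five-step procedure Brian summarizes, scripted out as an added example that is not part of the original thread or of any Microsoft documentation. It assumes Windows PowerShell with the PKI module on the migrated workstation, placeholder paths (D:\data, efs-domain1.pfx) and a lookup of EFS certificates by the Encrypting File System EKU OID; the Check phase at the top is the test a practitioner wants before starting, because cipher /X only succeeds when the EFS private key was issued as exportable. When it is not, which is what Mike reports, the Decrypt and Encrypt phases are alternative 1, the decrypt-before and re-encrypt-after path.

```powershell
<#
Added example, not from the original thread: EFS key migration across forests
following Brian's summary. Run -Phase Check and -Phase Export as user1@domain1
before the move, then -Phase Import as user1@domain2 once the account, the
workstation and a fresh profile exist in domain2. Paths, file names and the
EFS EKU lookup are this example's own assumptions. -Phase Decrypt / Encrypt
are the fallback (alternative 1) for keys that cannot be exported.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('Check', 'Export', 'Import', 'Decrypt', 'Encrypt')]
    [string]$Phase,
    [string]$PfxBase  = "$env:USERPROFILE\efs-domain1",   # cipher /X adds .pfx
    [string]$DataRoot = 'D:\data'                          # placeholder data tree
)

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

switch ($Phase) {
  'Check' {
    # Predicts the failure in Mike's environment: cipher /X needs an exportable key.
    Get-ChildItem Cert:\CurrentUser\My |
      Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
      ForEach-Object {
        # Exportable is reported for CAPI/CSP keys; CNG keys show blank here,
        # inspect those with "certutil -user -store My" instead.
        '{0}  NotAfter={1:d}  Exportable={2}' -f $_.Thumbprint, $_.NotAfter,
            $_.PrivateKey.CspKeyContainerInfo.Exportable
      }
    cipher /Y    # thumbprint of the key currently used for new encryptions
  }
  'Export' {
    # Step 1 (as user1@domain1): back up the default EFS certificate and private
    # key to a PFX; cipher prompts for the password that protects the file.
    cipher /X $PfxBase
  }
  'Import' {
    # Step 4a (as user1@domain2): encrypting any file enrolls a new EFS
    # certificate from the domain2 CA and makes it the default EFS key.
    $seed = Join-Path $env:USERPROFILE 'efs-seed.txt'
    Set-Content -Path $seed -Value 'seed'
    cipher /E $seed
    cipher /Y                       # should now report the domain2 certificate

    # Step 4b: import the old key so files whose FEK is wrapped with it still open.
    # (Without the PKI module: certutil -user -importPFX "$PfxBase.pfx")
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath "$PfxBase.pfx" `
        -CertStoreLocation Cert:\CurrentUser\My -Password $pw | Out-Null

    # Step 5: re-wrap the FEK of every encrypted file on local drives with the
    # new key; files on other machines or shares are not touched.
    cipher /U

    # Spot check: /C lists the certificates that can decrypt a given file.
    cipher /C (Join-Path $DataRoot 'report.docx')
  }
  'Decrypt' {
    # Fallback, before the move as user1@domain1: /S recurses, /A includes
    # files, /H includes hidden and system files. Data sits in plaintext on
    # disk until the Encrypt phase runs, so keep that window short.
    cipher /D /S:$DataRoot /A /H
  }
  'Encrypt' {
    # Fallback, after the move as user1@domain2; the first /E also enrolls
    # the new EFS certificate from the domain2 CA.
    cipher /E /S:$DataRoot /A /H
  }
}
```

Run the Check phase as the old account first; if every EFS certificate reports Exportable=False, skip Export and Import and use the Decrypt/Encrypt pair, which is the outcome Mike arrives at above.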