Help with EFS

Thank you all for the interesting thread.

By the way, David, microsoft.public.security.crypto is not in my news
server, sorry.

Patrick Keenan wrote:


Yes. And at that point, it'd be a good idea to update the exported
credential disk.


While it is everything you all said enough clear, this point leave me a
doubt. I have tried exporting private key with the option "delete after
successful exportation", after this, successive exports are not
available, so I would ask what exactly you meant.

In fact, it is not clear, if the OS deletes private key after the
export, my doubt can be formulated such way (I am not saying it is not
my fault if I have still doubts): it can still decrypt the files
(without logging out, or changing password, or removing disks and so
on...) so that key should be somewhere else on the system... so what it
deleted?
In another words, ff "all the necessary stuff for decryption (whatever
this is)" remains on disk after removing that key after export, this
"necessary stuff" is still there if the disk is physically stolen... or not?


The same will happen if you boot with a Linux password-reset tool and change
it that way.

In fact, I am now a bit more secure about the disks removed without consent.
I do know utilities for resetting passwords with a physical disk with
installed Windows, but I do not know if there are similar programs for
virtual Windows installations over some *nix machine as many economic
ISP do for hosting.


I'd like to say it's great to hear that you are trying this out for yourself
on an expendable system rather than on real data.

(that site is core of company, that was obvious for good common sense
first...)


As to floppies - yes, XP wants to export to floppies, get a $20 external USB
floppy drive. It's a handy tool to have around.

That was humorous, I meant every site I visited (before this newsgroup)
said: store the key in a floppy, instead of "in a safe place" (an usb
key for example).


You need to continue to test so you understand what's happening, and examine
privacy legislation in your area to see what is legally required and what
other companies do to comply with it. You also need to deal with the
physical access issue, as well as secure and current backups. Be sure
you can restore them to another system.

Actually it is easy that the legal requirements are different from
technical ones, so when I am sure of a work I leave details to the
company lawyer. I mean, if I can be sincere, I do not care so much of
the LEGAL stuff, in front of the ILLEGAL stuff, like corrupt ISP
employess lending disk images to another company, laptops with sensitive
data forgotten on a taxi, or sold and found on ebay...

So I think it is a lucky thing my new comapny choose an economic ISP
without automated backup service, otherwise even if I encrypt now, maybe
old unencrypted backup copies still exist somewhere in the ISP building!
(better than nothing, for a thief)

As for recovery, I never meant to rely of EFS for it. I backup data
unencrypted and I crypt them with third part utility, I trust more, not
for the raw level of encryption, but for these many dark details we are
discussing here.
EFS is just the first tool I wanted try for protection "on the fly", if
the original disk is stolen or destroyed it is not a big issue using a 2
day old backup, compared with the disclosure of the database content.


Again, thx to all.

snipped

h128 wrote:
snipped
By the way, David, microsoft.public.security.crypto is not in my
news server, sorry.

For Microsoft related newsgroups - you should likely point your newsreader
to news.microsoft.com or msnews.microsoft.com (as the server.) It's your
best choice for reading Microsoft Newsgroups.

http://www.microsoft.com/communities.../nntpnews.mspx

Good Luck!

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html