0

Reading the fine manual, I can copy and/or export all the required credentials to another Windows machine for import after exporting:

Figure 1: Exporting the Encrypting File System key

Right-click the certificate that you want to export, point to All Tasks, and then click Export, as shown in Figure 1. The Certificate Export Wizard opens.

Read the explanatory text on the first page of the wizard, and then click Next.

On the next page of the wizard, under Do you want to export the private key with the certificate?, select Yes, export the private key. This is important, because the private key is what you want to back up and delete in this process. Click Next.

then should be able decrypt files once the .pfx or PKCS#12 file is created?

These steps above can only be accomplished from Windows? My inclination is to use another Windows machine to export keys, just on the off chance there's a problem with the OS itself. I was going to mount a clone of the hdd with encrypted data from a known working OS.

The certs are self signed, not associated with a domain. Previous attempts with cipher.exe failed to decrypt, so starting over from step zero.

Rather than running rekeywiz.exe I'd like to export from another, external, machine.

see also:

http://www.hackingarticles.in/encrypting-file-system-efs-tutorial-beginners/

https://answers.microsoft.com/en-us/windows/forum/windows_vista-system/i-can-not-recovery-my-photoes-encrypted-by-efs/5ecb596e-a131-4707-8dba-e17881015809

How can I export a certificate from MMC as a PFX file?

Thufir
  • 1,808

1 Answers1

1

If the EFS key was automatically generated when you encrypted a file for the first time, you essentially must be logged on to the computer as the user that owns the key if you want to export the private key. (While being stored in the Personal key store, the key material is protected by a somewhat complex mechanism involving the user's password.) Therefore, you will almost certainly need to use certmgr.msc from within the original Windows environment. You don't need to delete the private key when exporting if you don't want to. If there is a tool that can navigate the stored key protection and get a PFX, though, that should work too.

Once you get the certificate/key exported, you can import the PFX into a different Windows installation, again using certmgr.msc. After the key is imported, your account on the new machine will be able to decrypt EFS files that were encrypted for that certificate. You can compare the thumbprint in the certificate details to that shown by cipher /c on an encrypted file to make sure you're exporting the correct key.

Ben N
  • 42,308