Troubleshooting

Many of the issues with EFS-encrypted files boil down to one: encryption keys must be archived. Without a valid private key from a key pair used to encrypt the FEK, file decryption is impossible. If a recovery agent exists, then its keys may be used to recover the files, but the existence of recovery agent keys cannot be assumed.

Other issues with encrypting files include those that result from not understanding how EFS works (for example, system files cannot be encrypted, and password resets in Windows XP Professional and above prevent the user from decrypting files he has encrypted), access denied errors during antivirus scans (the antivirus product can only check the files that are encrypted by the logged-on user), and changes in encryption strength. (If a file is encrypted on XP Professional Service Pack 1, AES is used; you cannot decrypt it on a Windows 2000 system.) Additional reasons for problems include the following:

- A profile is overwritten and the user's encryption keys are no longer available.
- Sysprep is used on a production machine and EFS is re-enabled or keys are changed, so they can no longer be used to decrypt encrypted files.
- Autoexec.bat gets encrypted, and because it is needed before logon, the logon process hangs.
- A dual-boot machine is used, so the user loses access to encrypted files when logged on to a different OS than the one used during encryption.
- Encrypting the temporary folders of some applications can result in the application not starting.
- Mandatory profiles cannot store encryption keys, so access to encrypted files is lost when the user logs off and logs back on again.
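Because nearly every problem above traces back to a missing private key, the one control that matters is archiving the user's EFS certificate and key before a profile is overwritten, reset or sysprepped. The following PowerShell script is an added example, not part of the original text; it assumes Windows 8 / Server 2012 or later (for the PKI module's Export-PfxCertificate), and the backup directory and sample file path are assumed values.

```powershell
# Added example: archive the current user's EFS certificate(s), private key included,
# to a password-protected PFX, then confirm a file really carries the EFS attribute.
# Assumes Windows 8 / Server 2012 or later (PKI module) and a writable $BackupDir.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"
$BackupDir = 'D:\efs-key-backup'        # assumed location; keep the archive on offline or removable media

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# EFS certificates live in the user's personal store. Only a certificate whose
# private key is present (and exportable) can actually be archived.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found: this user has not encrypted files, or the keys are already gone.'
    return
}

foreach ($cert in $efsCerts) {
    $out = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    # Export-PfxCertificate throws if the key was marked non-exportable; that case
    # needs a recovery agent, which (as the text notes) cannot be assumed to exist.
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
    Write-Output ("Archived EFS certificate {0} (expires {1}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, $out)
}

# Sanity check: the Encrypted attribute is set only when EFS actually protected the
# file, so a file the user believes is encrypted (or a system file, which never is)
# can be verified without attempting a decryption.
$sample = 'C:\Users\alice\Documents\secret.docx'   # assumed path
if (Test-Path $sample) {
    $attrs     = [System.IO.File]::GetAttributes($sample)
    $encrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
    Write-Output ("{0} encrypted with EFS: {1}" -f $sample, $encrypted)
}
```

The resulting PFX, imported on another machine or into a rebuilt profile with Import-PfxCertificate, restores the ability to decrypt files tied to that certificate, which is exactly what the overwritten-profile, sysprep and dual-boot cases above lose.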