Anti-Spyware Forums

How to Copy EFS(encrypted) Files....

 
 
kea
Guest
Posts: n/a

 
      06-12-2005, 06:56 PM
Very good info and I will do some more reading. I am not concerned with how
it goes over the wire at all. I am concerned how it lands.
If I do any kind of copy, yes the file shows as Not Encrypted. But if I use
NTbackup, and create a backup file from one machine to another, and
restore the files to the new machine, the files maintain their encryption. I
am not concerned that they cannot be opened as I have something to migrate
the cert.

I want to copy files without them landing decrypted on the new machine.
Workstation to Workstation that is. If you do a copy and allow the
decryption then the copy takes an hour per gig almost. It should be a few
minutes.
I will do some more research.

Again if I copy and paste files from one workstation to another, XP to XP,
the file is decrypted. Perhaps you are saying that WebDav can help?
I may play around with it.

Thanks
 
David Davis
Guest
Posts: n/a

 
      05-01-2006, 01:17 AM
WebDav simply provides a means by which you can secure the transmission via
SSL. Really the only way to move the files across the wire without having
them decrypted and re-encrypted is using an imaging software such as Symantec
Ghost. By imaging the file you are not actually "opening" the file thereby
leaving it intact. Also for the key export you may want to consider using the
Cipher /R command to export the key to an importable .pfx file. It is built-in
functionality within XP.
--
David Davis [MCSE, CCNA, Security +]

Paul Adare
Guest
Posts: n/a

 
      05-01-2006, 09:40 AM
In article <(E-Mail Removed)>, in the
microsoft.public.security news group, David Davis
<(E-Mail Removed)> says...

> WebDav simply provides a means by which you can secure the transmission via
> SSL.
>


This actually is not true. The benefit of using WebDAV to transfer EFS
encrypted files to a remote server is that the files are copied in their
RAW, fully encrypted format. This is why when you use WebDAV you won't
see a profile created on the remote system for the user doing the
copying and is also why the WebDAV server doesn't need to be trusted for
delegation. The main problem with using WebDAV is that unless you're
using roaming user profiles or DIMS, the user will only be able to
decrypt files on the WebDAV server from the computer that they
originally copied the files from. That will be the only computer that
has the user's certificate and key pair on it.

This behaviour will change with Vista and Longhorn. With that
combination you will not need WebDAV. All encryption and decryption will
occur on the client side even when using CIFS shares.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Ca·nadi·an (k-nd-n) adj. & n.
n: An educated, unarmed American with health care.
 
David Davis
Guest
Posts: n/a

 
      05-01-2006, 01:12 PM
Unless I am missing something here:
http://www.microsoft.com/technet/sec.../efs.mspx#EJAA

Under the section: Remote Storage of Encrypted Files Using SMB File Shares
and WebDAV

It states: "If encrypted files are going to be stored on a remote server,
the server must be configured to do so, and an alternative method, such as IP
Security (IPSec) or Secure Sockets Layer (SSL), should be used to protect the
files during transport."

This implies that, during transport, files are still decrypted. Using WEBdav
allows remote users to "access" encrypted files over the web via
authentication.

However, if you have different documentation please forward to me. It is
definitely worth confirming which scenario is true.

--
David Davis [MCSE, CCNA, Security +]

Paul Adare
Guest
Posts: n/a

 
      05-01-2006, 01:41 PM
In article <(E-Mail Removed)>, in the
microsoft.public.security news group, David Davis
<(E-Mail Removed)> says...

> Unless I am missing something here:
> http://www.microsoft.com/technet/sec.../efs.mspx#EJAA


While hosted on a Microsoft web site, this article was not written by
Microsoft. While I have a lot of respect for Roberta you need to keep
this in mind.

>
> Under the section: Remote Storage of Encrypted Files Using SMB File Shares
> and WebDAV
>
> It states: "If encrypted files are going to be stored on a remote server,
> the server must be configured to do so, and an alternative method, such as IP
> Security (IPSec) or Secure Sockets Layer (SSL), should be used to protect the
> files during transport."
>
> This implies that, during transport, files are still decrypted.


This only applies to CIFS/SMB and not WebDAV regardless of the section
heading.

> Using WEBdav
> allows remote users to "access" encrypted files over the web via
> authentication.


No, you're not understanding how the WebDAV protocol works here nor how
it works with EFS.

Try this simple experiment. Encrypt a file locally and then copy it to a
WebDAV share. Log on locally to the server hosting the WebDAV share as
the user who originally encrypted the file and try to decrypt it. You'll
fail to do so as unlike the CIFS/SMB scenario the file is not decrypted
and then re-encrypted at the destination, which causes a user profile to
be created on the remote server which contains the EFS certificate and
key pair used to perform the encryption on the remote SMB/CIFS server.

>
> However, if you have different documentation please forward to me. It is
> definitely worth confirming which scenario is true.


There's tons of documentation on EFS over WebDAV on the Microsoft web
site that will confirm how it actually works as opposed to how you think
it works.

Here's just one simple example:

http://www.microsoft.com/technet/pro...oy/cryptfs.mspx

or

http://tinyurl.com/576kx

In the EFS Enhancements in Windows XP and Windows Server 2003 section
read the fourth bullet from the bottom of the list.


--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
Ca·nadi·an (k-nd-n) adj. & n.
n: An educated, unarmed American with health care.
 
David Davis
Guest
Posts: n/a

 
      05-01-2006, 02:46 PM
Ok found it. I stand corrected. However there is still an inherent
limitation. EFS over WebDAV is limited to 400 MB file size. This is where I
was hitting a wall, I was attempting to move some OS image files as a test
that are 1 gig plus.

There does still seem to be some latency inherent when using WebDAV, it
should be faster than waiting for the decrypt / re-encrypt however it will
still be somewhat slow. As Kea will have to transfer the files to a WebDAV
location from the source machine and then turn around and download them to
the destination machine.

Thanks for the links. I pasted the verbiage below:

EFS with WebDAV Folders
The Windows XP client supports a new method for encrypting files to remote
servers through a protocol known as WebDAV. When the Windows XP client maps a
drive to a WebDAV access point on a remote server, files may be encrypted
locally on the client and then transmitted as a raw encrypted file to the
WebDAV server using an HTTP PUT command. Similarly, encrypted files
downloaded to a Windows XP client are transmitted as raw encrypted files and
decrypted locally on the client using an HTTP GET command. The temporary
internet files location is used for intermediate transfer of the files using
HTTP where the WebDAV "proppatch" and "propfind" verbs are used to detect and
set the encrypted file attribute for Windows XP. Therefore, only public and
private key pairs on the client are ever used in encrypting files.

The WebDAV redirector is a new mini-redirector that supports the WebDAV
protocol for remote document sharing using hypertext transfer protocol
(HTTP). The WebDAV redirector supports the use of existing applications, and
it allows file sharing across the Internet (through firewalls, routers, etc.)
to HTTP servers. Both Internet Information Server (IIS) 5.0 (Windows 2000)
and IIS 6.0 (Windows Server 2003) support WebDAV folders known as Web
folders. The WebDAV re-director does have some general limits on the file
that may be transmitted using the WebDAV protocol. The actual limitation may
vary dependent on the amount of virtual memory available, but in general 400
megabytes is the maximum file size that may be used in Windows XP with EFS
over WebDAV.


--
David Davis [MCSE, CCNA, Security +]

Talon
Guest
Posts: n/a

 
      10-01-2006, 06:43 PM
All good info. But no answer to the problem unfortunately.
A file copy from 1 physical drive to another on the same machine maintains
encryption and does not apparently decrypt then re-encrypt.
This can be discerned by the fact that no additional time is measured on the
copy.
It is the same as a copy without encryption.
If I take a crossover cable between two Windows XP machines and perform an
xcopy or robocopy....
The files get decrypted and stay that way in the new machine until
re-encrypted.
I have the cert export and import done no prob.
ah well
Thanks all
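
A check for the outcome described in this thread, files that land decrypted after a copy between workstations: the PowerShell below is an added example, not part of any post here, and `Find-EfsDowngrade` and the paths in its usage comment are hypothetical names. It compares a source tree with its copy and reports each file that carried the EFS Encrypted attribute at the source but is missing or unencrypted at the destination.

```powershell
# Added example, not from the thread. Find-EfsDowngrade and the paths in the
# usage comment at the bottom are hypothetical names.
function Find-EfsDowngrade {
    param(
        [Parameter(Mandatory = $true)][string]$SourceRoot,
        [Parameter(Mandatory = $true)][string]$DestinationRoot
    )
    # NTFS file attribute set on EFS-encrypted files.
    $encrypted = [System.IO.FileAttributes]::Encrypted
    $srcFull = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath
    $dstFull = (Resolve-Path -LiteralPath $DestinationRoot).ProviderPath
    # Prefix used to turn each source path into a path relative to the root.
    $srcPrefix = $srcFull.TrimEnd('\')

    Get-ChildItem -LiteralPath $srcFull -Recurse -Force |
        # Only files that are encrypted at the source are of interest.
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band $encrypted) } |
        ForEach-Object {
            $relative = $_.FullName.Substring($srcPrefix.Length).TrimStart('\')
            $target = Join-Path -Path $dstFull -ChildPath $relative
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                $state = 'MissingAtDestination'
            } elseif ((Get-Item -LiteralPath $target -Force).Attributes -band $encrypted) {
                $state = 'StillEncrypted'
            } else {
                # The copy was decrypted in transit and written as plaintext.
                $state = 'LandedDecrypted'
            }
            [pscustomobject]@{ State = $state; Source = $_.FullName; Destination = $target }
        }
}

# Usage (hypothetical paths): list everything that did not stay encrypted.
# Find-EfsDowngrade -SourceRoot 'D:\Secure' -DestinationRoot '\\NEWPC\Migrate\Secure' |
#     Where-Object { $_.State -ne 'StillEncrypted' }
```

Files reported as `LandedDecrypted` remain in plaintext on the destination until they are re-encrypted there.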
 