How to decrypt removable storage files that a user encrypted with a password, using a certificate, when the user forgets the password or the password is lost?
Last Updated November 10, 2011
The goal is to be able to decrypt a removable storage file if the user forgets the password or the password is lost.
Follow the steps below to create a certificate for use during creation of the Removable Storage (RS) client package.
=>Install and configure a CA (Enterprise Root CA) on a Windows Server 2003 or 2008 server.
=>On the SEE Manager, generate and export a user certificate:
1. Launch MMC and add the Certificates snap-in for My user account.
2. Expand Certificates - Current User under Console Root in the left pane, right-click the Personal folder, then go to All Tasks -> Request New Certificate...
3. Select User as certificate type, click Next.
4. Give it a friendly name, click Next.
5. Verify the details at the last screen and click Finish.
6. By default, a Windows 2003 enterprise root CA is configured to issue a user certificate automatically upon receiving a request, so you should now see a Certificates folder under the Personal folder in the left pane.
7. Click the Certificates folder; in the right pane you should see the user certificate that was just issued.
8. Right-click the user certificate, go to All Tasks -> Export...
9. Select No, do not export the private key and click Next. The package only needs the public certificate to encrypt files; the private key stays on the SEE Manager.
10. Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B), then Next.
11. Give it a name and click Finish.
Now create the Removable Storage client package. In Removable Storage Installation Settings - Encryption Method, select A password or A password and/or one or more certificates.
In Removable Storage Installation Settings - Recovery Certificate, choose Encrypt files with a recovery certificate, then browse to and select the saved .P7B certificate.
In Removable Storage Installation Settings - Portability, check Copy the Removable Storage Access Utility to all removable storage devices.
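The same certificate request and .P7B export, scripted in PowerShell as an added example; this is not code from the Symantec article or from SEE. It runs as the SEE Manager user on a domain-joined host and uses certreq.exe (present on Windows Server 2003 and later) plus the .NET X509 classes, so it does not need the newer PKI module. The friendly name, working directory, CA config string and template name are assumptions; replace them with your own values (certutil -dump lists the CA config string).

```powershell
# Added example: request a user certificate from the enterprise CA and export its
# public half as a .P7B for the SEE Removable Storage package.
# Assumed values (not from the article): adjust to your environment.
$FriendlyName = 'SEE RS Recovery'
$WorkDir      = 'C:\SEE-Recovery'
$CaConfig     = 'ca01.corp.example\Corp Enterprise Root CA'   # from: certutil -dump
$Template     = 'User'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Request parameters. Exportable = TRUE matters: the later PFX export with the
# private key (the part that actually decrypts files) is impossible otherwise.
# The User template builds the subject from AD, so the CA may override Subject;
# FriendlyName is set locally and is what we look the certificate up by.
@"
[NewRequest]
Subject = "CN=$FriendlyName"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
FriendlyName = "$FriendlyName"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$WorkDir\recovery.inf" -Encoding ASCII

# Create the request, submit it to the CA, and install the issued certificate.
# A CA that auto-issues the template returns the certificate immediately; if the
# request is held for approval, -submit prints a request ID and -accept must be
# run once the certificate has been issued and retrieved.
certreq -new    "$WorkDir\recovery.inf" "$WorkDir\recovery.req"
certreq -submit -config $CaConfig "$WorkDir\recovery.req" "$WorkDir\recovery.cer"
certreq -accept "$WorkDir\recovery.cer"

# Locate the installed certificate and confirm the private key is attached to it.
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert)               { throw "Certificate '$FriendlyName' not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate was issued but no private key is attached' }

# Public certificate only (PKCS #7 / .P7B) for the package: no private key leaves
# the SEE Manager at this step, matching "No, do not export the private key".
$p7b = "$WorkDir\see-recovery.p7b"
[IO.File]::WriteAllBytes($p7b, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7))
"Thumbprint: $($cert.Thumbprint)"
"Recovery certificate written to $p7b"
```

Record the thumbprint that is printed: it lets you verify later that the .PFX you export and import is the same certificate the package was built with, rather than another certificate with the same friendly name.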
How to decrypt a file that the user encrypted with a password, using a certificate?
On the SEE Manager, open certmgr.msc and, under the current user's certificates, locate the certificate used to encrypt the file. Right-click the certificate > All Tasks > Export.
Click Next on the Welcome screen, choose 'Yes, export the private key', then click Next. The private key is required in order to decrypt the file.
Personal Information Exchange - PKCS #12 (.PFX) should be highlighted; click Next.
Enter and confirm a password. This password protects the private key: anyone who holds the .PFX file and this password can decrypt every file protected by this recovery certificate, so choose it and store the file accordingly.
Browse, select a location and give it a name and click Finish.
Steps to test decryption of a file using the certificate when a user forgets the password or the password is lost.
Install the Removable Storage client package created with the recovery certificate. After rebooting the client, plug in a USB/thumb drive and copy a file from the local drive of the machine onto the USB drive. Set a password for the file when prompted.
Note: if a default password is set, there will be no password prompt.
Now, on another machine (a non-RS client), plug in the same USB drive to access the file that was encrypted with a password.
Open the Removable Storage Access Utility; the file shows a red lock because it is encrypted.
To access the file, the .PFX certificate must be installed on that machine. Copy the .PFX file (saved on the server) to the non-RS client (the machine on which you are decrypting the file).
Install or import the certificate, enter the password, select 'Automatically select the certificate store based on the type of certificate' and click Finish.
Once the certificate is installed, open the Removable Storage Access Utility again; this time the file shows a yellow lock, which means you can access it.
This is only possible if, during RS client package creation, Encryption Method was set to 'A password' or 'A password and/or one or more certificates' and 'Encrypt files with a recovery certificate' was selected.
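The two halves of the recovery flow above (exporting the .PFX with its private key on the SEE Manager, and importing it on the non-RS client that holds the USB drive), as an added PowerShell example; this is not code from the Symantec article or from SEE. It uses only the .NET X509 classes so it works on the Windows versions the article targets. The function names, friendly name, paths and the thumbprint pin are assumptions; the thumbprint is the one noted when the .P7B was created.

```powershell
# Added example: export the recovery certificate with its private key to a
# password-protected .PFX (on the SEE Manager), and import it on the recovery
# machine with a check that a usable private key actually landed in the store.
# Function names and defaults are assumptions, not SEE or Windows APIs.

function Export-RecoveryPfx {
    param(
        [string]$FriendlyName = 'SEE RS Recovery',
        [string]$Thumbprint,                                   # optional: pin the exact certificate
        [string]$OutFile      = 'C:\SEE-Recovery\see-recovery.pfx'
    )
    $found = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.FriendlyName -eq $FriendlyName -and (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint)
    })
    if ($found.Count -ne 1)       { throw "Expected exactly one matching certificate, found $($found.Count)" }
    $cert = $found[0]
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; it cannot decrypt anything' }

    # This password is all that protects the recovery key once the file leaves this host.
    $password = Read-Host -AsSecureString 'Password to protect the PFX'
    try {
        $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    } catch [Security.Cryptography.CryptographicException] {
        throw "Private key is not exportable (was the request made with Exportable = TRUE?): $($_.Exception.Message)"
    }
    [IO.File]::WriteAllBytes($OutFile, $bytes)
    return $cert.Thumbprint
}

function Import-RecoveryPfx {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [string]$ExpectedThumbprint                            # optional: refuse any other certificate
    )
    $password = Read-Host -AsSecureString 'PFX password'
    # PersistKeySet keeps the private key container after the object is released;
    # without it the store entry can end up without a usable key and the utility
    # keeps showing the red lock. UserKeySet puts the key in the user's profile,
    # matching the article's per-user import.
    $flags = [Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $password, $flags)
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "PFX contains $($cert.Thumbprint), expected $ExpectedThumbprint"
    }

    $store = New-Object Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    # Verify from the store, not from the in-memory object, that the key is attached.
    $installed = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    if (-not $installed.HasPrivateKey) { throw 'Imported, but no private key is attached; decryption will fail' }
    return $installed
}

# Usage (assumed paths):
#   On the SEE Manager:      $tp = Export-RecoveryPfx
#   On the recovery machine: Import-RecoveryPfx -PfxPath 'D:\see-recovery.pfx' -ExpectedThumbprint $tp
#   then reopen the Removable Storage Access Utility; the file should show a yellow lock.
```

When the file has been recovered, remove the certificate and its key from the recovery machine (for example, certutil -user -delstore My <thumbprint>) and delete the copied .PFX, so the recovery key does not stay resident on a machine that is not the SEE Manager.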
Imported Document ID: TECH163363