7

I have some files that were encrypted on a now extinct Windows 7 system. I made sure to back up my keys; this one is called efs.pfx. Double-clicking it launches the Certificate Import Wizard, which places it in the Current User > Personal store. But now when I try to select it for decryption using the EFS Rekey Wizard (rekeywiz.exe) I get this error on the final step: The EFS Rekey Wizard encountered an error and cannot continue: The requested operation is not supported.

I saw this notification while it was in that store: This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store.

So I moved it to the mentioned store, where things looked better: Allows data on disk to be encrypted

However I still get the same error in rekeywiz regardless of which certificate store it's in.

I can see the encrypted files in Windows Explorer, but double-clicking them opens them as empty files or throws errors:
user does not have access privileges

I practiced deleting the certificate to make sure I could not read the files' contents, and importing the certificate to make sure my read access was restored. This worked well, and I can't imagine that this is the wrong key (the backup is literally named efs.pfx). I don't remember having to use the Rekey Wizard when I practiced this on Windows 7. Also, I never tested this after upgrading to Windows 8 or 8.1. I think this might not be an "upgrade" but a clean install, as I remember a problem trying to transition my 8.1 Preview system (which was probably the last in a series of in-place upgrades dating back to Vista) into the final build. I don't see why this would matter, but I hope it helps cover any questions.

How can I decrypt my files?


Update

As suggested in the comments, I tried moving files to a different location. At first I was denied access saying I needed permission from the entity in the following picture: File Access Denied

I looked at the Advanced Security Settings Properties tab and saw that the owner was the same entity, so I took ownership of the file and allowed myself full control.

Strangely, I get the same error when now trying to move the file, only I require permission from myself: File Access Denied

Update #2

When I look at an encrypted file's properties in General > Advanced > Details > User Access, I can see which certificate is allowed to view the contents and its thumbprint: User Access to...

I've verified that this is the same certificate I backed up and installed into my certificate store: Certificate Thumbprint

Louis Waweru
  • The last error seems like an NTFS permission error. Did you try to copy the file to somewhere else or set proper permissions, then do the decryption? Does it work? – lex Jul 18 '15 at 08:27
  • Hi @Chris.C, thanks. I've updated the question to show what happens when trying your suggestion. – Louis Waweru Jul 22 '15 at 19:23
  • Try http://superuser.com/questions/444055/cascade-ownership-and-security-permissions-windows-7 to set proper permissions for the files. – lex Jul 23 '15 at 05:25

1 Answer

5

It turns out that all I had to do was uncheck Enable strong private key protection in the Import options:

Certificate Import Wizard

After that I could read the files just fine.

The actual problem seemed to be that checking that option doesn't work for my situation.

Louis Waweru
  • OMG. You are a lifesaver. I've been troubleshooting this problem for days, just knowing I had the right certificates and everything backed up correctly. Thank you soooo much for taking the time to update this post. You saved me!!!!! – StatsStudent Mar 07 '17 at 02:37
  • @StatsStudent Glad it helped! I know it's no fun running into this sort of problem. – Louis Waweru Mar 07 '17 at 04:00
  • How in the world did you figure this out? I searched everywhere on the internet for a solution and all the Microsoft solutions were just terrible. I tried for days and couldn't find this. I'm surprised there's not more documentation on this (or maybe there is and I just couldn't find it?). Anyway, I'd love to know how you finally figured this out. And lastly, do you have any idea why having that checked caused this problem? If I could tip you or buy you a virtual beer I would! Cheers! – StatsStudent Mar 08 '17 at 02:36
  • @StatsStudent Altered state for sure. – Louis Waweru Jul 07 '21 at 02:18
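
The import and the thumbprint check from the question can also be scripted, which avoids the wizard checkbox entirely. This is an added example, not code from the original poster; the two paths are placeholders, and it assumes that `Import-PfxCertificate` stores the key without the strong-protection prompt and that `cipher /c` prints thumbprints in space-separated groups.

```powershell
# Added example, not from the original post. Both paths are placeholders.
param(
    [string]$PfxPath       = "$env:USERPROFILE\efs.pfx",
    [string]$EncryptedFile = 'C:\Recovered\example.txt'
)

# Import into Current User > Personal. No wizard is shown, so there is no
# "Enable strong private key protection" checkbox to leave ticked (assumption:
# the cmdlet stores the key without that per-use prompt).
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1

# EFS needs the private key, not just the public certificate.
if (-not $cert) {
    throw "No certificate with a private key was imported from $PfxPath."
}

# cipher /c lists the certificates allowed to decrypt the file, recovery
# certificates included. Thumbprints are printed in space-separated groups
# (assumption), so strip all whitespace before comparing.
$cipherText = ((cipher /c $EncryptedFile) -join '') -replace '\s', ''
$thumbprint = $cert.Thumbprint.ToUpperInvariant()
if ($cipherText.ToUpperInvariant().Contains($thumbprint)) {
    Write-Output "Thumbprint $thumbprint is listed on the file."
} else {
    Write-Warning "Thumbprint $thumbprint is not listed on this file."
}

# EFS decrypts transparently on read, so opening the file succeeds only if the
# private key is actually usable by this account.
try {
    $stream = [System.IO.File]::OpenRead($EncryptedFile)
    $stream.Dispose()
    Write-Output 'File opened: the EFS private key is usable.'
} catch [System.UnauthorizedAccessException] {
    Write-Warning 'Access denied: the certificate matches but the key is not usable.'
}
```

A matching thumbprint combined with the access-denied warning is the situation described in the question: the right certificate is installed, but EFS cannot use its private key.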