
The EFS encryption uses a user certificate, generated with the user's username and password, to encrypt the files so that only that user can access them. My question is this:

Can you export user certificates remotely (using PowerShell), authenticating with the NTLM hash of that user?

If so, does that user have to be logged on?

It is a domain environment, and said user would be a standard domain user.

Guesttt
  • 31
  • 1
  • 2

1 Answer

1

The cert's private keys are protected by DPAPI, which uses the user's password as part of the KDF. That means that NTLM will not work, as the actual password never ends up on the remote host. https://msdn.microsoft.com/en-us/library/ms995355.aspx?f=255&MSPPError=-2147217396

You can export the certificate, but not the private key.

markgamache
  • 153
  • 5
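The practical consequence of the answer above is that an EFS private key is only usable from inside the owning user's own logon session, where DPAPI can unwrap it. From a defender's side, the useful check is therefore an inventory: which EFS certificates exist in a user's personal store, whether they carry a private key, and whether that key is marked exportable (an exportable key is the one that needs a backup and a non-exportable policy where the organisation wants it). The following PowerShell is an added example, not code from the question or the answer; it assumes it is run in the user's own session on Windows with .NET 4.6 or later, and the `$efsOid` value is the standard Encrypting File System EKU identifier.

```powershell
# Added example: inventory EFS certificates in the current user's personal store
# and report whether each private key is present and marked exportable.
# Runs only in the user's own logon session, because that is where DPAPI can
# unwrap the key; run from another account, HasPrivateKey/Exportable tell you nothing.

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificateReport {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        # EnhancedKeyUsageList is a property the Cert: provider adds to each X509Certificate2
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsOid }
    } | ForEach-Object {
        $cert = $_
        $exportable = 'n/a'
        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG-stored key: export policy lives on the underlying CngKey
                    $policy = $key.Key.ExportPolicy
                    $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP-stored key: the container info carries the flag
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch {
                # DPAPI could not unwrap the key for this session (wrong user, or key missing)
                $exportable = 'unknown (key not accessible)'
            }
        }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
        }
    }
}

Get-EfsCertificateReport | Format-Table -AutoSize
```

Certificates that show `HasPrivateKey = True` are the ones whose loss would make that user's EFS files unrecoverable, so this list is the input to a key-backup routine (the built-in `cipher /x` exports the current user's EFS certificate and key to a password-protected .pfx) and to a decision about whether a domain recovery agent certificate is in place.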