
I am in the process of retiring an old Windows-integrated CA and bringing online a new, properly-configured one (several, actually). Most of our systems are unable to use EFS thanks to Group Policy... but due to some misconfiguration, a handful of domain users were able to autoenroll for EFS certificates. So far, none of the users are aware of any files they have encrypted, and searching through their files with cipher /u /n isn't finding anything... but I can't be sure that there are no encrypted files we have missed.

I must retire this CA soon, so I'll have to revoke the EFS certificates and ensure that EFS is totally disabled for those users. I really can't migrate the old CA to a new one either, for several reasons. So what are my options for shutting off EFS for those who may have been using it without losing their data?

ewall

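One way to get a more complete inventory than `cipher /u /n` alone, which only walks the local drives of the machine it runs on, is to look for the EFS `Encrypted` file attribute directly; it is visible on shares and redirected profiles too, regardless of whether the account running the scan can decrypt the file. The script below is an added example, not something from the original question; the root paths and report location are placeholders.

```powershell
# Added example (not from the original post): inventory files carrying the
# EFS "Encrypted" attribute under the given roots and write a CSV report.
# Run elevated for the broadest view; the roots below are assumed placeholders.
param(
    [string[]]$Roots  = @("C:\Users", "\\FILESERVER01\Home$"),   # assumed paths
    [string]$Report   = (Join-Path $env:TEMP "efs-inventory.csv")
)

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing root: $root"
        continue
    }
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        # The attribute check needs no access to the file contents or the EFS key.
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            # Owner tells you which user's certificate (or a DRA) is needed to recover it.
            $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
                     catch { "<unreadable>" }
            [pscustomobject]@{
                Path          = $_.FullName
                Owner         = $owner
                SizeBytes     = $_.Length
                LastWriteTime = $_.LastWriteTime
            }
        }
}

$results | Sort-Object Owner, Path | Export-Csv -LiteralPath $Report -NoTypeInformation
"{0} encrypted file(s) listed in {1}" -f @($results).Count, $Report
```

Group the report by `Owner` to match files to the handful of users who autoenrolled; a file owned by an account outside that list is worth a closer look, since someone other than the owner may have encrypted it.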
2 Answers


At first I thought that you would want to create a Domain Recovery Agent. Then I was reminded (and I cannot confirm this) that I believe a DRA is only good for recovering encrypted files that were encrypted after the agent was created. Also, revoking the certificate might complicate matters some. Nonetheless, consider what you can do with the Domain Recovery Agent.

It does, however, appear that you have done everything that is reasonable to discern if any files have been encrypted. Get the list of all users that have had certificates issued to them, make sure they understand what is about to happen, get them to sign documents that acknowledge the situation and have it witnessed by a manager. Then, pull the pin and let the old CA float out to sea.

Wesley
  • You can bet I'll have an EFS recovery agent at the ready. Also, I just learned how I can continue to [publish the CRL of the decommissioned CA post-posthumously (as it were) through CRL re-signing](http://technet.microsoft.com/en-us/library/cc782041(v=ws.10).aspx), which might make users feel better about decommissioning the CA. – ewall Aug 15 '11 at 19:29
  • Aha! CRL re-signing sounds purdy dern cool. I was wondering if you could carry on the spirit of the dead CA in some way. – Wesley Aug 15 '11 at 19:32

Further research revealed that the EFS certificates will continue to read any encrypted files as long as the user has the cert... even if the certificates are revoked and the CA is decommissioned.

What the users cannot do after the certs are revoked is (re-)encrypt any files... which we don't want them to do anyway.

Thus I didn't have to use CRL signing or any other tactics to keep the old CA on life-support; it is now fully decommissioned and the users (and any files they might have encrypted before) are intact.

(P.S. I may eventually have an issue if those user accounts need to be migrated to another domain in the forest, as the old EFS certs might not be migrated...)

ewall
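Since decryption keeps working only for as long as each user still holds the certificate and its private key, the practical safeguard before (and after) the CA goes away is to back those up. The script below is an added example, not from the original answer; it runs in the affected user's own session, picks out certificates in the personal store whose EKU includes EFS (OID 1.3.6.1.4.1.311.10.3.4), and exports each as a password-protected .pfx to an assumed backup folder.

```powershell
# Added example (not from the original post): back up a user's EFS
# certificates with private keys so files stay recoverable after the
# issuing CA is decommissioned. Run in the user's own session.
$EfsEku    = "1.3.6.1.4.1.311.10.3.4"                          # EFS enhanced key usage OID
$BackupDir = Join-Path $env:USERPROFILE "efs-cert-backup"      # assumed location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString "Password to protect the exported .pfx files"

# Only certificates whose EKU list contains the EFS OID are relevant here.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }

if (-not $efsCerts) { Write-Warning "No EFS certificates found in CurrentUser\My"; return }

foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything; flag it.
        Write-Warning "$($cert.Thumbprint) has no private key and cannot decrypt files"
        continue
    }
    # Build a filesystem-safe name from the issuing CA's CN and the thumbprint.
    $issuer = (($cert.Issuer -split ",")[0] -replace "^CN=", "") -replace '[\\/:*?"<>|]', "_"
    $file   = Join-Path $BackupDir ("efs-{0}-{1}.pfx" -f $issuer, $cert.Thumbprint)

    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Issuer     = $issuer
        NotAfter   = $cert.NotAfter
        Backup     = $file
    }
}
```

The built-in equivalent is `cipher /x`, which exports the current user's EFS certificate and keys to a .pfx in one step; the script is useful when you want to see which certificates exist, which issuer they came from, and whether the private key is actually present before relying on them. Store the exports somewhere the user's profile loss would not also take away, and treat the .pfx password as you would the key itself.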