Summary: The Windows encrypting filesystem ensures that only you can access your files. However, if you lose your login account, you could have a serious problem.
My gut reaction? You are so screwed. Sorry to be so blunt, but what you're experiencing is one of the major drawbacks of Windows' built-in encryption. I'll throw out one straw to grasp at, but then I'll explain why this happened in the first place.

Here's my one straw to grasp at: if this were my machine I would restore it to its original configuration. By that I mean remove the new drive and set the old drive to once again be the only drive and boot off of that. If the drive hasn't been altered, then you may be able to log in with your old account and access your encrypted files. If it turns out you can access them, then back them up. Now. More on that in a second.
If not, things get much more complicated, and I'm not at all hopeful that you'll be able to recover. Have your boyfriend or a technician check out the Microsoft information on the encrypting file system, paying particular attention to the section on recovery. It's highly unlikely, but if the correct encryption keys can somehow be recovered there's a slim chance. A very slim chance. The greater chance is that you're SOL: Severely Out of Luck.

So why is that? What happened? The key, both literally and figuratively, is that when files are encrypted in Windows using the encrypting file system they use cryptographic keys that are associated with the login account that created them. So if I'm logged into my machine with a user account "Leo" and mark some files as encrypted, then those files can only be decrypted when I'm logged into that "Leo" account.

The gut reaction when the login account disappears or is somehow inaccessible is to create a new account with the same name. In other words, if my "Leo" login account disappeared, I'd just create a new account with the same name. Doesn't work. You can create the account with the same name, but it will not be able to access the files encrypted under the previous account named "Leo". Even though they have the same name, they are still two different accounts. The cryptographic information associated with each is different. If the cryptographic information for the account that created an encrypted file has been lost, then there's simply no way to recover the data. You're SOL.

I know that you used encryption on a lark, and that's fine. Presumably this has been an "interesting" lesson learned. For those that really are looking to encrypt data, the problems that I've described here are reasons that I never recommend using the encrypting file system. It's simply too easy to inadvertently lose your data. In my opinion it also doesn't really provide all the security you may think. Anyone can walk up to your machine while you're logged in and access your data, encrypted or not. That may be enough and you may handle your physical security in such a way that that's not a risk, but it's easily overlooked.

My recommendation is a tool like TrueCrypt. You can set up virtual drives containing encrypted data that you use just like any other drive or filesystem. The encryption is tied only to a password or passphrase - as long as you have that you can recover your data, no matter what machine it's on or where it's located. TrueCrypt also supports auto-dismount under various circumstances that can protect against the walk-up access I mentioned above.

If you do end up using the encrypting file system, make sure to understand and follow the recommendations for backing up the cryptographic keys. With those keys it should be possible to recover encrypted data.

Lastly, and speaking of backup, all of this could have been a non-issue if you had been backing up your data regularly. Imagine if your hard drive had simply and irreparably died. Encrypted or not, all your data would be lost. Unless, of course, you had a backup copy of it all.
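
One way to follow the key-backup advice above on a current Windows system with the PKI PowerShell module, as an added example that is not part of the original article: it counts the files that depend on the logged-in account's EFS key, then exports that account's EFS certificate and private key to a password-protected PFX. The backup folder `E:\efs-backup` and the scanned Documents folder are assumptions; adjust both.

```powershell
# Added example: back up the current account's EFS certificate and private key.
# Assumed values (not from the article): backup folder and folder to scan.
$BackupDir = 'E:\efs-backup'               # assumption: removable or offline media
$ScanRoot  = "$env:USERPROFILE\Documents"  # assumption: where encrypted files live
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'      # "Encrypting File System" enhanced key usage

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Count the files that become unreadable if this account's key is lost.
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Attributes Encrypted `
                   -ErrorAction SilentlyContinue)
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $ScanRoot

# 2. Find this account's EFS certificates. They live in the user profile,
#    so a new account with the same name starts with none of them.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
})
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate in this account; nothing to back up.'
    return
}

# 3. Export each certificate together with its private key.
$password = Read-Host -AsSecureString 'Password to protect the PFX backup'
foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        # Certificate without its key cannot decrypt anything.
        Write-Warning "$($cert.Thumbprint): private key missing, skipped."
        continue
    }
    $pfx = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
    "Exported $($cert.Thumbprint) (expires $($cert.NotAfter)) to $pfx"
}

# 4. Show which certificate thumbprints one sample file is encrypted to,
#    so the backup can be matched against the files it protects.
if ($encrypted.Count -gt 0) {
    cipher /c $encrypted[0].FullName
}
```

Keep the PFX and its password off the machine that holds the encrypted files; importing the PFX into a new account's certificate store is what restores access.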
Recent Comments

I ran into a situation similar to this as well. My solution was to use a Linux boot disk to copy the files from the encrypted drive. The only downfall was Linux can read from an NTFS drive but not write to one. Not a big problem for me because my files were not that large and I was able to use a flash drive with FAT. May be a problem with this situation since the majority of the files are music and pictures!
Posted by: cpsulli at October 25, 2007 01:24 PM

Actually, newer Linux distributions can write to NTFS. (I did so just last week.) However, I don't see how Linux could read the encrypted filesystem. (Or is the filesystem not encrypted, and only the files themselves are? In which case, all you can do is read the raw, encrypted data from the files.) Linux can't decrypt the data without the key any more than Windows can.
Posted by: Ken B at October 26, 2007 06:55 AM

"Have your boyfriend or a technician check out the Microsoft information " My goodness Leo, I am normally not sensitive about such things, but this certainly seems to be a sexist comment. Why does one have to be male to understand Microsoft information? Is it written in a secret (male) language? On the whole, I enjoy your site and find it informative and interesting.
Posted by: Judith Currier at October 27, 2007 04:16 AM

Judith, he suggested she ask her boyfriend because in her letter she wrote if this involved

Actually I have encountered the same problems before. I use the knowledge from NT Server 4 to perform on the Windows XP Pro with the old system drive as the slave. You only have to reassign the encrypted files rights back to the system. Once the files are owned by the system, create a new user and reassign all the files right to that new user. Login as that new user and you are already accessing your files!
Posted by: ena at October 27, 2007 03:36 PM

There is a method that you did not even suggest and it is so simple that you would freak. True security on any computer is very difficult to achieve (not impossible). You can talk to the security experts to find out how simple it is.