TrueCrypt and Windows EFS problem - Access Denied

Discussion in 'encryption problems' started by photolurp2, Sep 27, 2014.

  1. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    I am a brand new TrueCrypt user, and although I am old enough to know better, I went with the idea that if some is better than none, then more is better than some. I created an encrypted file-container, located on a Dynamic Disk (created by Windows). It is on an XP x64 machine. Being new to TrueCrypt, I moved files that were previously encrypted by Windows EFS, and located them on the TrueCrypt volume. I also right-clicked on most of the other files, and selected Properties>Advanced>Encrypt contents to secure data.

    Everything was fine until I rebooted. I could access all of the files in the container previously, but after I rebooted, I could only access the non-Windows Encrypted files. Basically if the filename is black, they would come right up, and if the filename is green (native Windows EFS), I would get access denied. I originally removed permissions beyond Administrator and SYSTEM. Thinking that may be the problem, I added back User, Group, or Built-in security principals, and all to no avail. I even took ownership. I can add or remove permissions, but if I try and un-check Encrypt contents to secure data, I get an access denied. I also tried moving these files to a FAT Jump Drive, thinking it would lose the encryption, but no such luck. Access denied again. General and Security are the only tabs that are displayed. As I said earlier, the non-EFS files do not have these problems.

    I know it was stupid, but I did not know any better. I am still learning. I am of the opinion that when I rebooted, Windows lost the file-container drive, as it was then un-mounted, and along with it, the encryption/security key. It seems to me kind of like when one re-installs an OS, and copies documents back to the HD, they are un-readable, as they cannot be de-crypted under Windows. I don't know if this is a Windows or TrueCrypt problem, or how to fix it.

    Bottom line is, what do I do to access these files? I get access denied on all files encrypted by Windows EFS, located on a TrueCrypt volume. Any help would be greatly appreciated.
     
    Last edited: Sep 27, 2014
  2. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    To simplify what I did, I first encrypted the files with Windows. I then began using TrueCrypt 7.1a, made a container, and moved the files encrypted by Windows onto the newly created TrueCrypt partition. I tried accessing the files, and there was no problem then. After I re-booted, that is when it happened. I re-mounted the TrueCrypt volume, and all of the files were still there. The problem is that I cannot access the ones that were encrypted by both TC and Windows. The ones that are only encrypted with TC opened fine. I think this is a combination Windows and TC problem, but I have no idea how to fix it. Any ideas?

    By the way, I read most of the posts in the first 10 pages of this site, listed under "encryption problems". I searched specifically for TrueCrypt problems. That was a lot of reading, but obviously no one has been as stupid as me. I cannot find any related posts here or anywhere else for that matter.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Wild guess: copy one of the Windows-encrypted files back to a non-TrueCrypt folder, and see if you can open it there.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    "I originally removed permissions beyond Administrator and SYSTEM"

    The EFS certificate is held in the user certificate store. They would not be available to Admin (assuming you're running standard user here?) Do you have recovery keys from when you set EFS up? Could you make those available to Admin? Can you access the user EFS certificate, export it, and import it into the Admin certificate store? Obviously, do you have backups of the original files?

    My sense is that this is nothing to do with Truecrypt, and a lot to do with messing with permissions once you'd encrypted. There is a specific mechanism you'd have to follow to share EFS encrypted files with other user accounts.
     
  5. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    Unfortunately, I get access denied. The only folder you can copy to is one created at the same level (i.e. in the same folder in which the file resides). I cannot move the files anywhere else.
     
  6. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    Most of my accounts are Administrators or the Administrator account. I am running Win XP Pro x64 SP2 (the kernel is essentially the same as WSVR2K3). Unfortunately, I did not set up recovery keys, and did not set up EFS. All I did was just right click a file or folder, and go to advanced properties, and selected encrypt contents to secure data. I do not usually do things so blindly on computers, but unfortunately, I did not do my homework first. I am at MMC Certificates for Current User, but I do not have any idea if this is the correct place, or which certificate I am after. Unfortunately, due to the sensitive nature of some of these files, I did not back them up as I should have.
    I think that you are correct that it has nothing to do with TrueCrypt, beyond the fact that when Windows reboots, the volume that TC created is un-mounted. After Windows restarts, I have to manually mount the TC container. I believe that Windows is treating this as a new computer, or a foreign drive, as far as EFS goes. I have restored the permissions beyond what are needed, and I did create and encrypt the files as the same user. I am going to do an experiment here. I will encrypt a regular file with Windows, leave the permissions the same, move it to the TC container, and reboot. That will at least answer a basic question. I will post back soon.
     
  7. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    OK, I re-created the problem to an extent. I created two different test files. One was encrypted with Windows EFS, the other not. I did not add any special permissions, nor did I take any away. I moved both test files to the TC container, and then rebooted. Now I am even more confused. I am able to access both files now.

    The strange thing is that the other files had what I thought should be the minimum permissions set: the current user (me) and System. I previously added the other permissions back, and it accepts the permissions, but I still get access denied when I try and open them. I am the owner, as I always have been. I also have tried clearing the selection for encrypt contents to secure data, but I get an access denied. If I am an Admin, the creator, and the owner, and can change permissions at will, why can't I access the files? I have done this with non-encrypted files for years, all with no problem. I suppose that permissions which are changed on encrypted Windows files have a different set of rules than non-encrypted files. What would you suggest the next thing I may try? Do I need to mess with the Certificates snap in? Remember, I have always been the creator/owner, and should theoretically have always had access to these files.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I've forgotten much of what I used to know about Windows :(

    But maybe you need to do the "take ownership" dance with them.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The EFS certificate is stored on a per user basis in the user's certificate store (I can't remember the access procedure to that store in XP, but I don't think that's terribly important - it's normally via MMC and a snap-in, and you should be able to see all the certificates you have, including the EFS enabled one that's created automatically when you do your first EFS encryption on the account). This is NOT available to any other user, whether they're admin or not.

    If you run as a different user at any time, or you modify the file permissions such that the user that has the certificate loses access to it, and the file is modified for any reason, then your file is effectively damaged. There is a logical problem in that whatever user is modifying the file MUST also be able to access the EFS certificate (which is ONLY available to the original EFS-certificate-owning user). As I say, there are specific procedures for sharing EFS files between users which involve some certificate swapping.

    I do not know whether you still have files you needed to recover but did not have backups for? Or is this now for interest?

    Any encryption system, whether it's Truecrypt or EFS, benefits from managing the recovery properly, whether this is Truecrypt headers, EFS recovery etc.

    Some while back, I did see an EFS recovery tool from elcomsoft.co.uk, which seems to have a trial incarnation ($150 otherwise). No idea whether this would work or not, I suspect not.
     
  10. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    I am the owner, but just to be sure, I previously changed ownership, and then returned ownership to myself. It did not help.
     
  11. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    Here is how it appears in the MMC snapin under Certificates Current User - Personal - Certificates:
    | Issued To | Issued By | Expiration Date | Intended Purposes | Friendly Name | Status | Certificate Template |
    |---|---|---|---|---|---|---|
    | W******** | W******** | 8/9/2114 | Encrypting File System | <None> | | |
    | W******** | W******** | 3/28/2108 | Encrypting File System | <None> | | |
    | W******** | W******** | 9/3/2114 | Encrypting File System | <None> | | |
    | W******** | W******** | 3/18/2111 | Encrypting File System | <None> | | |
    Anything here I can do?
    I believe that I did damage my inherent permissions by removing them, quite possibly. If I changed it to Administrator (not me), then no, I guess it would not work. Perhaps if it was Administrators, I would have thought I was included (being a member of Admins), but if I am understanding you correctly, my permissions did not propagate back to me after I removed my explicit permissions.

    Yes, I have been doing file recovery for over a week, and am still very hard at it. Due to the sensitive nature of some of these files, unfortunately, I did not back them up. I need to do this in the future once I have a better handle on TC. I would very much like to gain access to these files once again. I have a bad habit of sometimes renaming files from their original name to one that makes more sense, so looking for them without the correct filename is even more difficult.

    Yes, I will set up a recovery system for future potential problems.

    "Some while back, I did see an EFS recovery tool from elcomsoft.co.uk, which seems to have a trial incarnation ($150 otherwise). No idea whether this would work or not, I suspect not."

    I may try it eventually if I do not have any better luck, but my guess is that even if it does work, it would not let me restore anything for free.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    With EFS, it only cares about users, not about groups (such as Administrators). Obviously, that's not true for file permissions!

    The nice thing about Truecrypt is that backup is straightforward in one sense - just get yourself a removable hard drive and pop the whole file onto it. Off-siting is also possible that way without exposing it to the cloud.

    The system you use for these sensitive files obviously needs to be well protected - and preferably air-gapped. You do not want keystroke loggers getting at your strong password or exfiltrating your truecrypt file! You might want to consider bootable drives for this purpose, so that you have substantial confidence that the system is clean.

    Rather obviously, I take it you know of the importance of strong passwords on files which can be brute-forced offline.... just saying. I use diceware. Personally, I'd trust Truecrypt plus a really strong password rather than adding EFS complexity to the mix. Subject of course to the results of the audit which will hopefully be published soon.

    PS - I see that you have multiple certificates that can be used for the EFS encryption/decryption - are you sure that the "right" one is active? You can have as many certificates as you like, suitable for EFS, but it will by default only use one!
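
    The check discussed in the posts above (which certificate a file was encrypted for, and which one the account currently uses), as an added example that is not part of the original thread. It assumes efsinfo.exe from the Windows Support Tools is installed and on the PATH; the script name efscheck.cmd and the backup file name are hypothetical.

```bat
@echo off
rem Added example, not from the thread. Usage: efscheck.cmd "X:\path\file.ext"
rem Assumes efsinfo.exe (Windows Support Tools) is on the PATH.
rem The script name and the backup file name are hypothetical.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 "path\to\encrypted-file"
    exit /b 1
)
if not exist "%~1" (
    echo File not found: %~1
    exit /b 1
)

echo === Certificates this file was encrypted for ===
rem /U lists the users who can decrypt the file, /R the recovery agents,
rem /C adds the thumbprint of each certificate involved.
efsinfo /U /R /C "%~1"

echo.
echo === Certificate EFS currently uses for this account ===
rem CertificateHash holds the thumbprint of the account's current EFS
rem certificate, the one used when this user encrypts a new file.
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys" /v CertificateHash

echo.
echo === Back up the certificate and private key used for this file ===
rem cipher /x:file exports the current user's certificate(s) used to encrypt
rem that file, together with the private key, into a .PFX. It prompts for a
rem password to protect the .PFX; keep the result off this machine.
cipher /x:"%~1" "%USERPROFILE%\efs-key-backup"
endlocal
```

    Compare the thumbprint reported for the file with the Thumbprint field on the Details tab of each certificate in the Certificates snap-in; the matching certificate is only usable if its General tab states that you have the corresponding private key.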
     
  13. photolurp2

    photolurp2 Registered Member

    Joined:
    Sep 27, 2014
    Posts:
    8
    As far as passwords go, I download hundreds of thousands of character combinations and select small, random snippets from about half a dozen algorithms from random.org. My password is even password protected. I can't wait for the audit to come out. See, I did not make those certificates on purpose. I don't know when they got there.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Given you've downloaded the character combinations on the internet, you must assume that your adversary has those sequences, and given that the random IVs you have got may also have been compromised - depends how paranoid you are and how much you trust your own government and those of charming allies.

    Which is why I'm much more comfortable rolling physical dice in the comfort of a technology-free room when I create my diceware passwords. The blighters have to cope with good old entropy then, there is zero internet or system footprint. Because I'm a good typist, I much prefer (and can easily remember in my head) a restricted number of master passwords - which of course I will reveal if coerced! Remembering random sequences of characters I find hard, but each to their own.....

    As far as the bulk of "regular" needs for passwords is concerned, I just use Lastpass.
     