COMMAND

    EFS

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Alan Ramsbottom found the following.  The UK is likely to get
    legislation that, amongst other things, can require a defendant to
    prove they don't possess a decryption key for encrypted material:

        http://www.fipr.org/rip/index.html

    Proving negatives is a little tricky at the best of times, so Alan
    was idly wondering whether W2K might be persuaded to create pretty
    audit events  for things  like cert  store key  import, export and
    deletion.  Doesn't look hopeful, but he didn't get too far because
    of a mildly distracting problem with key deletion and EFS:

    1) Alan created a new account, logged on, encrypted X.TXT via  EFS
       then attempted  to delete  the automagically  generated EFS key
       pair.   This action  led to  the sensible  warning "You  cannot
       decrypt data encrypted using the certificates.  Do you want  to
       delete the certificate?".  That was precisely what he wanted.

    2) Cert manager and the cert snap-in both agreed that the relevant
       keys  were  gone  from  the  personal  store,  but it was still
       possible to decrypt X.TXT and encrypt new files.

    3) He  logged off,  spent a  few hours  under a  different account
       before returning  to the  original and  finding it  was *still*
       possible to decrypt X.TXT and encrypt new files.

    4) Restarting the machine made the key deletion take effect.

    According to Vladja Lieberzeit, the situation with deleting an EFS
    certificate is actually a bit different (worse?) than Alan expects.
    When you delete the EFS certificate using the Internet Options
    control panel or the MMC, you delete only the certificate, nothing
    more.  The key pair remains in the CSP's key store, available for
    later use; it can still be used, e.g. programmatically.  Access to
    the encrypted data therefore remains technically possible, though
    not to a user without special tools.

    Also, when you export a cert from the personal store you can choose
    to include the private key.  If you do that you get a new (to you)
    option, "Delete the private key if the export is successful".
    Unsurprisingly this appears to leave the relevant cert installed,
    although it does vanish from the cert manager view of the personal
    store (presumably because the associated private key is gone).  In
    pfx import/export experiments it also left a likely redundant file
    under the directory:

        \Documents and Settings\[User ID]\..  ...\My\Keys
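    Both findings above come down to the certificate and the key container
    being separate objects that can be deleted independently.  The script
    below is an added audit example, not part of the original advisory,
    that checks a user's personal store in both directions: certificates
    that still reference a private key which is no longer there (the
    "delete after export" case), and key container files on disk that no
    certificate references any more (the "cert deleted, key pair remains"
    case).  It assumes a modern Windows host with PowerShell 3 or later
    and keys held by the legacy CAPI RSA CSP under
    %APPDATA%\Microsoft\Crypto\RSA\<SID>; the Win2000 "...\My\Keys"
    location named in the advisory is not used.

```powershell
# Added audit script, not part of the original advisory.
# Assumptions: PowerShell 3+ on a modern Windows host; user RSA keys held by
# the legacy CAPI CSP under %APPDATA%\Microsoft\Crypto\RSA\<SID>.  CNG-only
# keys (no CspKeyContainerInfo) are reported as dangling rather than matched.

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS: "Encrypting File System" EKU
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

$referenced    = @{}   # key container file name -> certificate thumbprint
$danglingCerts = @()   # certs that claim a private key that cannot be opened

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if (-not $cert.HasPrivateKey) { continue }
    try {
        # For CAPI keys this is the file name of the key container on disk.
        $name = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        if ($name) { $referenced[$name] = $cert.Thumbprint }
        else       { $danglingCerts += $cert }
    } catch {
        # The cert still carries key-provider info, but opening the key
        # fails: exactly what "delete the private key if the export is
        # successful" leaves behind.
        $danglingCerts += $cert
    }
}

# Key container files that no certificate in the personal store points at:
# a deleted EFS certificate whose key pair is still in the CSP key store
# shows up here.
$orphanKeys = @()
if (Test-Path $keyDir) {
    $orphanKeys = Get-ChildItem -Path $keyDir -File |
        Where-Object { -not $referenced.ContainsKey($_.Name) }
}

"Certificates whose private key is missing or unusable:"
foreach ($c in $danglingCerts) {
    $isEfs = $c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku }
    $tag   = if ($isEfs) { '  [EFS]' } else { '' }
    "  {0}  {1}{2}" -f $c.Thumbprint, $c.Subject, $tag
}

"Key containers with no certificate in the personal store:"
foreach ($k in $orphanKeys) {
    "  {0}  last written {1:u}" -f $k.Name, $k.LastWriteTime
}

# Remediation hints (comments only; adapt to the host):
#   Remove a certificate together with its key container:
#     Remove-Item -Path Cert:\CurrentUser\My\<thumbprint> -DeleteKey
#   Remove a leftover container by its (friendly) container name, which
#   is CspKeyContainerInfo.KeyContainerName rather than the file name above:
#     certutil -user -delkey "<KeyContainerName>"
```

    The second list is the one that matters for the advisory: on a machine
    where EFS certificates were removed through Internet Options or the
    MMC, each deleted certificate is expected to leave one entry there,
    and it stays until the container itself is deleted.  Remember that a
    clean result from this check says nothing about the in-memory cache
    the SOLUTION section describes; that is only cleared by a restart.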

SOLUTION

    Between  restarts,  the  EFS  service  (or  something) seems to be
    caching  all  the  EFS  keys  used  on the machine without further
    reference to  the originals.  Caching multiple  accounts' keys  is
    arguably  a  bad  thing,  but  maintaining  a copy of a supposedly
    deleted key pair is indisputably broken.