NTFS EFS : How to copy encryption certificates from one file onto (an)other file(s)?


I would like to copy all encryption certificates associated with one marker-file onto a set of other files.

Sure, there's the QueryUsersOnEncryptedFile function that returns a PENCRYPTION_CERTIFICATE_HASH_LIST, and there's the AddUsersToEncryptedFile function, that takes a PENCRYPTION_CERTIFICATE_LIST.

So, as far as I understand, to copy the certificates over, these hashes need to be converted back into a list of certificates.

To make this transition, I've been messing around with CertFindCertificateInStore. That worked up to some extent, but not for all certificates; I don't even know which certificate store(s) I should query... I did try a few: CA, ROOT, MY, SPC, Trust, TrustedPeople, AuthRoot (and even AddressBook, which seems to contain an outdated cache of certificates, as some were already expired), but none of them gave me access to all certificates that I have hashes for.

So, how can I reliably map a certificate hash back to the certificate itself? (Some example code would be nice.)

Thanks in advance!


As a side-note:

I would also like to remove all other certificates from these same target files. For this purpose, there's a function available, called RemoveUsersFromEncryptedFile, which also takes a PENCRYPTION_CERTIFICATE_HASH_LIST.

I imagine this list could be gathered by first calling QueryUsersOnEncryptedFile on each file, and then passing the resulting certificate hash list to RemoveUsersFromEncryptedFile (on the same file).

But there's a caveat: I don't want to lose all certificates, or the files won't be accessible to anyone anymore! Can I safely zero out my own (and, by extension, any other allowed) certificate hash from this intermediate hash list? (Given that there's also a dedicated FreeEncryptionCertificateHashList function.)

There is 1 answer

PatrickvL (accepted answer):

I found the answer myself: there's an API called DuplicateEncryptionInfoFile which does exactly what I need. I should have searched a bit further...

Thanks for reading though, I hope this question + answer will help someone, someday ;-)
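Below is an added example of calling DuplicateEncryptionInfoFile from PowerShell via P/Invoke; it is not code from the original question or answer. It assumes a Windows machine with an NTFS volume that supports EFS, that the caller holds a certificate already present on the marker file, and that every target path does not yet exist: the function copies the EFS metadata (the file encryption key wrapped for each user's certificate, plus any recovery agents) onto the destination it creates, it does not re-encrypt data that is already there, so the plaintext of each target has to be written into the new file afterwards. CREATE_NEW is used deliberately so an existing file is never overwritten, which also covers the side note in the question: a freshly created destination ends up with exactly the marker file's user list and nothing else, so there is no need to zero out hashes from an intermediate list.

```powershell
# Added example (not from the original post): duplicate the EFS metadata of a
# marker file onto freshly created target files with DuplicateEncryptionInfoFile.
# Assumptions: Windows, NTFS volume with EFS enabled, the caller can open the
# marker file, and each target path does not exist yet (CREATE_NEW fails otherwise).

Add-Type -Namespace Efs -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint DuplicateEncryptionInfoFile(
    string srcFileName,
    string dstFileName,
    uint dwCreationDistribution,
    uint dwAttributes,
    IntPtr lpSecurityAttributes);
'@

# Win32 constants used below (values from the Windows SDK headers).
$CREATE_NEW            = 1
$FILE_ATTRIBUTE_NORMAL = 0x80

function Copy-EfsCertificates {
    param(
        [Parameter(Mandatory)] [string]   $MarkerFile,
        [Parameter(Mandatory)] [string[]] $TargetFile
    )

    # Sanity check: the marker must actually be EFS-encrypted, otherwise there is
    # no encryption metadata to duplicate.
    $attrs = (Get-Item -LiteralPath $MarkerFile).Attributes
    if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
        throw "$MarkerFile is not EFS-encrypted"
    }

    foreach ($dst in $TargetFile) {
        # The function returns a Win32 error code, not a BOOL: 0 == ERROR_SUCCESS.
        $rc = [Efs.Native]::DuplicateEncryptionInfoFile(
            $MarkerFile, $dst, $CREATE_NEW, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero)
        if ($rc -ne 0) {
            throw [ComponentModel.Win32Exception]::new([int]$rc)
        }

        # Verify the new file carries the Encrypted attribute. The users and
        # recovery agents it now lists can be inspected with: cipher.exe /c <file>
        $dstAttrs = (Get-Item -LiteralPath $dst).Attributes
        if (-not ($dstAttrs -band [IO.FileAttributes]::Encrypted)) {
            throw "$dst was created but is not marked Encrypted"
        }
        Write-Verbose "EFS metadata of $MarkerFile duplicated onto $dst"
    }
}

# Usage (paths are placeholders):
# Copy-EfsCertificates -MarkerFile 'C:\data\marker.txt' `
#     -TargetFile 'C:\data\new-a.txt', 'C:\data\new-b.txt' -Verbose
# Afterwards write the intended contents into each new file; EFS encrypts them
# with the key material copied from the marker file.
```

One practical check after running it: compare `cipher.exe /c` output for the marker file and a target. Both should list the same user certificate thumbprints (and the same recovery agents, if a recovery policy is in force), which is exactly the mapping from QueryUsersOnEncryptedFile hashes back to certificates that the question was trying to do by hand.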