gentilkiwi / mimikatz

A little tool to play with Windows security

Home Page:http://blog.gentilkiwi.com/mimikatz


Recover cert and private key from cloned drive - Windows ActiveDirectory environment

gamebird92 opened this issue · comments

Hello everyone,

I have an external hard disk that was secured via Windows EFS. The computer that initialized the encryption is not available any more, but I have a full drive clone (Clonezilla) of the hard drive.

So I am trying to rebuild the certificate and private key to decrypt the external drive.

The user that encrypted the external drive is an Active Directory user; the certificate was not published by our internal CA though. So maybe the user encrypted the files before we set up the internal CA.

I am following this guide https://github.com/gentilkiwi/mimikatz/wiki/howto-%7E-decrypt-EFS-files but got stuck at decrypting the masterkey.

I am aware of the user's password, so that should be easy, but instead of the masterkey I receive this error:

Auto SID from path seems to be: S-1-5-21-3184696595-1076132136-4192682506-1212

[masterkey] with password: XXXXX (normal user)
ERROR kuhl_m_dpapi_masterkey ; kull_m_dpapi_unprotect_masterkey_with_password

[backupkey] without DPAPI_SYSTEM:
  key : ff13e678bd5d8ff8b2e52b29eb77859e469421d0b6417ff938c6e495172ce91e
  sha1: 4f8e5dbee5710e031771118fd01544a80b216e31

Does that mean it won't work with password and do I have to go for the NTLM domain account option?

I made it: I just added /protected to the password and then it worked.