The User State Migration Tool supports encrypting a compressed store file. This article answers some of the more common questions about the architecture of this encryption.
What is USMT 4.0's store compression algorithm?
USMT uses MS-proprietary algorithms to compress the USMT.MIG store file. The file cannot be opened using commercial compression tools, as the algorithm does not follow a public method. A list of files in the store can be generated during scanstate with the parameter /listfiles:fileName.
How does USMT 4.0 encrypt the store file?
Files are read buffer by buffer, encrypted in memory, and written to the destination, again using an MS-proprietary algorithm. No portion of a file is written anywhere in unencrypted form (not even in a temporary file). The source computer files are, of course, still unencrypted, so the encryption methodology is largely irrelevant: encryption exists only for transportation and storage between the scanstate and loadstate phases. This encryption behavior has nothing to do with EFS-encrypted files either; those files are copied in raw form and are always encrypted end-to-end.
How can you tell what encryption algorithm is supported by the computers that will be using USMT?
Use USMTUTILS.EXE /EC to see which cipher suites are available on a source or destination computer. All OSes that support USMT 4 (XP, Vista, 7) inherently support all of the encryption suites supported by /encrypt and /decrypt (AES, AES 128-bit, AES 192-bit, AES 256-bit, 3DES, and 3DES 112-bit). However, certain versions of Windows might have one or more of those cipher suites removed due to export restrictions.
What USMT encryption types does Windows XP support?
Windows XP - which internally does support AES - only supports 3DES and 3DES_112 store encryption due to a limitation in USMT itself.
When running USMTUTILS.EXE /EC on a Windows XP computer, the following error is expected:
Failed to acquire AES Encryption provider context (MS_ENH_RSA_AES_PROV). The following error occurred: The keyset is not defined.. Using default (MS_ENHANCED_PROV)
When running SCANSTATE.EXE C:\store /auto /encrypt:AES /key:foobar on a Windows XP computer, the following error is expected:
Failed.
A Windows Win32 API error occurred.
Windows error 2148073480 description: invalid algorithm specified.
See the log file for more information.
Scanstate return code: 71
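The selection described above, as an added example (not part of the original article and not Microsoft's code): PowerShell that picks the strongest /encrypt value reported by both computers and skips the Windows XP provider warning so that its mention of AES is not counted as support. It assumes USMTUTILS.EXE /EC names algorithms with the same tokens that /encrypt accepts; the function names and the sample output are constructed.

```powershell
# Preference order for the store cipher, strongest first.
$Preference = 'AES_256', 'AES_192', 'AES_128', 'AES', '3DES', '3DES_112'

function Get-UsmtAlgorithms {
    param([string[]]$EcOutput)
    $found = foreach ($line in $EcOutput) {
        # The XP warning "Failed to acquire AES Encryption provider context ..."
        # contains the word AES but means AES is NOT usable: skip such lines.
        if ($line -match '^\s*Failed') { continue }
        # Whole tokens only, so AES does not match inside AES_256 or a
        # provider name such as MS_ENH_RSA_AES_PROV.
        $pattern = '(?<![A-Za-z0-9_])(AES_256|AES_192|AES_128|AES|3DES_112|3DES)(?![A-Za-z0-9_])'
        [regex]::Matches($line, $pattern) | ForEach-Object { $_.Value }
    }
    @($found) | Select-Object -Unique
}

function Select-UsmtCipher {
    param([string[]]$SourceEc, [string[]]$DestinationEc)
    $src = @(Get-UsmtAlgorithms $SourceEc)
    $dst = @(Get-UsmtAlgorithms $DestinationEc)
    foreach ($alg in $Preference) {
        if (($src -contains $alg) -and ($dst -contains $alg)) { return $alg }
    }
    throw 'No store encryption algorithm is available on both computers.'
}

# Constructed sample output; the real layout of "usmtutils /ec" may differ.
# On a live system, capture it with:  $out = & usmtutils.exe /ec 2>&1
$xp = @(
    'Failed to acquire AES Encryption provider context (MS_ENH_RSA_AES_PROV). The following error occurred: The keyset is not defined.. Using default (MS_ENHANCED_PROV)',
    '3DES',
    '3DES_112'
)
$win7 = @('AES_256', 'AES_192', 'AES_128', 'AES', '3DES', '3DES_112')

$alg = Select-UsmtCipher -SourceEc $xp -DestinationEc $win7

# Requesting an algorithm the source cannot use fails with return code 71 and
# Windows error 2148073480, which is 0x80090008 (NTE_BAD_ALGID).
'Windows error 2148073480 = 0x{0:X8}' -f 2148073480

# Command line to run on the source computer; <key> is a placeholder.
"scanstate.exe C:\store /auto /encrypt:$alg /key:<key>"
```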