When dealing with EFS-encrypted SSH private keys on a corrupted Windows XP system, the recovery process becomes particularly complex. The fundamental issue stems from how Windows Encrypting File System (EFS) ties encryption to specific user profiles. Once the OS is reinstalled, even with the same username, the new profile won't have the same encryption certificates.
Deriving a private key from a public key is not feasible: RSA is built on a one-way problem, so the public key alone never yields the private half. However, these practical approaches might help:
# Convert an OpenSSH public key (for example, the line saved from authorized_keys) to PEM/PKCS8
ssh-keygen -f id_rsa.pub -e -m PKCS8 > public.pem
If you have system backups or registry snapshots, focus on these recovery methods:
- Previous EFS Certificates: Search for *.pfx files in backup locations
- Registry Hives: Specifically HKEY_USERS\[SID]\Software\Microsoft\Windows NT\CurrentVersion\EFS
- Shadow Copies: Use vssadmin to list shadows if System Restore was active
When recovery fails, consider these alternatives:
# Generate new key pair while preserving the public key comment
ssh-keygen -t rsa -b 4096 -C "original_comment@example.com" -f new_key
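For existing servers, you can temporarily modify sshd_config so that you can log in with a password and install the new key:
PubkeyAuthentication yes
# Temporary measure: set back to "no" once the new key is installed
PasswordAuthentication yes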
Always export the EFS certificate and key used for critical SSH key files (this writes efscert.pfx; keep it off the machine):
cipher /x:"C:\path\to\private_key.ppk" efscert
Consider using KeePass with SSH agent plugin for secure key management across system reinstalls.
When dealing with RSA key pairs, it is not feasible to reverse-engineer a private key from its public counterpart. The security of RSA relies on the computational difficulty of factoring the product of two large prime numbers. However, we have several practical approaches when facing this scenario:
// Typical RSA public key structure (from your base64)
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz6eJj0JZ...
-----END PUBLIC KEY-----
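PuTTY stores recent session data in the Windows registry. A saved session records the path of the key file it used, not the key itself, which tells you which file name to look for. Try searching these locations: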
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SSHHostKeys
Use this command (reg.exe, run from cmd or PowerShell) to export the registry keys:
reg export "HKCU\Software\SimonTatham\PuTTY" putty_backup.reg
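While the private key cannot be derived from the public key, we can read the old key's parameters and create a new key pair of the same size. The new pair has a different modulus, so it does not match the old public key and must be installed on each server:
openssl rsa -pubin -in public.pem -text -noout
# Output shows the modulus (n), its bit length and the exponent (e)
# Then generate a new key with the same bit length:
openssl genrsa -out new_private.pem [original_bit_length]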
The private key (id_rsa.ppk) from before the reinstall might still exist in:
- Pagefile.sys
- System restore points
- Unallocated disk space
Use photorec or testdisk for recovery:
# /d sets the directory that receives recovered files; the device to scan comes last
photorec /d /mnt/recovery/ /dev/sda
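Carved files still have to be matched against the key the servers trust. Once a candidate loads, `puttygen -L` prints its public key line, and this added example (not part of the original page) parses two ssh-rsa lines, compares exponent and modulus, and reports the modulus size and fingerprint. The sample key is constructed, and `make_line`, `parse_ssh_rsa` and `same_key` are hypothetical helper names.

```python
import base64
import hashlib

# Constructed 2048-bit odd integer for the demo; not a real RSA modulus.
SAMPLE_N = (1 << 2047) | 0x1D2C3B4A5F

def _field(raw):  # RFC 4251 string: 4-byte big-endian length, then the bytes
    return len(raw).to_bytes(4, "big") + raw

def make_line(e, n, comment):
    """Build an authorized_keys-style ssh-rsa line (sample data only)."""
    # mpint encoding: one extra byte keeps the top bit clear (positive number).
    mp = lambda v: _field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = _field(b"ssh-rsa") + mp(e) + mp(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _read_field(blob, off):
    """Read one length-prefixed field; reject lengths that overrun the blob."""
    length = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + length
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_ssh_rsa(line):
    """Parse an ssh-rsa line; leading options and the comment are ignored."""
    fields = line.split()
    if "ssh-rsa" not in fields[:-1]:
        raise ValueError("no ssh-rsa key on this line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1], validate=True)
    key_type, off = _read_field(blob, 0)
    e_raw, off = _read_field(blob, off)
    n_raw, off = _read_field(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    n = int.from_bytes(n_raw, "big")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {"e": int.from_bytes(e_raw, "big"), "n": n,
            "bits": n.bit_length(), "fingerprint": "SHA256:" + digest.rstrip("=")}

def same_key(line_a, line_b):
    """True when both lines carry the same RSA public key (e and n equal)."""
    a, b = parse_ssh_rsa(line_a), parse_ssh_rsa(line_b)
    return (a["e"], a["n"]) == (b["e"], b["n"])

if __name__ == "__main__":
    server = 'from="10.0.0.5" ' + make_line(65537, SAMPLE_N, "original_comment@example.com")
    candidate = make_line(65537, SAMPLE_N, "recovered-candidate")
    print(parse_ssh_rsa(server)["bits"], same_key(candidate, server))
```

The fingerprint uses the same format that `ssh-keygen -lf` prints, so it can be compared directly with what a server administrator reads off authorized_keys.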
When all else fails, here's the complete regeneration process:
- Generate new key:
puttygen -t rsa -b 4096 -o new_key.ppk
- Extract public key:
puttygen -L new_key.ppk > new_key.pub
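- Batch update servers using ssh-copy-id:
#!/bin/bash
# Read hosts on fd 3 so ssh-copy-id keeps stdin free for password prompts
while IFS= read -r server <&3; do
    # -f skips the "already installed?" check, which needs an OpenSSH-format private key
    ssh-copy-id -f -i new_key.pub "admin@$server"
done 3< server_list.txt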
Implement these practices to avoid future headaches:
- Use ssh-keygen -o for OpenSSH-compatible backups
- Store encrypted backups in multiple locations
- Consider using hardware security modules (HSMs)