JSI Tip 4474. How do I back up my Encrypting File System (EFS) private key?

NOTE: See tip 4475 for how to restore the EFS private key.

Microsoft Knowledge Base Article 241201 contains the following summary and introduction:

SUMMARY

This article describes how to back up the recovery agent Encrypting File System (EFS) private key on a computer that is running Microsoft Windows Server 2003, Microsoft Windows 2000, or Microsoft Windows XP. Use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost. This article contains information about how to use the Certificate Export Wizard to export the recover agent's private key from a computer that is a member of a workgroup, and from a Windows Server 2003-based or Windows 2000-based domain controller.

INTRODUCTION

This article describes how to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, and in Windows XP. You can use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost.

You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After you decrypt the FEK, you can use the FEK to decrypt the file.

If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the Recovery Agent's public key. The encrypted FEK is attached to the file with the copy that is encrypted with your EFS public key in the Data Recovery Field (DRF). If you use the recovery agent's private key, you can decrypt the FEK, and then decrypt the file.

By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.

Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

255026 The local administrator is not always the default Encrypting File System recovery agent

Important After you export the private key to a floppy disk or other removable media , store the floppy disk or media in a secure location. If someone gains access to your EFS private key, that person can gain access to your encrypted data.



TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish