WWW http://internetfixes1.brinkster.net



Tip 117: Back up an Encrypting File System recovery key

The Encrypting File System (EFS) in Windows 2000 lets users encrypt files with almost no effort, because Windows 2000 automatically generates the keys needed to encrypt and decrypt the data. If the user's EFS private key is deleted, however, the encrypted data becomes inaccessible. Fortunately, Windows 2000 also designates a recovery agent whose key can decrypt the data.




Windows 2000 does not encrypt the file contents with either key directly. Each file is encrypted with a randomly generated symmetric file encryption key (FEK); the FEK is then encrypted once with the user's public EFS key (stored in the file's Data Decryption Field) and once with the public key of each designated recovery agent (stored in a Data Recovery Field). Either private key can unwrap the FEK, which is why the recovery agent's key can decrypt the files if the user's key is lost. Note that a recovery agent's field is written at encryption time, so files encrypted before an agent was designated do not carry that agent's field until they are next re-encrypted. By default, the local Administrator account is the recovery agent for computers in a workgroup. The domain Administrator account (on the first domain controller) is the default recovery agent for computers in a domain.
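The key hierarchy described above, as an added illustration that is not part of the original tip: a symmetric FEK protects the file, and the FEK is wrapped separately for the user and for the recovery agent, so losing the user's private key does not lose the data. This is a model in PowerShell using .NET's RSA and AES classes, not EFS's actual ciphers or on-disk layout; the key pairs, the function name Unprotect-FileWithKey and the sample file contents are all constructed for the demonstration.

```powershell
# Added illustration of the EFS key hierarchy (not code from the original tip).
# Real EFS uses its own symmetric cipher and file-header layout; only the
# wrapping scheme is reproduced here. All keys and data below are constructed.

# OAEP with SHA-1 is accepted by both RSACryptoServiceProvider (Windows
# PowerShell 5.1) and the CNG/Core implementations, so the script runs on either.
$padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1

# Two RSA key pairs: the user's EFS key and the recovery agent's key.
$userKey  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$agentKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)

# Encrypt the file with a random symmetric File Encryption Key (FEK).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.GenerateKey(); $aes.GenerateIV()
$plain  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: contents of payroll.xls')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# Wrap the FEK once per recipient, as EFS does in the file's header.
$ddf = $userKey.Encrypt($aes.Key, $padding)   # Data Decryption Field (user)
$drf = $agentKey.Encrypt($aes.Key, $padding)  # Data Recovery Field (recovery agent)

# Simulate the failure the tip describes: the user's private key is gone.
$userKey.Dispose()

# Unwrap the FEK with whichever private key is still available and decrypt.
function Unprotect-FileWithKey([System.Security.Cryptography.RSA] $privateKey, [byte[]] $wrappedFek) {
    $fek  = $privateKey.Decrypt($wrappedFek, $padding)
    $aes2 = [System.Security.Cryptography.Aes]::Create()
    $aes2.Key = $fek
    $aes2.IV  = $aes.IV      # in practice the IV is stored with the ciphertext
    $out = $aes2.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::UTF8.GetString($out)
}

# The recovery agent's private key still unwraps the FEK and recovers the file.
Unprotect-FileWithKey $agentKey $drf
```

The point for the backup procedure below is that the agent's private key is the only remaining path to the FEK once the user's key is gone; if that private key is never exported, nothing else on the machine can decrypt the file.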



You should back up the recovery agent key on any system that uses EFS, so that data stays recoverable if something happens to the user keys. Because the exported file holds the private key that can decrypt every EFS-protected file the agent covers, treat it as a secret in its own right. Follow these steps to export the key on a workgroup computer:



1. Log on to the local computer using the local Administrator account and run Secpol.msc.

2. Expand the Public Key Policies\Encrypted Data Recovery Agents branch.

3. In the right pane, right-click the certificate, choose All Tasks | Export, and then choose Next when the Certificate Export Wizard starts.

4. Choose Yes (Export The Private Key), and click Next.

5. Follow the remainder of the wizard using the default values. The wizard asks for a password to protect the exported .pfx file; choose a strong one, because anyone who obtains the file and the password can decrypt the data. Specify a file to contain the key.

6. When the wizard finishes, copy the newly created file to removable media (a floppy or compact disk) and lock the disk in a safe, or to a network share whose permissions restrict it to the administrators who need it. Then remove the working copy from the local disk.



In the wizard, if you choose the option to remove the private key from the computer after the export is complete, you must restart the workstation or domain controller for the removal to be completed.
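The same export done from PowerShell, as an added example that goes beyond the Windows 2000 case (Windows 2000 has no PowerShell; this runs on current Windows versions and is not code from the original tip). It locates the recovery agent certificate by its File Recovery enhanced key usage, exports certificate and private key to a password-protected .pfx, and verifies the file can be read back before reporting success. It assumes you are logged on as the recovery agent account, so the private key is in that account's personal store, and that the key is exportable, as the default EFS keys are; the output path is a placeholder.

```powershell
# Added example (not from the original tip): export the EFS recovery agent's
# certificate and private key to a password-protected .pfx, then verify it.
# Assumes the logged-on account is the recovery agent and the key is exportable.
# The output path is a placeholder; change it to suit your environment.

$efsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage "File Recovery"
$backupPath     = Join-Path $env:TEMP 'efs-recovery-agent.pfx'
$pfxPassword    = Read-Host -Prompt 'Password to protect the exported key' -AsSecureString

# Find certificates in the current user's personal store that carry the
# File Recovery EKU and have a usable private key.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    ) -contains $efsRecoveryOid
})

if ($candidates.Count -eq 0) {
    throw 'No recovery agent certificate with a private key found in Cert:\CurrentUser\My.'
}
if ($candidates.Count -gt 1) {
    $candidates | Format-List Subject, Thumbprint, NotAfter | Out-Host
    throw 'More than one candidate; select one by thumbprint before exporting.'
}
$cert = $candidates[0]

# Export certificate plus private key as PKCS #12, protected by the password.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[System.IO.File]::WriteAllBytes($backupPath, $pfxBytes)

# Verify: load the file back and confirm it carries the same key pair.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($backupPath, $pfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    Remove-Item $backupPath
    throw 'Exported file did not verify; backup discarded.'
}

'Exported {0} (thumbprint {1}, expires {2}) to {3}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $backupPath
# Next: move the .pfx to offline media, record the thumbprint with it, and
# remove the working copy from this disk.
```

Recording the thumbprint alongside the backup lets you confirm later that the archived file matches the agent certificate still listed in the recovery policy, and the expiry date tells you when the agent key must be renewed and the backup repeated.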



If you need to back up the recovery agent key for a domain, log on to the first domain controller in the domain as the domain Administrator (the account that holds the default recovery agent's private key) and run Dompol.msc. Use the same procedure as above to export the key to a file.

Page 117 of 237