EFS Recovery

Discussion in 'Windows Desktop Systems' started by WorldWarGeneral, Apr 14, 2002.

  1. After browsing around, it would appear that before I start using the Encrypting File System, I should export my user key for recovery of that data if I have to reinstall Windows. I think I have it figured out, but I'm not sure. Here's what I did:

    I opened up the "console" by typing 'mmc' into the "run" prompt.

    I added the "certificates" snap-in.

    I then copied my user certificate from the "personal certificates" store into the "Trusted Root Certification Authorities" store (in order to make the private key exportable).

    I exported the copied certificate (including the private key) into a .PFX file.

    To restore the certificate after a reinstallation of Windows, am I to open the .PFX file (which launches the certificate import wizard) and select "Automatically select certificate store based on the type of certificate"? Will this give me access to my encrypted files if I have to reinstall?

    If I've gone about this all wrong, please let me know and tell me how I can do it correctly.
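
An added example, not part of the original thread, of the same backup done from PowerShell: it finds the current user's certificates that carry the Encrypting File System usage, exports each with its private key to a password-protected PFX, and reads the file back to confirm the thumbprint. It assumes the PKI module shipped with Windows 8.1 / Server 2012 R2 or later; the `E:\efs-backup` folder and the function names are hypothetical.

```powershell
# Added example (not from the thread): back up the current user's EFS certificate(s).
# Assumptions: PKI module available (Windows 8.1 / Server 2012 R2 or later);
# $OutDir is a hypothetical path on removable media.
$EfsOid   = '1.3.6.1.4.1.311.10.3.4'     # "Encrypting File System" enhanced key usage
$OutDir   = 'E:\efs-backup'              # hypothetical backup location
$Password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'

function Get-EfsCertificate {
    # Certificates in the user's Personal store that carry the EFS usage.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
    }
}

function Export-EfsCertificate {
    param(
        [Parameter(Mandatory)] $Cert,
        [Parameter(Mandatory)] [string] $Dir,
        [Parameter(Mandatory)] [securestring] $Pw
    )
    if (-not $Cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything after a reinstall.
        Write-Warning "$($Cert.Thumbprint): no private key in this profile, skipping"
        return
    }
    $path = Join-Path $Dir "efs-$($Cert.Thumbprint).pfx"
    # Fails with an error if the private key was created as non-exportable.
    Export-PfxCertificate -Cert $Cert -FilePath $path -Password $Pw -ErrorAction Stop | Out-Null

    # Read the PFX back with the same password and confirm it holds this certificate.
    $pfx   = Get-PfxData -FilePath $path -Password $Pw
    $match = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $Cert.Thumbprint
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        File       = $path
        Verified   = [bool]$match
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Get-EfsCertificate | ForEach-Object {
    Export-EfsCertificate -Cert $_ -Dir $OutDir -Pw $Password
}
```

`cipher /c <file>` lists the certificate thumbprints able to decrypt a given file, which can be compared with the `Thumbprint` column printed here.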
     
  2. Lonman

    I think you may be our resident EFS expert. I'd suggest backing up your encrypted stuff, unencrypted, and test your theory by deleting the .pfx file(s), attempting to access the encrypted store, and then restoring the .pfx file(s) to verify that it works ok. Let us know how it works out.
     
  3. I created another user account and attempted to access some encrypted files. (couldn't) I then imported my certificate into the account. (opened the PFX file from within the dummy account) I then had access to the encrypted files from both accounts.

    This leads me to believe I've got it right. When I read the MS Knowledge Base articles, they usually involve creating "Data Recovery Agents" and the like. Whenever I attempt to create one with my exported certificate, it tells me there is "nothing in the certificate for this operation." Reading further, it mentions that the built-in Administrator account is the default recovery agent on machines that aren't on a domain. There aren't any recovery agents listed in the Local Security Policy window, only a message that says "no policy defined."

    I guess I'll find out next time I reinstall, which is often because I like to play with my hard drive partitions, but am too cheap to get Partition Magic. Too bad DiskDrake (comes with Mandrake Linux) will only non-destructively resize FAT32 partitions and not NTFS. I'll just be sure to decrypt anything extremely important before I restore it.

    Another question though: since, according to the help files, encrypted files are automatically decrypted when moved to a non-NTFS volume, when I back up the encrypted files to a CD and then restore them after the reinstall, are the files re-encrypted again? Or do they stay decrypted, making this entire thing moot?
     
  4. Lonman

     
  5. I copied some encrypted files to a CD, both manually and through the built-in backup utility. Both times the data was completely accessible from all user accounts (administrative and limited). I copied the encrypted files to each desktop, and I accessed them without a problem.

    I will keep a backup of my key though. I hate to waste a CD-R for a 4 Kb file, but it would probably be safer there than on a floppy.
     
  6. Lonman

    Right on. Like I said, you're now our resident expert on this subject. ;) :D
     
  7. Qumahlin

    Qumahlin Moderator

    You really don't wanna copy your user certificate unless you will only be doing recovery on your user... for other users you are going to need the recovery agent certificate. It has access to recover files regardless of user. Just in case you run into that problem :)
     
  8. How do I back up the recovery agent certificate? I can't figure that part out. Is there any way to designate myself as the recovery agent? Or since the built-in Administrator account is supposed to be the recovery agent, do I just export its "personal" certificate, and that will allow access to encrypted files?

    I'll try that out.