EFS Recovery

  • Thread starter WorldWarGeneral

After browsing around, it would appear that before I start using the Encrypting File System, I should export my user key for recovery of that data if I have to reinstall Windows. I think I have it figured out, but I'm not sure. Here's what I did:

I opened up the "console" by typing 'mmc' into the "run" prompt.

I added the "certificates" snap-in.

I then copied my user certificate from the "personal certificates" store into the "Trusted Root Certification Authorities" store (in order to make the private key exportable).

I exported the copied certificate (including the private key) into a .PFX file.

To restore the certificate after a reinstallation of Windows, am I to open the .PFX file (which launches the certificate import wizard) and select "Automatically select certificate store based on the type of certificate"? Will this give me access to my encrypted files if I have to reinstall?

If I've gone about this all wrong, please let me know and tell me how I can do it correctly.
 
I think you may be our resident EFS expert. I'd suggest backing up your encrypted stuff, unencrypted, and test your theory by deleting the .pfx file(s), attempting to access the encrypted store, and then restoring the .pfx file(s) to verify that it works ok. Let us know how it works out.
 
I created another user account and attempted to access some encrypted files. (couldn't) I then imported my certificate into the account. (opened the PFX file from within the dummy account) I then had access to the encrypted files from both accounts.

This leads me to believe I've got it right. When I read the MS Knowledge Base articles, they usually involve creating "Data Recovery Agents" and the like. Whenever I attempt to create one with my exported certificate, it tells me there is "nothing in the certificate for this operation." Reading further, it mentions that the built-in Administrator account is the default recovery agent on machines that aren't on a domain. There aren't any recovery agents listed in the Local Security Policy window, only a message that says "no policy defined."

I guess I'll find out next time I reinstall, which is often because I like to play with my hard drive partitions, but am too cheap to get Partition Magic. Too bad DiskDrake (comes with Mandrake Linux) will only non-destructively resize FAT32 partitions and not NTFS. I'll just be sure to decrypt anything extremely important before I restore it.

Another question though: since, according to the help files, encrypted files are automatically decrypted when moved to a non-NTFS volume, when I back up the encrypted files to a CD, and then restore them after the reinstall, are the files re-encrypted again? Or do they stay decrypted, making this entire thing moot?
 
Originally posted by WorldWarGeneral:
"I created another user account and attempted to access some encrypted files. (couldn't) I then imported my certificate into the account. (opened the PFX file from within the dummy account) I then had access to the encrypted files from both accounts."

Cool, sounds like you're on the right track.

"Another question though: since, according to the help files, encrypted files are automatically decrypted when moved to a non-NTFS volume, when I back up the encrypted files to a CD, and then restore them after the reinstall, are the files re-encrypted again? Or do they stay decrypted, making this entire thing moot?"

Do another test by burning a sampling and trying to access the files from an account that doesn't have 'permission.' If you can access them then it's a safe bet they won't be automatically 're-encrypted.' Test the theory using the backup utility too (make a small backup file and try to restore/access it from the CD you burn).

I think you're on to a very important topic here. As long as you're using file encryption, be sure you back up your 'key' and put it in a safe spot. You may be in a position at some point that you need to do a repair installation that could wipe out the key(s). If you get hit by a virus or something that hammers your certificate files - no backup = no files!
 
I copied some encrypted files to a CD, both manually and through the built-in backup utility. Both times the data was completely accessible from all user accounts (administrative and limited). I copied the encrypted files to each desktop, and I accessed them without a problem.

I will keep a backup of my key though. I hate to waste a CD-R for a 4 Kb file, but it would probably be safer there than on a floppy.
 
Right on. Like I said, you're now our resident expert on this subject. ;) :D
 
You really don't wanna copy your user certificate unless you will only be doing recovery on your user... For other users you are going to need the recovery agent certificate. It has access to recover files regardless of user. Just in case you run into that problem :)
 
How do I back up the recovery agent certificate? I can't figure that part out. Is there any way to designate myself as the recovery agent? Or since the built-in Administrator account is supposed to be the recovery agent, do I just export its "personal" certificate, and that will allow access to encrypted files?

I'll try that out.
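Added example (not part of the original thread, and not any poster's code): a PowerShell sketch that tells an EFS user certificate apart from a recovery agent certificate by its enhanced key usage, the distinction behind the two kinds of certificate discussed above, and backs up the user certificates to password-protected .PFX files. It assumes a Windows version that ships the PKI module (Export-PfxCertificate); the efs-backup output folder is a hypothetical name.

```powershell
# Added example: classify certificates in the current user's Personal store by
# EFS-related enhanced key usage (EKU), then back up the EFS ones with their keys.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System (user certificate)
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (data recovery agent)

function Get-EfsCertificateRole {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $oids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $oids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if     ($oids -contains $DraOid) { 'RecoveryAgent' }
    elseif ($oids -contains $EfsOid) { 'EfsUser' }
    else                             { 'Other' }
}

$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        Role          = Get-EfsCertificateRole -Certificate $_
        HasPrivateKey = $_.HasPrivateKey   # without the key the certificate cannot decrypt
        NotAfter      = $_.NotAfter
    }
}
$report | Where-Object { $_.Role -ne 'Other' } | Format-Table -AutoSize

# Back up every EFS user certificate that still has its private key.
# Export-PfxCertificate raises an error if the key was marked non-exportable.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$outDir   = Join-Path $env:USERPROFILE 'efs-backup'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($row in $report | Where-Object { $_.Role -eq 'EfsUser' -and $_.HasPrivateKey }) {
    $cert = Get-Item "Cert:\CurrentUser\My\$($row.Thumbprint)"
    $file = Join-Path $outDir "$($row.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null
}
```

The built-in `cipher /x` command backs up the current user's EFS certificate and key to a file, and `cipher /r:<name>` generates a recovery agent certificate as a .CER/.PFX pair. Store the resulting .PFX files offline, away from the encrypted data.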
 
