JSI Tip 2641. How do I back up my Encrypting File System Private Key?
July 25, 2000
When you use EFS, an EFS public key encrypts files and an EFS private key decrypts files.
If you loose the private key, the encryted files can NOT be recovered.
In a Windows 2000 domain, the Domain Administrator can designate EFS recovery agent accounts, who can recover data even if you loose your private key.
If you are not a member of a Windows 2000 domain, the local Administrator account is the designated EFS recovery agent. You MUST backup the local administrator's private key.
To backup the local administrator's private key:
01. Log on using the built-in Administrator account.
02. Start / Run / secpol.msc / OK
03. Press the plus sign (+) next to Public Key Policies and press Encrypted Data Recovery Agents.
04. Right-click the file recovery certificate that is issued to Administrator and press All tasks / export.
05. Press Next and select the Yes, export the private key option. Press Next.
06. If you wish to remove the private key after the export, select the Delete the private key if the export is successful box.
07. Press Next.
08. Type a password to secure the exported key and confirm it. Press Next.
09. When prompted, enter a file name on a disk or removeable media. Press Next.
10. Verify the options selected and press Finish.
11. Press OK when the export was successful dialog is displayed.
NOTE: If you chose to remove the private key, you must rerstart.
NOTE: See tip 2642 to import the private key.
See the Encrypting File System for Windows 2000 white paper at http://www.microsoft.com/windows2000/library/howitworks/security/encrypt.asp.
About the Author
You May Also Like