Manage Your EFS Keys with Cipher

Encrypting File System (EFS) lets you encrypt important files so that life is tough for the folks trying to steal sensitive data. However, like any encryption system, EFS isn’t all wine and roses: If you lose your encryption keys, not only will the bad guys be unable to read your data, you won’t be able to read it, either. Key management and recovery is therefore extremely important to any EFS user, and EFS’s command-line tool Cipher (cipher.exe) can help.

Back Up Your EFS Key
The first time that you use EFS to encrypt something, your system generates a random 256-bit number; that’s the key that EFS uses whenever you encrypt something. To back up your EFS key, simply use the Cipher /x command. Cipher will reply with a message asking if you truly want to back up your EFS key—sadly, I haven’t found a way to suppress this message. Press OK. The tool will then prompt you for the name of the file in which to store the backup. Don’t specify a file extension; Cipher insists on the .pfx extension. For example, if you picked a file named mybackup, you now have a small file called mybackup.pfx. Next, the tool will prompt you to create a password with which to protect that file.

Once you’ve got that file created, copy it from your computer’s hard disk to some offline location (e.g., a USB stick, a CD-ROM) and make a note of the password you’ve chosen. Now, in the event of unfortunate circumstances— for example, you lose your profile, you forget your password and a systems administrator has to reset it, the system’s OS fails and you need to recover files directly from the nowdead system’s hard disk—you can simply restore your EFS key by double-clicking the .pfx file and running the resulting wizard. As soon as the wizard is finished, you’ll be able to get to your files again.

Make Yourself a Recovery Agent
But what if you’re the administrator of this system, and you have to think of your users? You might not trust your users to back up their EFS keys, and you’d hate to see the look on their faces when they lose their keys and you’re forced to say, “I can’t help you.” To avoid that, make yourself a recovery agent for the standalone (non-domain-joined) system. (A recovery agent can decrypt files even if he or she didn’t create them.) And this is important: Do so before people start encrypting files. In my experience, a recovery agent can decrypt any files created after he or she became a recovery agent—not before. You can make any user—administrator or not—into a recovery agent, but for this example I’ll assume you’re making yourself the recovery agent. The following process works equally well for Windows Vista, Windows Server 2003, and Windows XP.

First, execute the Cipher /r:recoveryguy command, which creates two certificate files: recoveryguy.cer and recoveryguy. pfx. Cipher will prompt you to create a password for the .pfx file, which contains a private key and needs some protection. Anyone can run this command because all it does is create this pair of certificates. In essence, a user running this command creates a self-identifying ID card (i.e., the .pfx file) and an assurance of trustworthiness to EFS that the user can decrypt any and all files on this system (i.e., the .cer file). None of that’s worth a darn unless an administrator hands this “letter of introduction” to EFS.

In the second step, the soon-to-be data recovery agent (that’s you) needs to associate himself or herself with the newly created .pfx file. Double-click the recoveryguy.pfx file to start the Certificate Import Wizard. After clicking Next twice, the wizard will ask you for the password to the private key on the certificate. Fill in the password you told Cipher /r to use. Also, select the Mark this key as exportable check box (so that you can back up the certificate if necessary), and click Next. Click Next to let the wizard store the certificate, and click Finish.

Finally, in the third step, you’ll give that letter of introduction to the OS. Ensure that you’re logged on with an administrative account, and start up the local Group Policy Editor (GPE). Navigate to Local Computer Policy, Windows Settings, Security Settings, Public Key Policies, Encrypting File System. Right-click the Encrypting File System folder, and choose Add Data Recovery Agent. Doing so starts another wizard. Click Next to get to the Select Recovery Agents page. Click Browse Folders, and navigate to recoveryguy.cer. After you choose that file and click Yes, you’ll see that Windows has accepted the certificate, but that it has the name USER_UNKNOWN. Don’t worry: That’s normal. Click Next, then Finish.

Freely Decrypt
From this point forward, you can examine and decrypt anything encrypted by anyone on this system. Remember, if you’re the only user of a standalone (non-domain-joined) system, you just need to back up your EFS key. But if you’re the administrator of a system that more than one person uses, you need to do a bit more clicking and make yourself a data recovery agent. Or you can simply join those systems to a domain, and the work is already done for you!