JSI Tip 4475. How to I restore my Encrypting File System (EFS) private key?

Jerold Schulman

November 20, 2001

2 Min Read
ITPro Today logo in a gray background | ITPro Today

NOTE: See tip 4474 for how to backup the EFS private key.

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q242296 contains:

IN THIS TASK

  • SUMMARY

  • Restore the Designated Recovery Agent's EFS Private Key on Another Windows 2000 Installation

  • Troubleshooting

  • REFERENCES


SUMMARY

This article describes how to import an EFS recovery key that was previously exported to file on a disk using the procedure outlined in the following Microsoft Knowledge Base article:

Q241201 How to Backup Your EFS Private Key to Allow Data Recovery


If you lose your Encrypting File System (EFS) private key (for example, your computer installation is destroyed), a designated EFS recovery agent must restore the files. The designated recovery agent uses his or her EFS recovery agent private key to decrypt the files so they can be recovered.

back to the top

Restore the Designated Recovery Agent's EFS Private Key on Another Windows 2000 Installation

  1. Log on to your computer using the local Administrator account, or an account that is a designated EFS recovery agent.

  2. Browse to the path and file name of the .pfx file to which you exported the EFS recovery agent's private key, and then right-click the file.

  3. Click Install PFX to start the Certificate Import wizard.

  4. Click Next and confirm the file location and name.

  5. Click Next. Type the password for the private key, and then click Next.

  6. Click Place all certificates in the following store, and then click Browse.

  7. Click Personal, and then click OK.

  8. Click Finish, click Yes to add the certificate, and then click OK.

back to the top

Troubleshooting


After you successfully import the certificate, you should be able to use the local Administrator account or the recovery agent account to decrypt the files on the computer that failed. To confirm this, open one of the encrypted files (it should be accessible). If you want to make the file accessible to a new user or the original user, you must decrypt the file by removing the advanced properties encryption attribute. The new user can then re-encrypt the files using the new private key.

back to the top

REFERENCES


For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Q223316 Best Practices for Encrypting File System

Q223178 Transferring Encrypted Files That Need to Be Recovered

Q241201 How to Back Up Your Encrypting File System Private Key

back to the top





Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like