How to back up the recovery agent Encrypting File System (EFS) private key in Windows
Article ID: 241201
This article was previously published under Q241201
This article describes how to back up the recovery agent Encrypting File System (EFS) private key on a computer that is running Microsoft Windows Server 2003, Microsoft Windows 2000, Microsoft Windows XP, Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2. Use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost. This article contains information about how to use the Certificate Export Wizard to export the recovery agent's private key from a computer that is a member of a workgroup, and from a Windows Server 2003-based, Windows 2000-based, Windows Server 2008-based or Windows Server 2008 R2-based domain controller.
You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After you decrypt the FEK, you can use the FEK to decrypt the file.
If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the recovery agent's public key. This second encrypted copy of the FEK is attached to the file, alongside the copy that is encrypted with your EFS public key, in an attribute that is named Data Recovery Field (DRF). With the recovery agent's private key, you can decrypt the FEK from the DRF, and then decrypt the file.
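To make the DDF/DRF mechanism concrete, here is an added Go example written for this page (it is not Microsoft's code and does not reproduce the real EFS on-disk format): one FEK is wrapped twice, once for the file's owner and once for the recovery agent, so the agent's private key still opens the file after the owner's key is gone. The encFile type and the RSA-OAEP/AES-GCM choices are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// encFile is a teaching model of an EFS-encrypted file (not the real on-disk
// format): ciphertext plus the FEK wrapped for the owner (DDF) and the agent (DRF).
type encFile struct {
	nonce, ciphertext, ddf, drf []byte
}

func encryptFile(plain []byte, owner, agent *rsa.PublicKey) (*encFile, error) {
	buf := make([]byte, 32+12) // fresh per-file FEK (AES-256) and GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // 32-byte key: no error possible
	gcm, _ := cipher.NewGCM(block)
	wrapped := make([][]byte, 2) // [0] becomes the DDF, [1] the DRF
	for i, pub := range []*rsa.PublicKey{owner, agent} {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		wrapped[i] = w
	}
	return &encFile{nonce, gcm.Seal(nil, nonce, plain, nil), wrapped[0], wrapped[1]}, nil
}

// decryptFile tries the given private key against the DDF, then the DRF, so
// either the owner's key or the recovery agent's key recovers the file.
func decryptFile(f *encFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range [][]byte{f.ddf, f.drf} {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
		if err != nil {
			continue // this key did not produce this copy of the FEK
		}
		block, _ := aes.NewCipher(fek)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, f.nonce, f.ciphertext, nil)
	}
	return nil, errors.New("private key matches neither the DDF nor the DRF")
}
```

This is exactly why the exported recovery agent key must be stored as carefully as the owner's own key: any holder of it can open the DRF of every file encrypted under that agent.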
By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.
Note that a computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
255026 The local administrator is not always the default Encrypting File System recovery agent (http://support.microsoft.com/kb/255026/)
Important: After you export the private key to a floppy disk or other removable media, store the floppy disk or media in a secure location. If someone gains access to your EFS private key, that person can gain access to your encrypted data.
To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
To export the domain recovery agent's private key, follow these steps:
For more information about how to determine who the recovery agent is for an encrypted file, click the following article number to view the article in the Microsoft Knowledge Base:
243026 Using Efsinfo.exe to determine information about encrypted files (http://support.microsoft.com/kb/243026/)
For more information about EFS, click the following article number to view the article in the Microsoft Knowledge Base:
223316 Best practices for Encrypting File System (http://support.microsoft.com/kb/223316/)
For more information about EFS in Windows Server, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/guidance/cryptographyetc/efs.mspx
For more information about how to work with EFS in Windows Server 2003, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/a3aa1b1f-98c9-41b3-ba05-9424e316a0781033.mspx
For more information about related topics, visit the following Microsoft Web site:
Article ID: 241201 - Last Review: February 27, 2012 - Revision: 12.0