Recovery of Encrypted Files on a Server

Users may remotely encrypt files on a Windows 2000 server. The users' keys are stored on the server.

Windows 2000 permits a user to remotely encrypt files on a server if the server has an NTFS partition, and the server is trusted for delegation in Active Directory. Remote encryption requires that a user's certificate, and private key be loaded in a local profile on the server for encryption, and decryption operations. The server obtains access to the profile through Kerberos delegation. It is important to note that a user will have a profile, and private keys stored on the server even if the user has never logged on interactively to the server. Remotely encrypted files will only be encrypted by using the private keys stored in this profile. If a roaming profile is available, it will be copied locally for use.

The profile can be obtained through one of two ways:

1. The user has a roaming user profile (RUP), which is downloaded when the server impersonates the user.
2. The server generates a new local profile on behalf of the user, and subsequently requests, or generates a self-signed encrypting file system (EFS) certificate.

Remote encryption of files on a server introduces new challenges in disaster recovery that require administrators to take steps to preserve the ability of users to decrypt files that have been previously encrypted. In disaster recovery scenarios, if data files have been backed up, but not the secured user profiles containing the users' private keys (and RUPs are not used), users will not be able to decrypt, or access the previously encrypted files. If this should occur, only the Data Recovery Agent will be able to decrypt any previously encrypted files.

In order to avoid this scenario, several options exist:

1. Back up the full operating system, and profile hives, not just data files.
2. Use roaming user profiles.
3. In the case of a redirected My Documents folder to a file server through Group Policy, make a change in Group Policy Object (GPO) to redirect the My Documents folder to an alternate server. For example, if you are encrypting files in the My Documents folder, and the My Documents folder is redirected to a server through Group Policy, changing the server path in the Group Policy will mitigate the issue.