Windows XP Pro: Using File Encryption - part 2
With EFS enabled, it's time to create a recovery agent. Dave Cook says you won't regret it
If you've followed us thus far, you should now be running the Encrypting File System (EFS) on your computer. The next step is to create a recovery agent.
A recovery agent allows you to access encrypted files should something happen to your user account. But while recovery agents are created automatically when computers are connected to a domain, users of other computers must create their agents manually.
Note also that when creating a recovery agent, it should be assigned to a different user account to the one on which EFS is enabled. The reason here is obvious. If you create a recovery agent on your EFS-enabled user account and you accidentally damage or delete that account, you will almost certainly lose the key that allows you to decrypt the files.
Certificate
To create a recovery agent you first need to create a data recovery certificate. Usually, the recovery agent is assigned to the Administrator account, although you can select a different user account or create a new one if you so wish.
To generate a recovery certificate, log on as the Administrator (for example) and at a command prompt, type:
cipher /r:filename
Note that 'filename' should be replaced with a name of your choice. Then, when prompted, type a password to create two files with the extensions .cer and .pfx. The .cer file holds only the certificate; the .pfx file also holds the private key, protected by that password.
Be aware that anyone who obtains the .pfx file (and its password) can make themselves a recovery agent and decrypt every file the agent covers. So after creating the files, they should be moved to floppy, for example, and then safely stored elsewhere. We'll show you how to do that later in the series.
Agent
To create a recovery agent, remain logged on to the Administrator account.
- Click Start, Run, and type certmgr.msc to open the Certificates console.
- Go to Certificates - Current User\Personal, and choose Action, All Tasks, and Import to launch the Certificate Import Wizard.
- Click Next, and the File To Import page appears.
- Click Browse, and then select Personal Information Exchange in the Files Of Type box to see .pfx files.
- Select the .pfx file you created earlier, click Open, and then click Next.
- Enter the password you have already assigned to the certificate, and then select Mark This Key As Exportable.
- Click Next.
- Choose Automatically Select The Certificate Store Based On The Type Of Certificate.
- Click Next, and then click Finish.
Close the Certificates console, and click Start, Run and type secpol.msc. This opens the Local Security Settings console.
- Go to Security Settings\Public Key Policies\Encrypting File System, and choose Action, Add Data Recovery Agent. Click Next.
- Click Browse Folders and navigate to the .cer file you created earlier.
- Select the file and click Open. Click Next.
- The recovery agent is shown as USER_UNKNOWN. This is normal since the name isn't stored in the file. Click Finish.
That's it. The current user account is assigned as the recovery agent for encrypted files on this computer. Files that were already encrypted pick up the new recovery agent the next time they are opened or saved; to update them all at once, type cipher /u at a command prompt. So if something should happen to your own user account, you will still have the ability to log on to this account and recover the encrypted files.
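Before the .cer and .pfx files leave the machine, it is worth confirming that they really are a matching pair, that the .pfx carries the private key, and that the certificate is one EFS will accept as a recovery agent. The following PowerShell script is an added example, not part of the original guide; it assumes PowerShell is installed (it is not present on Windows XP by default) and uses recovery.cer / recovery.pfx as placeholder names for the files cipher /r created.

```powershell
# Added example: sanity-check the recovery certificate pair produced by "cipher /r:filename".
# File names below are placeholders; pass your own with -CerPath / -PfxPath.
param(
    [string]$CerPath = '.\recovery.cer',
    [string]$PfxPath = '.\recovery.pfx'
)

# Enhanced Key Usage OID that Windows stamps on EFS recovery-agent ("File Recovery") certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

$password = Read-Host -AsSecureString 'Password entered when cipher /r created the files'

# The .cer holds only the public certificate; the .pfx also holds the private key,
# which is what actually lets a recovery agent decrypt files.
$public  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$private = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $password, 'Exportable'

$problems = @()
if ($public.Thumbprint -ne $private.Thumbprint) {
    $problems += '.cer and .pfx describe different certificates; they are not a pair.'
}
if (-not $private.HasPrivateKey) {
    $problems += '.pfx carries no private key; it cannot act as a recovery agent.'
}
$ekus = $private.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains $FileRecoveryOid) {
    $problems += "Certificate lacks the File Recovery EKU ($FileRecoveryOid); EFS will not accept it as a recovery agent."
}
if ($private.NotAfter -lt (Get-Date)) {
    $problems += "Certificate expired on $($private.NotAfter)."
}

# After the Certificate Import Wizard has run, the certificate should sit in
# Certificates - Current User\Personal together with its private key.
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $public.Thumbprint }
if (-not $installed) {
    Write-Host 'Certificate not yet imported into Certificates - Current User\Personal.'
} elseif (-not $installed.HasPrivateKey) {
    $problems += 'Imported certificate has no private key; re-import the .pfx, not the .cer.'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Recovery certificate OK: $($public.Subject), thumbprint $($public.Thumbprint), valid until $($public.NotAfter)"
```

Run it once right after cipher /r and again after the import wizard; a clean result in both cases means the pair is sound and the key is in place before the files are moved to removable media.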
Next Time
That's enough for now. Next time it's safety first as we show you how to back up those all-important keys.
The series:
Guide: Windows XP Pro: Using File Encryption - part 1
Guide: Windows XP Pro: Using File Encryption - part 3
Guide: Windows XP Pro: Using File Encryption - part 4
Guide: Windows XP Pro: Using File Encryption - part 5