Windows XP Pro: Using File Encryption - part 4
In his penultimate look at EFS, Dave Cook shows you how to tighten security still further by removing the recovery agent's private key
With the Encrypting File System (EFS) up and running on your computer, and having followed our advice with regard to certificate safety, all that remains is to tie up one last security issue. Do you remember the recovery agent we created in part two? Well, now it's time to remove the agent's private key from the computer.
The reason for exporting the certificate is simple. By removing this key, you prevent someone else from accessing your encrypted files by logging on to the user account where the key is stored.
Safe Removal
To remove the recovery agent's private key, first log on to the account where you created the recovery agent.
- Then select [Start], [Run] and type certmgr.msc to launch the Certificates snap-in for the Microsoft Management Console.
- Go to Certificates - Current User and open Personal, Certificates.
- Right click the File Recovery certificate (as identified in the Intended Purposes column), and then select [All Tasks], [Export]. This launches the Certificate Export Wizard. Click [Next].
- Select Yes, Export The Private Key, and click [Next].
- Select Enable Strong Protection. Also select Delete The Private Key If The Export Is Successful. Click [Next].
- Enter a strong password (twice), and click [Next].
- Specify the path and filename for the exported file. Click [Next], and then click [Finish].
Note that the file should be copied to a floppy or other removable disk and stored in a secure location, just as you did with the other certificates. Finally, ensure the file is removed from the hard disk.
With the private key removed from the system, the recovery agent will no longer be able to view the encrypted files.
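The script below is an added example, not part of the original guide: it checks that the export really did delete the File Recovery private key and that the exported file is no longer on the hard disk. It assumes PowerShell is installed (it is not part of a default Windows XP setup), and the file path is a placeholder for whatever location you chose in the wizard.

```powershell
# Added example: verify the recovery agent's private key is gone after the export.
# Assumption: PowerShell is available on this machine.
param(
    # Placeholder path: the location you typed into the Certificate Export Wizard.
    [string]$ExportedPfxPath = 'C:\PLACEHOLDER\recovery-agent.pfx'
)

# Enhanced Key Usage OID for the "File Recovery" purpose (EFS recovery agent).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Returns $true when the certificate lists File Recovery among its intended purposes.
function Test-FileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

$problems = 0

# Open the same store the snap-in shows under Certificates - Current User, Personal.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        if (-not (Test-FileRecoveryCert $cert)) { continue }
        if ($cert.HasPrivateKey) {
            Write-Warning "Private key still present: $($cert.Subject) [$($cert.Thumbprint)]"
            $problems++
        } else {
            Write-Output "OK, no private key on this machine: $($cert.Subject)"
        }
    }
} finally { $store.Close() }

# The exported file holds the private key, so it must not stay on the hard disk.
if (Test-Path -LiteralPath $ExportedPfxPath) {
    Write-Warning "Exported file is still on the hard disk: $ExportedPfxPath"
    $problems++
}
if ($problems -eq 0) { Write-Output 'No recovery agent private key material found.' }
exit $problems
```

Run it while logged on to the account where the recovery agent was created; a non-zero exit code means a step above needs repeating.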
Safe Recovery
Assuming you followed our recommendations concerning all certificates, your encrypted files are now safe from prying eyes. Furthermore, you will be in a great position to recover the files should anything happen to them or to your user account - as long as you've backed up the files previously, of course.
To re-establish the recovery agent's right to access your encrypted files, you need to import the recovery agent's key back into the system. This is achieved using the same procedure as for importing a personal certificate - and we'll show you how to do that next time, in our final look at the Encrypting File System.
The series:
Guide: Windows XP Pro: Using File Encryption - part 1
Guide: Windows XP Pro: Using File Encryption - part 2
Guide: Windows XP Pro: Using File Encryption - part 3
Guide: Windows XP Pro: Using File Encryption - part 5


