EFS and File Recovery
Windows 2000 expert Bill Boswell discusses the Encrypting File System and how to manage file recovery.
The Encrypting File System (EFS) is an intriguing but intricate new feature in Windows 2000.
At this point, we've seen how to deploy EFS in a domain while making sure that the domain Administrator account, acting as the data recovery agent (DRA), is written into every encrypted file. This ensures that we can always get to the contents of a file even if the encrypting user is not available.
The word recovery is something of a misnomer in EFS. No special recovery utility is needed to open an encrypted file. When the file was encrypted, a copy of the file encryption key (FEK) that protects the data portion of the file was encrypted with the DRA's public file recovery key and stored in the file's header, alongside the copy encrypted for the user. With the matching private key at hand, all the DRA needs to do is double-click the file icon to open the file. A better term for a DRA would be a "secondary access account."
Recovering the file, though, is not as simple as walking up to the laptop or desktop where the file resides, logging on as Administrator, and opening the file. The DRA's private file recovery key must be present on the machine for the encrypted file to open, and that private key does not reside on the local machine. It resides in the Administrator profile on the first domain controller in the domain, unless you followed my recommendation to export the certificate and its private key to a PFX file and then remove the private key from that system.
An encrypted file cannot be copied to another computer by ordinary means (Explorer, copy, xcopy) by anyone other than a user who can decrypt it, because the copy is decrypted and re-encrypted in transit. Only a backup tool that reads the encrypted stream raw, such as the Windows 2000 Backup utility, can move the file intact without any key. (There are further restrictions on encrypting files on remote servers that I'll discuss in the next article.) So, to recover the file, you must either import the DRA private key at the computer where the file resides, or move the file to a computer where you have already imported the DRA private key.
I highly recommend that you not import the DRA private key on the user's local machine. This greatly increases the likelihood that you will forget to remove the key, and that some ne'er-do-well will later pull the hard drive and retrieve a copy of it. You should designate a specific computer (a Windows 2000 server or desktop) to use for encrypted file recovery, and keep tight physical security on this recovery computer.
Also, remove the DRA private key from the recovery computer as soon as you finish recovering a file. This minimizes the possibility that someone who knows the Administrator password will log onto the machine and use the DRA private key to access files.
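The recovery session described above, as an added example that is not from the original article: a PowerShell function for a dedicated recovery computer running a current Windows (PowerShell 3.0 or later with the PKI module; Windows 2000 had no PowerShell, and there the same steps are done through the Certificates MMC snap-in and cipher.exe). It imports the exported DRA certificate and private key, checks that the certificate really is an EFS File Recovery certificate, decrypts the files in place with the same call Explorer uses (recovery is just decryption once the key is present), and removes the private key again in a finally block so it is never left behind. The parameter names, the PFX path and the file paths in the usage line are placeholders chosen for this example.

```powershell
# Added example, not the article's own procedure. Assumes PowerShell 3.0+ with
# the PKI module (Windows 8 / Server 2012 or later). All paths are placeholders.

function Invoke-EfsRecovery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $DraPfxPath,  # DRA cert + private key, exported earlier as PFX
        [Parameter(Mandatory)] [string[]] $Path         # encrypted files copied to this recovery computer
    )

    # EKU OID that marks an EFS *File Recovery* certificate, as opposed to an
    # ordinary EFS user certificate (1.3.6.1.4.1.311.10.3.4).
    $fileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'
    $encrypted = [System.IO.FileAttributes]::Encrypted

    # Only touch files that actually carry the NTFS Encrypted attribute.
    $targets = foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        if ($item.Attributes -band $encrypted) { $item }
        else { Write-Warning "$p is not EFS-encrypted; skipping" }
    }
    if (-not $targets) { return }

    # Import the DRA private key into the current user's store. Without
    # -Exportable the key is marked non-exportable, so it cannot simply be
    # re-exported from this machine later.
    $pfxPassword = Read-Host -Prompt 'DRA PFX password' -AsSecureString
    $cert = Import-PfxCertificate -FilePath $DraPfxPath `
                                  -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $pfxPassword
    try {
        if (-not $cert.HasPrivateKey) {
            throw 'PFX did not carry a private key; nothing can be recovered with it.'
        }

        # Read the EKU extension straight from the .NET object and refuse
        # anything that is not a File Recovery certificate.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekus -notcontains $fileRecoveryEku) {
            throw "Certificate $($cert.Thumbprint) is not an EFS File Recovery certificate."
        }

        # "Recovery" is plain decryption: with the DRA private key in the
        # user's store, EFS unwraps the FEK from the file's recovery field.
        foreach ($file in $targets) {
            [System.IO.File]::Decrypt($file.FullName)
            $after = (Get-Item -LiteralPath $file.FullName).Attributes
            [pscustomobject]@{
                File      = $file.FullName
                Decrypted = -not ($after -band $encrypted)
            }
        }
    }
    finally {
        # Remove the certificate AND its private key, even if decryption threw,
        # so the DRA key is never left behind on the recovery computer.
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    }
}

# Usage (placeholder paths):
# Invoke-EfsRecovery -DraPfxPath 'D:\dra\dra-recovery.pfx' -Path 'C:\recovery\report.xls'
```

Run this only on the designated recovery computer, logged on as the account that will hold the DRA key for the duration of the session; the decrypted files can then be handed back to the user, who re-encrypts them under their own key.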