It is important to keep the location of public and private keys in mind when working with user profiles. Figure 2 shows an example user profile with the location of the crypto keys used for EFS highlighted.
Key locations in user profiles
The user's private key, the one that decrypts the file encryption key (FEK) and so unlocks the encrypted files, is stored in the user's profile. Keep this private key in mind whenever you work with user profiles. If you delete the profile, the key is gone. Without the key, the user cannot open any of her encrypted files, and unless a data recovery agent (DRA) holds a usable recovery key, neither can anyone else.
The private and public keys are stored in the part of the profile (the Application Data tree) that roams with a roaming user. This is a good thing, because you don't want different keys used on different machines. However, you also don't want to leave a trail of private keys on every machine the user has logged on to, regardless of how well protected they are. If you use roaming profiles, put a Group Policy in place ("Delete cached copies of roaming profiles") so that the locally cached copy of the profile is deleted at logoff.
The DRA's private key is stored in the DRA's local profile on the first server where the DRA logged on to the domain. For the Administrator account in a domain, this is the first domain controller in the domain, where the default recovery certificate was generated.
Even if the Administrator account is used to log on to other computers, the Administrator's private key resides only on that first domain controller. Don't delete this profile unless you have exported the key and saved it in a safe place. I'll cover key exports in later articles.
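As an added example (not code from the original article), the Windows PowerShell script below ties the points above together: it finds the EFS and DRA certificates in the current user's personal store, shows where the matching private-key container file sits inside the profile and whether that location is in the roaming part of it, checks whether the "Delete cached copies of roaming profiles" policy is in force, and exports the certificate and private key to a PFX before a profile is deleted. It assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later (Cert: drive and PKI module available), RSA keys held by a CAPI provider, and that it runs as the user whose profile is at issue (the end user or the DRA). The function names and the output path are my own choices.

```powershell
# Added example: locate, verify and back up EFS key material before touching a profile.
# Assumptions: Windows PowerShell 5.1, Windows 8 / Server 2012 or later (Cert: drive and
# PKI module present), CAPI RSA key containers. Run as the user (or DRA) in question.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (data recovery agent)

function Get-EfsEku {
    # Return the EKU OIDs of a certificate, or nothing if it has no EKU extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Get-EfsCertificate {
    # EFS user certificates and DRA certificates carry one of the two EKUs above.
    # The personal store (Cert:\CurrentUser\My) is itself part of the roaming profile.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $oids = Get-EfsEku $_
        ($oids -contains $EfsEku) -or ($oids -contains $RecoveryEku)
    }
}

function Get-EfsKeyLocation {
    # Report where the private key for an EFS/DRA certificate lives on disk.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $keyFile = $null
    if ($Cert.HasPrivateKey) {
        try {
            # CAPI keeps per-user key containers under AppData\Roaming\Microsoft\Crypto\RSA\<SID>,
            # which is why the key follows a roaming user from machine to machine.
            $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $candidate = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid\$container"
            if (Test-Path -LiteralPath $candidate) { $keyFile = $candidate }
        } catch {
            Write-Warning "Cannot open the private key of $($Cert.Thumbprint) as a CAPI key: $_"
        }
    }
    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        Role             = if ((Get-EfsEku $Cert) -contains $RecoveryEku) { 'DRA' } else { 'User' }
        HasPrivateKey    = $Cert.HasPrivateKey
        KeyFile          = $keyFile
        # Anything under $env:APPDATA (AppData\Roaming) travels with a roaming profile.
        RoamsWithProfile = [bool]($keyFile -and
            $keyFile.StartsWith($env:APPDATA, [System.StringComparison]::OrdinalIgnoreCase))
    }
}

function Test-DeleteRoamingCachePolicy {
    # "Delete cached copies of roaming profiles" (Computer Configuration > Administrative
    # Templates > System > User Profiles) writes DeleteRoamingCache = 1 under this key.
    $v = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
            -Name DeleteRoamingCache -ErrorAction SilentlyContinue
    [bool]($v -and $v.DeleteRoamingCache -eq 1)
}

function Backup-EfsKey {
    # Export certificate + private key to a PFX. Do this before deleting a profile
    # (or before policy purges a cached roaming copy); move the file off the machine.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $Password | Out-Null
    Get-Item -LiteralPath $Path
}

# Inventory first, then back up everything that has a private key before the profile goes.
$report = Get-EfsCertificate | ForEach-Object { Get-EfsKeyLocation -Cert $_ }
$report | Format-Table Role, HasPrivateKey, RoamsWithProfile, KeyFile -AutoSize

if (-not (Test-DeleteRoamingCachePolicy)) {
    Write-Warning 'Cached roaming profiles are not purged at logoff: a roaming user leaves a copy of the private key on every machine she logs on to.'
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($c in (Get-EfsCertificate | Where-Object HasPrivateKey)) {
    Backup-EfsKey -Cert $c -Path "$env:USERPROFILE\Desktop\efs-$($c.Thumbprint).pfx" -Password $pfxPassword
}
```

Run it as the DRA on the first domain controller and the report shows the recovery certificate (Role DRA) with its key file inside that local profile, which is exactly the file lost if the profile is removed without a prior export; run it as an ordinary user and it shows the user certificate and whether its key container sits in the roaming tree.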