Data Recovery and Private Encryption Keys in EFS
Windows 2000 expert Bill Boswell talks about data recovery in EFS, especially how to handle private encryption keys used to recover encrypted files.
In this article, I'll spend a little more time talking about data recovery and how to handle the all-important private encryption keys used to recover encrypted files.
Data Recovery Policies
EFS on a local desktop or laptop must have a copy of the file recovery (FR) key assigned to the data recovery agent (DRA) before it can encrypt files. Member computers in a domain get the FR key through a Group Policy downloaded from a domain controller.
The default Domain Group Policy object has an Encrypted Data Recovery Agent (EDRA) policy, which holds a copy of the file recovery certificate for the DRA. Figure 1 shows what the policy looks like in the Group Policy Editor.
Figure 1. Domain Security Policy showing Encrypted Data Recovery Agents policy
The EDRA policy must hold at least one certificate. If the policy is empty, EFS on the local machines will refuse to encrypt a file. This prevents a file from being encrypted when there is no data recovery agent key to incorporate into it.
So, if you want to disable EFS, you can export the Administrator File Recovery certificate to a transportable format and then remove the certificate from the EDRA policy. You can export right from the Group Policy Editor by right-clicking the certificate icon and selecting Export to launch the Certificate Export wizard.
NOTE
Be sure to delete just the certificate, not the entire policy. If no policy exists at all (as opposed to an empty policy), member computers are free to use their local DRAs. Users see no difference between the two cases, so you won't know that you have a problem until you try, unsuccessfully, to recover a file using the domain DRA account.