Preparing for EFS...


Neil

Hi All,

As I regularly back up my data to a removable drive, I would like to encrypt
that data to protect it.....

Whilst I read that obviously the first step to encryption is to establish a
recovery agent, I would like to know if there are any circumstances under
which only having backed up the certificate and private key would leave me
vulnerable....

What advantages does creating a recovery agent have over backing up the user
certificate and private key for a single encrypt environment ??

Thanks,

Neil
 
Hi Neil,

Thanks for your posting here.

In fact, it is enough if you back up the recovery certificate and the
private key files to a safe location. In case that the key pair is lost or
damaged and you have not designated a recovery agent then there is no way
to recover the data. There is no workaround to this.

Since there is no way to get back data that has been encrypted with a
corrupt or missing certificate, it is critical that backups of the key
pair/certificate are made and then stored in a secure location. In
addition, a recovery agent can be specified. This agent has the ability to
restore the data. The recovery agent's certificate serves a different
purpose than the user's certificate.

To create an EFS recovery agent, please refer to the following document.

887414 How to add an EFS recovery agent in Windows XP Professional
http://support.microsoft.com/?id=887414

Wish it helps.

Regards,
Bob Qin
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: "Neil" <[email protected]>
Newsgroups: microsoft.public.windowsxp.security_admin
Subject: Preparing for EFS...
Date: Tue, 2 Nov 2004 17:59:37 +1100

Hi All,

As I regularly back up my data to a removable drive, I would like to encrypt
that data to protect it.....

Whilst I read that obviously the first step to encryption is to establish a
recovery agent, I would like to know if there are any circumstances under
which only having backed up the certificate and private key would leave me
vulnerable....

What advantages does creating a recovery agent have over backing up the user
certificate and private key for a single encrypt environment ??

Thanks,

Neil
 
Neil,

It should be enough just to back up the EFS certificate/key that was used to
encrypt your files. Configuring a recovery agent and then backing up that
cert/key adds another layer of complexity that you really don't need for a
standalone machine. If you have SP2 installed on your WXP machine, you can
run "cipher /x" at a command line to do the backup. Cipher will create a PFX
file which contains your cert and key. Copy this file to a floppy disk and
store it in a safe location. If you ever have a problem accessing your
encrypted files, insert the floppy into the machine and run the PFX file to
import (restore) your cert/key.

Thanks.
Pat
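
A check to run on the PFX produced by the "cipher /x" backup described above, added here as an example and not part of the original thread: it confirms the file opens with the chosen password, contains the private key, and carries the Encrypting File System key usage. The file path and the function name Test-EfsBackup are assumptions made for illustration.

```powershell
# Added example (not from the thread): confirm a "cipher /x" backup is usable
# before relying on it. The default path below is a placeholder.
param([string]$PfxPath = "$env:USERPROFILE\efs-backup.pfx")

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Test-EfsBackup {            # hypothetical helper name
    param([string]$Path, [System.Security.SecureString]$Password)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Backup file not found: $Path" }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Open the PFX for inspection without installing it into a certificate
    # store. A wrong password or a damaged file throws here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $full, $Password

    # Collect the enhanced key usage OIDs carried by the certificate.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    $result = New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        # Without the private key the file cannot decrypt anything.
        HasPrivateKey = $cert.HasPrivateKey
        HasEfsEku     = ($ekus -contains $EfsOid)
        # True when the same certificate is in the current user's store.
        # Expected to be False on a fresh machine before the PFX is imported.
        InUserStore   = (Test-Path -LiteralPath "Cert:\CurrentUser\My\$($cert.Thumbprint)")
    }
    $cert.Reset()                    # release the loaded key material
    return $result
}

$pw = Read-Host -AsSecureString 'Password chosen during cipher /x'
$r  = Test-EfsBackup -Path $PfxPath -Password $pw
$r | Format-List

if (-not $r.HasPrivateKey) {
    Write-Warning 'The PFX has no private key and cannot restore access to encrypted files.'
}
if (-not $r.HasEfsEku) {
    Write-Warning 'The certificate does not list the EFS key usage; check that the right certificate was exported.'
}
```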
 