Re: EFS precautions

From: Torgeir Bakken (Torgeir.Bakken-spam@hydro.com)
Date: 09/09/02


From: Torgeir Bakken <Torgeir.Bakken-spam@hydro.com>
Date: Mon, 09 Sep 2002 17:44:01 +0200


"Patrick M. Wanner" wrote:

> I'm using Windows XP Pro and have just protected my home directories with
> EFS. I am a bit concerned about the recovery policy, however.
>
> I was wondering if anyone could tell me which precautions are necessary for
> the disaster scenario of an XP crash? I've found tutorials here and there,
> but no real overview.
>
> What I've done at the moment is to export my personal certificate and my
> Data Recovery Agent certificate to a floppy (well I think that it's the DRA
> certificate, I remember creating a DRA in the MMC Policy Configurator). The
> thing is, a lot of tutorials say I should create a policy, that there should
> be an Encrypted Data Recovery Agents branch in the MMC tree, but I have no
> such entry.
>
> I would appreciate any help and tips to ensure that I will be able to
> recover my data should my system crash.

Hi

Did you create the DRA after you had already encrypted files? In that case, I
think you need to update all those files that are unchanged with this DRA.

I advise against using EFS if you are outside a domain, that is workgroup or
standalone computers. But if you must, in this link:
http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery/default.asp

it is described how to create a data recovery agent (DRA), and it also gives
information/links on how to export keys, e.g.

"Data Recovery on Standalone Machines"
"Importing and Exporting Data Recovery Agent Keys"

and at "Knowledge Base Articles on EFS" you will find e.g.

Q241201 How to Back Up Your Encrypting File System Private Key
Q259732 EFS Recovery Agent Cannot Export Private Keys
Q255742 Methods for Recovering Encrypted Data Files

Reading Q255742 will give you this as well:

Q241201 HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000
Q242296 How to Restore an EFS Private Key for Encrypted Data Recovery

If your computer is not a member of an AD domain, this is obligatory reading:

"Using EFS with Standalone Machines or NT 4.0 Domains"

--
torgeir

