Re: recovery agent keys/certs

From: jerry (anonymous_at_discussions.microsoft.com)
Date: 01/16/04


Date: Thu, 15 Jan 2004 17:57:40 -0800

mgm,

    I hope your goal to create a Recovery Agent is to
ensure recovery of future encrypted data & not past
encrypted data otherwise you may be in trouble-- just
thought i'd add that in as well, as you may have read "EFS
is very good at what it does & there are NO backdoors -
else it would be pointless"--

BTW -- good points there drew-- i will be applying them to
my EFS practice..

Jerry.
>-----Original Message-----
>Great overview! I'd like to add a couple of points:
>- If you want to be especially secure you can run "cipher /w" after you
>delete the .pfx file and empty the recycle bin. (Otherwise a raw read of
>the volume could find the .pfx.)
>- After the new recovery agent is in place in group policy have every user
>with encrypted files run "cipher /u". The recovery agent of any given file
>is updated when the file is opened. "cipher /u" tries to touch all the
>files on the machine, updating any that the user can open.
>--
>Drew Cooper [MSFT]
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>"Jerry." <anonymous@discussions.microsoft.com> wrote in message
>news:040801c3daff$85e970d0$a501280a@phx.gbl...
>> Hi,
>>
>> Here is a link that should help you out-
>> http://www.pcstats.com/articleview.cfm?articleid=1508&page=6
>>
>> In short,
>>
>> Creating a recovery agent:
>>
>> Decide which user you wish to use as a data-recovery
>> agent. It is recommended that you use the built
>> in 'administrator' account. Login as this account.
>>
>> Go to 'start\run' and type 'cmd' to bring up the command
>> prompt.
>>
>> Type 'cipher /r:(pick a filename)' to create a digital
>> certificate for a recovery agent. You will be prompted to
>> set a password. This creates two files in the 'my
>> documents' folder of the current user. Be aware that these
>> files can be used by anyone to become a data-recovery
>> agent, so it is wise to remove them after we are finished
>> this procedure.
>>
>> And by remove them I mean delete the files and empty out
>> the "recycle bin." This effectively clears the files from
>> the computer, or you can manage the same result by holding
>> down the 'shift key' as you delete the selected files.
>>
>> Go to 'start\run' and type certmgr.msc.
>>
>> On the 'file to import' page, click 'browse' then change
>> the 'files of type' dropdown box to .pfx files
>>
>> Select the filename you created with the 'cipher /r:'
>> command. Type the password.
>>
>> Check the 'mark this key as exportable' box.
>>
>> Click 'next.'
>>
>> Choose the 'Automatically Select The Certificate Store
>> Based On The Type Of Certificate' option.
>>
>> Click 'next,' then 'finish.'
>>
>> Close the certificates console.
>>
>> Go to 'start\run' and type 'secpol.msc' to open the local
>> security policies.
>>
>> Navigate to 'Security Settings\Public Key
>> Policies\Encrypting File System,' and
>> Choose 'Action\Add Data Recovery Agent.' Click 'Next.'
>>
>> Click 'browse folders.' Open the filename you created
>> earlier with the 'cipher' command. Click 'next' then
>> 'finish.' The current user is now a data-recovery agent and
>> can decrypt any EFS encrypted files on the system
>>
>> -- Still check out the link as it provides you with screen
>> shots ok, - i had troubles getting EFS to work when i
>> first started with it ..but believe me once u get it
>> working..its awesome..
>>
>> best of luck
>>
>> anonymous
>> >-----Original Message-----
>> >I've attempted to set up a recovery agent. The XP help
>> >files talks about the mmc and exporting/importing these
>> >certificates/keys, but I can't find any reference to
>> >actually creating or obtaining the keys/certificates. I'm
>> >the local computer admin and I need to recover an encrypted
>> >file... Please tell me how to create the needed certs and
>> >keys.
>> >Thanks...
>> >mgm
>> >
>
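The procedure the thread walks through (cipher /r, import the .pfx with the key exportable, delete and wipe, then cipher /u once the agent is in policy), collected into one script as an added example; this is not code from any poster. It assumes a modern Windows host with the PKI module's Import-PfxCertificate cmdlet, a constructed base filename, and that adding the DRA under secpol.msc is still done by hand as the thread describes.

```powershell
# Added example, not from the thread. Runs as the account that will become
# the recovery agent. The policy assignment (secpol.msc -> Security Settings ->
# Public Key Policies -> Encrypting File System -> Add Data Recovery Agent)
# has no command-line equivalent here and is left as a manual step.
param(
    [string]$Name   = 'EFS-DRA',   # constructed base filename for cipher /r
    [string]$Volume = 'C:'         # volume whose free space is wiped afterwards
)
$workDir = Join-Path $env:TEMP "dra-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $workDir | Out-Null
$base = Join-Path $workDir $Name

# 1. cipher /r writes <base>.cer (public cert for the policy wizard) and
#    <base>.pfx (private key). It prompts interactively for the PFX password.
cipher "/r:$base"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed" }

# 2. Import the private key into the user's Personal store, marked exportable
#    (the thread's 'mark this key as exportable' checkbox).
$pw   = Read-Host -AsSecureString -Prompt 'PFX password chosen above'
$cert = Import-PfxCertificate -FilePath "$base.pfx" `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pw -Exportable
"Imported DRA certificate, thumbprint $($cert.Thumbprint)"

# 3. Keep only the .cer for the policy wizard. The .pfx is the sensitive file:
#    whoever holds it can become a recovery agent, so it is not copied.
Copy-Item "$base.cer" (Join-Path $HOME "$Name.cer")

# 4. Delete the working files bypassing the Recycle Bin, then overwrite free
#    space so a raw read of the volume cannot recover the deleted .pfx
#    (Drew's 'cipher /w' point; this can take a long time on a large volume).
Remove-Item -Recurse -Force $workDir
cipher "/w:$Volume\"

# 5. Remaining manual steps, printed as a reminder:
@"
Next: add $HOME\$Name.cer as a Data Recovery Agent in secpol.msc.
Then have every user with encrypted files run:  cipher /u
Check any file with:  cipher /c <file>   (lists users and recovery agents)
"@
```

cipher /u only re-stamps files the running user can open, so each user with encrypted data has to run it under their own account.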
