WINDOWS 2000 PROFESSIONAL
ADD RECOVERY AGENTS FOR EFS
Windows' Encrypting File System (EFS) provides on-the-fly encryption
and decryption of files on an NTFS volume, and it can help protect
sensitive data on vulnerable systems such as notebooks.
EFS uses the user's encryption certificate to encrypt and decrypt
the data. The encryption/decryption process is transparent to the
user because EFS uses the user's existing certificate for the encryption.
If the user's certificate is lost or corrupted, designated encrypted
data recovery agents can use their certificates to decrypt the data.
By default, the local Administrator account works as a recovery agent.
In some cases, however, it can be useful to specify other recovery
agents. You can do so for domain members through group policy, and
you can use local policy for stand-alone workstations.
To add recovery agents via local policy, follow these steps:
1. Export the target user's certificate to a .cer file using the Certificates
MMC snap-in or Internet Explorer (go to Tools | Internet Options,
select the Content tab, and click the Certificates button).
2. Go to Control Panel, open the Administrative Tools folder, and
double-click Local Security Policy.
3. Expand the Public Key Policies branch, and select Encrypted Data Recovery Policy.
4. Right-click Encrypted Data Recovery Policy, and choose Add.
5. Click Browse Folders, select the .cer file, and click Open.
6. Click Next, and click Finish.
This process is similar for domain members, but you must edit the
group policy object at the domain or OU level.
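The export in step 1 can also be done, and sanity-checked, from a script. The following is an added example and not part of the original article; it is written for a current PowerShell host rather than Windows 2000 itself (where the Certificates snap-in or Internet Explorer remain the way to do it), and the thumbprint parameter and output path are assumptions. It verifies that the chosen certificate carries the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) that the Add Recovery Agent wizard expects, that it has not expired, and then writes a DER-encoded .cer containing only the public certificate, which is what the policy needs:

```powershell
# Added example (not from the original article): select an EFS recovery agent
# certificate from the current user's store, check it, and export it to a
# DER-encoded .cer (public key only) for the Encrypted Data Recovery Policy wizard.
# The thumbprint and the output path are assumptions supplied by the caller.

param(
    # Thumbprint of the certificate to export; list candidates with
    # Get-ChildItem Cert:\CurrentUser\My
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$OutFile = "$env:USERPROFILE\efs-recovery-agent.cer"   # assumed location
)

# OID Microsoft assigns to the "File Recovery" enhanced key usage.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

# Inspect the Enhanced Key Usage extension (OID 2.5.29.37) by OID rather than
# by friendly name, which varies with locale.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasFileRecovery = $false
if ($eku) {
    $ekuExt = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
    $hasFileRecovery = ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $FileRecoveryOid
}
if (-not $hasFileRecovery) {
    throw "Certificate $Thumbprint lacks the File Recovery EKU ($FileRecoveryOid); it is not usable as a recovery agent."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $Thumbprint expired on $($cert.NotAfter); recovery with it would fail."
}
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key for $Thumbprint in this store: the agent can be added to the policy, but recovery needs the private key held elsewhere."
}

# Export only the public certificate (DER). The private key stays in the store;
# back it up separately as a password-protected .pfx and keep it off the machine.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($OutFile, $der)

# Record the file hash so the archived copy can be verified later.
$hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
"Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $OutFile, SHA256 $hash"
```

Keep the printed SHA256 with the archived copy of the .cer: when the file is later pulled from its safe location to re-add the agent, comparing the hash confirms the archive was not altered or corrupted. The .cer alone cannot decrypt anything; the agent's private key is what recovery depends on, so it deserves the same physically secure, failure-resistant storage.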
It's a good idea to place all of the recovery agents' .cer files in
a safe location in case you need them again. Choose a location that's
both physically secure and safe from drive or other hardware failures.