Windows' Encrypting File System (EFS) provides on-the-fly encryption and decryption of files on an NTFS volume, and it can help protect sensitive data on vulnerable systems such as notebooks.

EFS uses the user's encryption certificate to encrypt and decrypt the data. Because it relies on a certificate the user already holds, the encryption and decryption process is transparent to the user.

If the user's certificate is lost or corrupted, designated encrypted data recovery agents can use their certificates to decrypt the data. By default, the local Administrator account works as a recovery agent.

In some cases, however, it can be useful to specify other recovery agents. You can do so for domain members through group policy, and you can use local policy for stand-alone workstations.

To add recovery agents via local policy, follow these steps:

1. Export the certificate of the user you want to designate as a recovery agent to a .cer file using the Certificates MMC snap-in or Internet Explorer (go to Tools | Internet Options, select the Content tab, and click the Certificates button).

2. Go to Control Panel, open the Administrative Tools folder, and double-click Local Security Policy.

3. Expand the Public Key Policies branch, and select Encrypted Data Recovery Policy.

4. Right-click Encrypted Data Recovery Policy, and choose Add.

5. Click Browse Folders, select the .cer file, and click Open.

6. Click Next, and click Finish.
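Step 1 can also be scripted. The PowerShell below is an added example, not part of the original tip: it picks out certificates in the current user's store that carry the File Recovery enhanced key usage (the purpose a recovery agent certificate must have, as opposed to an ordinary EFS user certificate) and exports each to a .cer file ready for the Add Recovery Agent wizard. It assumes the PKI module's `Export-Certificate` cmdlet is available and uses `C:\EFS-RA` as a placeholder output folder.

```powershell
# Added example (not from the original tip): export recovery agent
# certificates from the current user's store to .cer files for step 1.
# Assumes Export-Certificate (PKI module) is available; C:\EFS-RA is a
# placeholder path, change it to your own secure location.

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage OID
$outDir = 'C:\EFS-RA'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Keep only certificates whose EKU list includes File Recovery. A plain EFS
# user certificate (EKU 1.3.6.1.4.1.311.10.3.4) is not a recovery agent cert.
$raCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryEku }

if (-not $raCerts) {
    throw "No certificate with the File Recovery EKU was found in Cert:\CurrentUser\My"
}

foreach ($cert in $raCerts) {
    # A .cer file carries only the public certificate; the private key needed to
    # actually recover files stays in the store (or in a separately exported .pfx).
    $path = Join-Path $outDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $path -Type CERT | Out-Null
    Write-Output ("Exported {0} ({1}) -> {2}" -f $cert.Subject, $cert.Thumbprint, $path)
}
```

Files encrypted before the policy change only pick up the new agent when they are next re-encrypted, so run `cipher /u` to update existing files, and `cipher /c <file>` to confirm which recovery agents a given file now lists.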

This process is similar for domain members, but you must edit the group policy object at the domain or OU level.

It's a good idea to place all of the recovery agents' .cer files in a safe location in case you need them again. Choose a location that's both physically secure and safe from drive or other hardware failures.