WINDOWS 2000 PROFESSIONAL
BACK UP THE RECOVERY AGENT KEY
The Encrypting File System (EFS) enables users to securely
encrypt files--a nearly effortless process because Windows
2000 automatically creates the keys needed to encrypt and
decrypt the data. But if the user somehow deletes his or her
EFS private key, the encrypted data could be inaccessible.
However, Windows 2000 also creates a recovery agent key that
can decrypt the data.
2000 encrypts files with the recovery agent's public EFS key,
as well as the user's EFS key. This means you can use the
recovery agent's key to decrypt the files if the user's key
default, the local administrator account is the default recovery
agent for computers in a workgroup. The domain administrator
is the default recovery agent for computers in a domain.
protect against inaccessible data if there's a problem with
the user keys, you should back up the recovery agent key on
any systems that use EFS. To export the key on a workgroup
computer, follow these steps:
Log on to the local computer using the local administrator
account, and run Secpol.msc.
Expand the Public Key Policies | Encrypted Data Recovery Agents
In the right pane, right-click the certificate, and choose
All Tasks | Export.
Choose Next when the wizard starts.
5. Choose Yes (Export The Private Key), and click Next.
6. Follow the remainder of the wizard using the default values,
and specify a file to contain the key.
When the wizard finishes, copy the newly created file to a
safe network share, or copy it to a disk and secure the disk
in a safe location.
the wizard, if you choose the option to remove the private
key from the computer after the export is complete, you must
restart the workstation or domain controller for the removal
to be complete.
you need to back up the recovery agent key for a domain, run
Dompol.msc on the first domain controller in the domain. Use
the same procedure as above to export the key to a file.