The Encrypting File System (EFS) enables users to securely encrypt files--a nearly effortless process because Windows 2000 automatically creates the keys needed to encrypt and decrypt the data. But if the user somehow deletes his or her EFS private key, the encrypted data could be inaccessible. However, Windows 2000 also creates a recovery agent key that can decrypt the data.

Windows 2000 encrypts files with the recovery agent's public EFS key, as well as the user's EFS key. This means you can use the recovery agent's key to decrypt the files if the user's key is lost.

By default, the local administrator account is the default recovery agent for computers in a workgroup. The domain administrator is the default recovery agent for computers in a domain.

To protect against inaccessible data if there's a problem with the user keys, you should back up the recovery agent key on any systems that use EFS. To export the key on a workgroup computer, follow these steps:

1. Log on to the local computer using the local administrator account, and run Secpol.msc.

2. Expand the Public Key Policies | Encrypted Data Recovery Agents branch.

3. In the right pane, right-click the certificate, and choose All Tasks | Export.

4. Choose Next when the wizard starts.

5. Choose Yes (Export The Private Key), and click Next.

6. Follow the remainder of the wizard using the default values, and specify a file to contain the key.

7. When the wizard finishes, copy the newly created file to a safe network share, or copy it to a disk and secure the disk in a safe location.

In the wizard, if you choose the option to remove the private key from the computer after the export is complete, you must restart the workstation or domain controller for the removal to be complete.

If you need to back up the recovery agent key for a domain, run Dompol.msc on the first domain controller in the domain. Use the same procedure as above to export the key to a file.