Friday, October 07, 2005

Backing up the Recovery Agent Key

This tip is for Windows XP Professional only.

The Encrypting File System (EFS) is part of Windows XP Professional (it is not included in XP Home) and lets users encrypt and decrypt their data files transparently. Windows generates the keys EFS needs automatically. When an application opens an encrypted file, Windows decrypts it with those keys, and when the file is saved it is re-encrypted; the user never handles the keys directly.

To keep these keys from being stolen, they are themselves encrypted and stored with the user's account (in the user's profile, protected by the account's credentials). The problem is that if the user account is deleted, or its profile is lost, the keys go with it, and the user's encrypted files can no longer be opened.

For that case Windows provides a recovery agent: a second key that can decrypt the data if the user's key is lost. EFS encrypts each file with a per-file symmetric key, and that key is stored with the file encrypted under both the user's public EFS key and the recovery agent's public EFS key. Either private key therefore unlocks the file, which is what lets the recovery agent decrypt the files when the user's key is gone.

On Windows 2000 the local Administrator account is the default recovery agent on a workgroup computer, and the domain Administrator account (on the first domain controller) is the default recovery agent for domain members. A stand-alone Windows XP Professional computer has no default recovery agent at all: one has to be created with the cipher.exe /r switch and added under Public Key Policies before any file is protected by it. Domain-joined XP computers receive the domain's recovery agent through policy.

Because the recovery agent's private key is the last resort for opening encrypted files, it should be backed up, and the backup kept secure, on every system that uses EFS. To export the recovery agent's certificate and private key from a computer that is part of a workgroup:
  • On the local computer, log on using the local administrator account (or whichever account created the recovery agent).
  • From the Run... command, type "SECPOL.MSC".
  • Expand 'Public Key Policies' and then the 'Encrypting File System' branch (called 'Encrypted Data Recovery Agents' on Windows 2000).
  • In the right pane, right-click the recovery agent's certificate and select 'All Tasks' > 'Export...'.
  • Choose Next when the wizard starts.
  • Choose 'Yes, export the private key' and press Next. If that option is greyed out, the private key is not in this account's store; log on as the account that created the recovery agent and start again.
  • Follow the remainder of the wizard using the default values, set a strong password on the exported file, and specify a file name for it.
  • When the wizard finishes, move the new .pfx file to a safe location, such as a disk locked away offline or a tightly restricted network share. Whoever holds this file and its password can decrypt every EFS file on the system, so treat it accordingly.
If you chose the option to delete the private key from the computer after the export, you must restart the workstation or domain controller for the removal to take effect.

To back up the recovery agent key for a domain, log on to the first domain controller in the domain as the domain Administrator (the default agent's private key lives in that account's profile on that controller) and run DOMPOL.MSC. Then use the same procedure as above to export the key to a file.
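The same export and the check a practitioner would want afterwards, as an added PowerShell example that is not part of the original post. It finds the certificate in the logged-on account's Personal store whose enhanced key usage is EFS "File Recovery", exports it with its private key to a password-protected PFX, and reads the file back to confirm the key really is inside. It assumes Windows 8 / Server 2012 or later, where Export-PfxCertificate exists (the XP-era systems in the post need the MMC wizard above), and the backup path is an arbitrary choice.

```powershell
# Added example, not part of the original post. Locates the EFS recovery agent
# certificate in the logged-on user's Personal store, exports it with its private
# key to a password-protected PFX, and verifies the backup can be read back.
# Assumes Windows 8 / Server 2012 or later (Export-PfxCertificate ships in the PKI
# module). Run it while logged on as the recovery agent account.

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'          # EKU "File Recovery", carried by EFS recovery agent certs
$BackupPath      = 'C:\EfsBackup\recovery-agent.pfx'   # assumed destination; change to suit

function Test-FileRecoveryEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryEku) { return $true }
            }
        }
    }
    return $false
}

function Get-EfsRecoveryAgentCertificate {
    # Only a certificate whose private key is present here can be backed up from this account.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and (Test-FileRecoveryEku -Certificate $_) }
}

function Backup-EfsRecoveryAgentKey {
    param(
        [string]$Path,
        [System.Security.SecureString]$Password
    )
    $candidates = @(Get-EfsRecoveryAgentCertificate)
    if ($candidates.Count -eq 0) {
        throw "No recovery agent certificate with a private key in this account's store. " +
              "On a stand-alone machine create one with 'cipher /r:<name>' and add it under " +
              "Public Key Policies > Encrypting File System, or log on as the agent account."
    }
    # Several agents present: back up the newest; rerun for the others if you need them all.
    $cert = $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1

    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -Force | Out-Null

    # Verify: the file must load with the password, contain the private key, and be the same certificate.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    try {
        $check.Import($Path, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        if (-not $check.HasPrivateKey)              { throw "PFX at $Path has no private key" }
        if ($check.Thumbprint -ne $cert.Thumbprint) { throw "PFX at $Path does not match the store certificate" }
    }
    finally {
        $check.Reset()
    }
    return $cert.Thumbprint
}

$pfxPassword = Read-Host -Prompt 'Password for the exported PFX' -AsSecureString
$thumbprint  = Backup-EfsRecoveryAgentKey -Path $BackupPath -Password $pfxPassword
Write-Host "Recovery agent key $thumbprint backed up to $BackupPath. Move this file offline; it decrypts every EFS file on the machine."
```

Export-PfxCertificate fails if the recovery agent's key was imported as non-exportable, which is the same condition that greys out "Yes, export the private key" in the wizard; in that case the only copy of the key is the one already in the account's profile, and the .pfx that cipher /r wrote when the agent was created is the backup to keep. On a domain controller run the script as the domain Administrator, since that is the profile holding the default agent's key.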
