WinXP Pro Recovery Agent Backup

  • Thread starter: jimshu1

jimshu1

I have made my Administrator account my Recovery Agent for each one of my
systems. The Recovery Agent key was exported and deleted from the
Administrator account. I also have backed up the Administrator key and each
of the Account keys.

My question is: Why do I need both a .pfx and a .cer file when I backed up
and removed the Recovery Agent, and only the .pfx file when backing up the
User Account keys?

Thanks for any replies!
 
The .pfx file is for data recovery (double click to install) and the .cer
file is for use in the policy (Local Security Settings | Action | Add Data
Recovery Agent)
 
Thanks jimshu1!


jimshu1 said:
The .pfx file is for data recovery (double click to install) and the .cer
file is for use in the policy (Local Security Settings | Action | Add Data
Recovery Agent)

 
Right. The .cer has only the certificate and the .pfx has both the
certificate and the private key. You need to put the .pfx somewhere safe.
Anyone with that private key will be able to decrypt everyone else's files
within the scope of the recovery policy.

After you install the .cer in the recovery policy, you can delete the .cer.
(You can always get the certificate from the .pfx, too.)
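
An added example, not part of the original thread: a Python heuristic that tells a certificate-only file from a PKCS#12 (.pfx) container by its outer ASN.1 shape, so copies of the recovery key can be found even when the extension is wrong. The function names, file names and sample bytes are constructed for illustration.

```python
import base64
import re

def _first_inner(der: bytes):
    """Return (tag, value) of the first element inside the outer SEQUENCE, or None."""
    if len(der) < 3 or der[0] != 0x30:
        return None
    n = der[1]
    # Outer length: short form and BER indefinite form (0x80) take 1 byte,
    # long form takes 1 + (n & 0x7F) bytes.
    pos = 2 if n <= 0x80 else 2 + (n & 0x7F)
    if pos + 2 > len(der):
        return None
    tag, length = der[pos], der[pos + 1]
    return tag, der[pos + 2 : pos + 2 + length]

def classify(data: bytes) -> str:
    """Shape check only (no signature or chain validation)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    if m:  # Base64-encoded .cer: unwrap to DER first
        try:
            data = base64.b64decode(b"".join(m.group(1).split()))
        except ValueError:
            return "unknown"
    first = _first_inner(data)
    if first is None:
        return "unknown"
    tag, value = first
    if tag == 0x02 and value == b"\x03":
        return "pkcs12"       # PFX ::= SEQUENCE { version INTEGER (3), ... }
    if tag == 0x30:
        return "certificate"  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "unknown"

def audit(files: dict) -> list:
    """Names whose content is a PKCS#12 container, whatever the extension says."""
    return sorted(name for name, blob in files.items() if classify(blob) == "pkcs12")

# Constructed minimal samples: header shapes only, no real certificate or key material.
SAMPLE_PFX = bytes.fromhex("3005" "020103" "3000")
SAMPLE_CER_DER = bytes.fromhex("3004" "3002" "0500")
SAMPLE_CER_B64 = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CER_DER)
                  + b"\n-----END CERTIFICATE-----\n")
SAMPLE_FILES = {  # hypothetical file names
    "dra.cer": SAMPLE_CER_DER, "dra-b64.cer": SAMPLE_CER_B64,
    "dra.pfx": SAMPLE_PFX, "notes.cer": SAMPLE_PFX, "readme.txt": b"hello",
}

if __name__ == "__main__":
    print(audit(SAMPLE_FILES))
```

Anything reported as `pkcs12` holds (password-protected) private key material and belongs in offline storage, not next to the data it can decrypt.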
 