EFS AND RECOVERY AGENTS

[Chris]

Hi All,

I am reading the book "Windows XP Inside Out" by MS Press. I am at the
chapter that talks about using EFS in a workgroup setting. It states that
when creating the data recovery certificate using "cipher /r:filename", it
warns that the resulting .pfx and .cer files should be removed and stored
externally because these files allow anyone to become a recovery agent.

The next stage of the process is to import the .pfx file to the users
certificate store using certificate manager, then import the .cer file into
Local Security Settings (secpol.msc). That user is now a data recovery
agent. The way I understand it, is that these same files are used to
designate any further recovery agents in exactly the same way.

My query is when using EFS in XP Pro in a workgroup, and you want to
designate more than one user to become a recovery agent, are their recovery
agent certificates the same?

Any help with this query would be appreciated.

Cheers - Chris

 

[Dusko Savatovic]

I'll try to give you a simple explanations, so I apologize if it's too
simple.

It goes like this:

1. Ana encrypts file and wants that Bob and Cathy can recover her file. Ana
encrypts file with FEK (File encryption key).

2. Ana makes two additional copies of FEK.
Imagine that these keys are real metal keys.

3. Ana drops these keys in Bob's and Cathy's mailbox.
Imagine it is real metal mailbox.

4. Bob opens his mailbox with his own key. Bob retreives FEK and reads Ana's
file.

5. Cathy opens her mailbox with her own key. Cathy retreives FEK and reads
Ana's file.

That's all

Dusko Savatovic