EFS - no policy? Include the private key in the export?

*Vanguard*

I just EFS-protected a folder and all subfolders and files under it. When I
look at the folder's properties, under Advanced, it shows it was encrypted.
I can run certmgr.msc to export my personal EFS security certificate.

I then wanted to export the recovery agent's (Administrator's) file recovery
certificate in case I need that. However, when I run secpol.msc and look
under Public Key Policies -> Encrypting File System, it says the policy is
empty (which is not the same as not configured).

At the time, I was logged in under my own user account, which is in the
Administrators group (so I have all admin permissions). Do I actually have
to be logged in under Administrator to export its file recovery certificate?
I didn't under Windows 2000. An administrator is an administrator, and any
administrator-level account should be able to do what any of the others can
do, including whatever Administrator can do. Maybe Microsoft changed how XP
lets you get at certificates and other attributes of other admin accounts in
their overeager protectiveness.

One other point. Is there any reason to NOT include the private key when
you export a security certificate? If you export without the private key
(i.e., all you export is the public key), you don't have to password-protect
the file. If you select to include the private key then you are prompted to
enter a password to protect the file (so no one else could use your private
key since the public key only has significance when paired with its private
key). If I need to restore the system or do a fresh install of the OS, why
wouldn't I want to use the same private key with that exported public key?
Would the exported public key even be usable if Windows were wiped and a
fresh install put on the drive (since the private key to pair with the
exported public key wouldn't be there anymore)?
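The export question above, as an added example that is not part of the original post: this PowerShell script locates the EFS certificate in the logged-on user's Personal store by its EKU, refuses to export unless the private key is present, writes a password-protected PFX, and reloads the file to confirm the key round-tripped. The EKU OIDs are the standard Microsoft values; the file path and the `Get-EfsCertificate` / `Export-EfsKeyBackup` function names are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell with
# access to the logged-on user's Personal ("My") certificate store.
$EfsEku          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent)

# Return the certificates in the Personal store that carry the given EKU.
function Get-EfsCertificate {
    param([string]$Eku = $EfsEku)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            if ($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $Eku })) { $cert }
        }
    } finally { $store.Close() }
}

# Export one certificate WITH its private key as a password-protected PFX.
# A public-key-only (.cer) export cannot decrypt anything after a reinstall,
# so refuse to continue if the key is not present in this profile.
function Export-EfsKeyBackup {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store; export it from the account that owns the key."
    }
    # Export() throws a CryptographicException if the key was marked non-exportable.
    $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $pfx)
    # Reload the file and confirm the private key round-tripped before trusting the backup.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    if (-not $check.HasPrivateKey) { throw "Backup at $Path does not contain the private key." }
    return $check.Thumbprint
}

# Usage: back up the logged-on user's EFS key. Run Get-EfsCertificate -Eku $FileRecoveryEku
# while logged on as the recovery agent account to back up the recovery certificate instead.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($c in Get-EfsCertificate) {
    Export-EfsKeyBackup -Cert $c -Path "$env:USERPROFILE\efs-$($c.Thumbprint).pfx" -Password $pw
}
```

The recovery agent's private key lives only in the profile of the account that holds it, which is why membership in the Administrators group alone does not make it visible in another user's store.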