EFS Recovery Agent


jx2dad

I am setting up EFS on 5 laptops running WinXP SP2, all in standalone
mode, no domain controller. I know that I can create a recovery
certificate on one of the machines using the cipher /r command.

My question is this: Can I use the same certificate and private key as
the recovery agent certificate on all 5 machines? Or do I need to
create a separate recovery agent certificate for each machine? Ideally
I would like to use one recovery agent certificate so I don't have to
keep track of 5 different ones.
 

Miha Pihler [MVP]

Hi,

Yes, you could use this one certificate as recovery agent on all 5
computers. However, you must import this recovery agent on all 5 computers
(under Recovery Agent) before they start encrypting their documents (or you
will have additional work to do).

To import this certificate on all 5 computers, open the Group Policy editor
(Start -> Run -> gpedit.msc) and drill down under Computer Configuration >
Windows Settings > Security Settings > Public Key Policies > Encrypted File
System. Here, right-click, choose "Add Recovery Agent" and follow the wizard.

Store the private key (usually a file with a .pfx extension) in a safe place. I
usually recommend copying it onto two or more CDs and storing the CDs in a
safe place. Also, don't forget the password for the private key (defined
when you export the certificate with the private key, or when you generate it
with the cipher tool). The best thing you can do is write it down and again store it
in a safe place...
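Two checks that follow from this answer, as an added example rather than anything posted in the thread: confirm that the recovery agent certificate actually imported on a given laptop is the same one you generated (compare thumbprints, not file names), and confirm, before any file is encrypted, that the archived .pfx still opens with the password you wrote down. The script is PowerShell, which is not installed on Windows XP SP2 by default, so it assumes PowerShell is available on the machine where you run it; the file names and paths (EFSRecoveryAgent.cer/.pfx under D:\EFS-DRA and C:\EFS-DRA) are assumptions, chosen to match what `cipher /r:EFSRecoveryAgent` would produce.

```powershell
# Added example, not from the thread. Assumes the recovery agent was created
# once with:   cipher /r:EFSRecoveryAgent
# which writes EFSRecoveryAgent.cer (public part, deployed to every laptop) and
# EFSRecoveryAgent.pfx (private key, kept offline). Paths below are assumptions.

$MasterCer = 'D:\EFS-DRA\EFSRecoveryAgent.cer'   # copy kept with the offline media
$MasterPfx = 'D:\EFS-DRA\EFSRecoveryAgent.pfx'
$LocalCer  = 'C:\EFS-DRA\EFSRecoveryAgent.cer'   # copy that was imported on this laptop

function Get-CerThumbprint {
    param([string]$Path)
    # Public certificate only: no password and no private key are involved.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    return $cert.Thumbprint
}

function Test-PfxPassword {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Loads the PFX into memory only (DefaultKeySet, key not persisted) to prove
    # that the recorded password is the right one and the private key is present.
    try {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
        return $cert.HasPrivateKey
    } catch {
        return $false
    }
}

# 1. Is this laptop using the same recovery agent as the master copy?
$master = Get-CerThumbprint $MasterCer
$local  = Get-CerThumbprint $LocalCer
if ($master -ne $local) {
    Write-Warning "Recovery agent on $env:COMPUTERNAME ($local) differs from master ($master)"
} else {
    Write-Host "Recovery agent matches master thumbprint $master"
}

# 2. Does the archived .pfx open with the password that was written down?
$pw = Read-Host -AsSecureString 'Password recorded for the recovery agent PFX'
if (Test-PfxPassword $MasterPfx $pw) {
    Write-Host 'PFX opens with the recorded password and contains the private key.'
} else {
    Write-Warning 'PFX did not open: wrong password or damaged file. Resolve this before encrypting anything.'
}
```

Run the first check on each of the 5 laptops after the gpedit.msc import; a mismatch means files encrypted on that machine cannot be recovered with the master key. Run the second check against the offline copy (the CD) rather than a working copy, since the CD is what you will reach for when recovery is needed.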
 
