Encrypted File Recovery...

[Neil]

Hi All,

Lots of info. floating around regarding this topic so I'll keep my
question(s) simple:

In a workgroup environment, what is the minimum I need to do to ensure that
I can recover encrypted data from a backup removable hard drive (backed up
weekly) if the original drive dies, given also that it is likely that the
removable (backup) drive may be caddied into another PC to recover the files
??

Many thanks,

Neil

 

[Roger Abell]

The "other" PC should be the same OS at the same service
pack/patch level as that originating the EFS encryption.
If a W2k/XP difference in involved there is a way with
registry settings to revert the XP to W2k compatibility
(but this lowers the EFS strength).

You should define a data recovery agent (DRA) and have
at least its encrypting certificate stored (not necessarily
the decryption key) in the PC where the EFS encrytion
originates.

You should maintain exports of the EFS certificate and key
from each account that uses EFS, keeping these safe on some
external storage with a password that will not be forgotten.
For XP and later you should use the password recovery
disk capability within each account. These apply to the
DRA also.

You should test accessing the "backed up" files when the
disk is on the other system. Not all methods of "backing up"
are totally safe with EFS files. Use of NTbackup.exe is a
safe method.

Encrypting File System in Windows XP and Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/CryptFS.asp
Best Practices for Encrypting File System
http://support.microsoft.com/?id=223316