-----Original Message-----
Great overview! I'd like to add a couple of points:
- If you want to be especially secure you can run "cipher /w" after you
delete the .pfx file and empty the recycle bin. (Otherwise a raw read of
the volume could find the .pfx.)
- After the new recovery agent is in place in group policy, have every user with encrypted files run "cipher /u". The recovery agent of any given file is updated when the file is opened. "cipher /u" tries to touch all the files on the machine, updating any that the user can open.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Hi,
Here is a link that should help you out-
http://www.pcstats.com/articleview.cfm?articleid=1508&page=6
In short,
Creating a recovery agent:
Decide which user you wish to use as a data-recovery agent. It is recommended that you use the built-in 'administrator' account. Log in as this account.
Go to 'start\run' and type 'cmd' to bring up the command
prompt.
Type 'cipher /r:filename' (pick a filename) to create a digital certificate for a recovery agent. You will be prompted to set a password. This creates two files in the 'my documents' folder of the current user. Be aware that these files can be used by anyone to become a data-recovery agent, so it is wise to remove them after we have finished this procedure.
And by remove them I mean delete the files and empty out
the "recycle bin." This effectively clears the files from
the computer, or you can manage the same result by holding
down the 'shift key' as you delete the selected files.
Go to 'start\run' and type certmgr.msc.
On the 'file to import' page, click 'browse' then change
the 'files of type' dropdown box to .pfx files
Select the filename you created with the 'cipher /r:'
command. Type the password.
Check the 'mark this key as exportable' box.
Click 'next.'
Choose the 'Automatically Select The Certificate Store
Based On The Type Of Certificate' option.
Click 'next,' then 'finish.'
Close the certificates console.
Go to 'start\run' and type 'secpol.msc' to open the local
security policies.
Navigate to 'Security Settings\Public Key
Policies\Encrypting File System,' and
Choose 'Action\Add Data Recovery Agent.' Click 'Next.'
Click 'browse folders.' Open the filename you created
earlier with the 'cipher'
command. Click 'next' then 'finish.' The current user is now a data-recovery agent and can decrypt any EFS encrypted files on the system.
-- Still check out the link, as it provides you with screenshots. I had trouble getting EFS to work when I first started with it, but believe me, once you get it working, it's awesome.
best of luck
anonymous
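As an added example, not taken from any post in this thread: a PowerShell script that walks the procedure above end to end, generating the agent key pair with cipher /r, importing the .pfx with an exportable key as the certmgr wizard does, checking that what came out is really a File Recovery certificate, and then applying the clean-up (delete the .pfx, wipe free space with cipher /w) and the cipher /u re-keying that Drew Cooper's reply recommends. The names $name and $workDir, running it elevated on the account that will become the agent, and the File Recovery EKU OID check are assumptions of this example; the "Add Data Recovery Agent" step still has to be done in secpol.msc, since no command-line equivalent is used here.

```powershell
# Added example for this thread (not from the original posts). Scripts the
# recovery-agent steps from the reply above plus the clean-up / cipher /u steps
# from the follow-up. Assumed: run elevated as the future recovery agent;
# $name and $workDir are placeholders you can change. The .NET X509 classes
# used exist since .NET 2.0, so this also fits PowerShell 2.0 on XP.

$ErrorActionPreference = "Stop"
$name    = "efs-dra"                               # basename of the .cer/.pfx pair
$workDir = Join-Path $env:USERPROFILE "Documents"  # cipher /r writes into the current directory

# 1. Generate the recovery-agent key pair and certificate.
#    cipher /r prompts for a .pfx password and writes <name>.cer and <name>.pfx.
Set-Location $workDir
cipher.exe /r:$name
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
$cerPath = Join-Path $workDir "$name.cer"
$pfxPath = Join-Path $workDir "$name.pfx"

# 2. Import the .pfx into the current user's Personal store with the private
#    key marked exportable (the "mark this key as exportable" checkbox).
$password = Read-Host -AsSecureString "Password you gave cipher /r"
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::Exportable -bor $ksf::PersistKeySet -bor $ksf::UserKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password, $flags)

# Sanity check before trusting the file: it must carry a private key and the
# Microsoft "File Recovery" EKU (OID 1.3.6.1.4.1.311.10.3.4.1, assumed here),
# which is what the Add Data Recovery Agent wizard looks for.
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if (-not $cert.HasPrivateKey -or ($ekuOids -notcontains "1.3.6.1.4.1.311.10.3.4.1")) {
    throw "$pfxPath is not a usable EFS recovery-agent certificate"
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()
"Imported recovery-agent certificate, thumbprint $($cert.Thumbprint)"

# 3. Register the agent in policy (GUI step, no CLI used here):
#    secpol.msc -> Security Settings -> Public Key Policies -> Encrypting File
#    System -> Action -> Add Data Recovery Agent -> Browse Folders -> $cerPath.
#    Then refresh policy so new/opened files pick up the agent:
#    gpupdate /force
"Now add $cerPath as a Data Recovery Agent in secpol.msc, then run gpupdate /force"

# 4. Clean-up from the follow-up: the .pfx IS the recovery private key. Anyone
#    who copies it becomes a recovery agent, so delete it (Remove-Item bypasses
#    the Recycle Bin) and wipe free space on that volume so a raw read of the
#    disk cannot recover it. Keep the .cer: it is public and policy references it.
Remove-Item -LiteralPath $pfxPath -Force
cipher.exe /w:$workDir   # wipes unused space on the volume holding $workDir; this is slow

# 5. Each user with encrypted files runs this as themselves (not as the agent):
#    cipher /u /n   lists the encrypted files it would touch without changing them
#    cipher /u      re-stamps every encrypted file that user can open with the
#                   current recovery agent from policy
cipher.exe /u /n
```

Keep the .pfx only on offline media if you need it again later (for example, to recover files on another machine); the script assumes you do not and destroys it. On Vista and later, `cipher /c <file>` shows which recovery agents a given encrypted file carries, which is the quickest way to confirm that `cipher /u` actually updated it.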
-----Original Message-----
I've attempted to set up a recovery agent. The XP help files talk about the mmc and exporting/importing these certificates/keys, but I can't find any reference to actually creating or obtaining the keys/certificates. I'm the local computer admin and I need to recover an encrypted file... Please tell me how to create the needed certs and keys.
Thanks...
mgm