recovery agent keys/certs

mgm

I've attempted to set up a recovery agent. The XP help files talk about the
mmc and exporting/importing these certificates/keys, but I can't find any
reference to actually creating or obtaining the keys/certificates. I'm the
local computer admin and I need to recover an encrypted file... Please tell
me how to create the needed certs and keys.
Thanks...
mgm
 
Jerry.

Hi,

Here is a link that should help you out-
http://www.pcstats.com/articleview.cfm?articleid=1508&page=6

In short,

Creating a recovery agent:

Decide which user you wish to use as a data-recovery
agent. It is recommended that you use the built-in
'administrator' account. Log in as this account.

Go to 'start\run' and type 'cmd' to bring up the command
prompt.

Type 'cipher /r:(pick a filename)' to create a digital
certificate for a recovery agent. You will be prompted to
set a password. This creates two files in the 'my
documents' folder of the current user. Be aware that these
files can be used by anyone to become a data-recovery
agent, so it is wise to remove them after we are finished
with this procedure.

And by remove them I mean delete the files and empty out
the "recycle bin." This effectively clears the files from
the computer, or you can manage the same result by holding
down the 'shift key' as you delete the selected files.

Go to 'start\run' and type certmgr.msc.

On the 'file to import' page, click 'browse' then change
the 'files of type' dropdown box to .pfx files.

Select the filename you created with the 'cipher /r:'
command. Type the password.

Check the 'mark this key as exportable' box.

Click 'next.'

Choose the 'Automatically Select The Certificate Store
Based On The Type Of Certificate' option.

Click 'next,' then 'finish.'

Close the certificates console.

Go to 'start\run' and type 'secpol.msc' to open the local
security policies.

Navigate to 'Security Settings\Public Key
Policies\Encrypting File System,' and
Choose 'Action\Add Data Recovery Agent.' Click 'Next.'


Click 'browse folders.' Open the filename you created
earlier with the 'cipher' command. Click 'next' then
'finish.' The current user is now a data-recovery agent
and can decrypt any EFS encrypted files on the system.

-- Still check out the link as it provides you with screen
shots, ok? I had troubles getting EFS to work when I
first started with it... but believe me, once you get it
working, it's awesome.

best of luck

anonymous
 
Drew Cooper [MSFT]

Great overview! I'd like to add a couple of points:
- If you want to be especially secure you can run "cipher /w" after you
delete the .pfx file and empty the recycle bin. (Otherwise a raw read of
the volume could find the .pfx.)
- After the new recovery agent is in place in group policy have every user
with encrypted files run "cipher /u". The recovery agent of any given file
is updated when the file is opened. "cipher /u" tries to touch all the
files on the machine, updating any that the user can open.
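The command-line parts of the procedure above, together with Drew's two additions (wipe free space after deleting the .pfx, then have users run cipher /u), as an added PowerShell example. This is not code from the thread or from any of its posters. It assumes a modern Windows host run elevated as the account that will become the recovery agent: Import-PfxCertificate needs PowerShell 3 or later, and cipher /c (which lists who can decrypt a file) exists on Vista and later, not on XP. The base file name efs-dra, the backup path and the sample file name are made up for the example; adding the .cer as a Data Recovery Agent is still done in secpol.msc or Group Policy exactly as the post describes, because that step has no cipher.exe equivalent.

```powershell
# Added example, not from the thread. Scripts the cipher.exe steps of the
# recovery-agent procedure on a modern Windows host (assumed: elevated
# session, PowerShell 3+, cipher /c available on Vista+).

$ErrorActionPreference = 'Stop'
$workDir  = Join-Path $env:USERPROFILE 'Documents'
$baseName = 'efs-dra'                 # hypothetical; cipher writes efs-dra.cer and efs-dra.pfx
$cerPath  = Join-Path $workDir "$baseName.cer"
$pfxPath  = Join-Path $workDir "$baseName.pfx"

# 1. Generate the recovery-agent key pair and self-signed certificate.
#    cipher /r prompts for the .pfx password and writes both files to the
#    current directory, so run it from the Documents folder as the post does.
Push-Location $workDir
cipher.exe /r:$baseName
Pop-Location
if (-not (Test-Path $pfxPath)) { throw "cipher /r did not create $pfxPath" }

# 2. Check that the public certificate really carries the File Recovery EKU
#    (OID 1.3.6.1.4.1.311.10.3.4.1) before it is trusted as a DRA.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku) { throw 'Certificate has no Enhanced Key Usage extension' }
$ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
if ($ekuOids -notcontains '1.3.6.1.4.1.311.10.3.4.1') {
    throw 'Certificate lacks the File Recovery EKU; it will not work as a DRA'
}
"DRA certificate thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 3. Import the .pfx into this user's Personal store with the key exportable
#    (the certmgr.msc import wizard from the post, done from the command line).
$pw = Read-Host -AsSecureString 'Password set during cipher /r'
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pw -Exportable | Out-Null

# 4. Copy the .pfx to offline media before deleting it; anyone holding this
#    file (plus its password) can decrypt every file the DRA covers.
#    Copy-Item $pfxPath -Destination 'E:\dra-backup\'   # placeholder path
Remove-Item $pfxPath -Force
# Keep the .cer: it is public and is what secpol.msc asks for in the next step.

# 5. Overwrite free space so a raw read of the volume cannot recover the
#    deleted .pfx (Drew's first point). This takes a while on large drives.
cipher.exe "/w:$($env:SystemDrive)\"

# --- Now add $cerPath as a Data Recovery Agent in secpol.msc (workgroup)
# --- or the relevant GPO (domain), as described in the post.

# 6. After the DRA policy is in place, each user re-stamps the files they can
#    open so the new agent is written into their recovery fields (Drew's
#    second point). Files never opened by anyone keep their old agent list.
cipher.exe /u

# 7. Verify on a sample file which users and recovery agents can decrypt it.
cipher.exe /c (Join-Path $workDir 'sample-encrypted.txt')   # hypothetical file
```

Step 7 is the check a practitioner wants after Drew's second point: if the new agent does not appear in a file's recovery list, that file has not been opened since the policy changed, and cipher /u must be run by a user who can open it.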
 
jerry

mgm,

I hope your goal to create a Recovery Agent is to
ensure recovery of future encrypted data & not past
encrypted data, otherwise you may be in trouble-- just
thought I'd add that in as well, as you may have read "EFS
is very good at what it does & there are NO backdoors -
else it would be pointless"--

BTW -- good points there Drew-- I will be applying them to
my EFS practice..

Jerry.
 
Neil

For those of us still grappling with EFS, am I correct to summarise as
follows:

1. Backing up EFS certificates (with private key) will allow for later
decryption of encrypted files even if that user's profile is destroyed, but
only that user's files will be decryptable?

2. Creating a recovery agent is a per-machine (workgroup?) setting, allowing
recovery of all encrypted files on the machine (workgroup?) regardless of the
profile used to encrypt them in the first place?

3. Creating a recovery agent and/or backing up EFS certificates should be done
prior to creating encrypted files?

Thanks.

Neil.

 
Drew Cooper [MSFT]

"Yes" to everything you asked, but here are my verbose answers:

1. Yes. To decrypt a file two things are needed: a) read permissions (ACLs)
on the file and b) a certificate and private key of a user or recovery agent
on the file.

2. Recovery Policy is per-machine in a workgroup and is a machine policy set
per-GPO in a domain. By default Windows XP does not have a recovery policy.
By default, a domain will have one set in the "Default Domain Policy" but
not on other GPOs. "Workgroup" is misleading terminology that we're stuck
with now. It's probably better understood as "non-domain joined" because
policy isn't shared in a workgroup and must be set per-machine.

3. Yes. Create the recovery agent before users encrypt files so that you
guarantee that those files will have a recovery agent set on them, otherwise
it won't be applied until someone opens the file later. Export cert/key
pairs ASAP and put them in a safe place to avoid data loss.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

