The Encrypted Data Recovery Policy for Encrypting File System

ID: Q230490


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

The Encrypting File System (EFS) supports data recovery by allowing recovery agents to recover file encryption keys (FEKs) and decrypt users' files. The Encrypted Data Recovery policy (EDRP) is configurable for both a domain and a stand-alone server and must be configured by an administrator.

Once the EDRP is configured, it can be updated to specify who can recover FEKs in the event that a user's private key becomes unavailable or unusable. This may occur when an individual user account becomes damaged, is deleted, or becomes otherwise unusable. Multiple recovery agents can be configured, and in no case is any user's private key revealed to a recovery agent. When a user's private key becomes unavailable, an agent can use his or her private key to decrypt the FEK that was originally used in the file encryption process. After the FEK is obtained, the recovery agent can then decrypt the user's file.


MORE INFORMATION

To assist in FEK recovery, each FEK is encrypted separately with each public key in the EDRP. Each encrypted FEK is stored in a Data Recovery Field (DRF), which contains the FEK created when the file is encrypted. If there is one recovery agent, there is one DRF for each encrypted file. When there are two recovery agents, there are two DRFs for each encrypted file, and so on.
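
The DRF layout and the recovery step described above, as an added Go example that is not part of the original article and is not Microsoft's implementation: the same FEK is wrapped once per recovery-agent public key, and any one agent recovers it with only its own private key. RSA-OAEP, the 2048-bit key size, the sample FEK, and the names NewKey, WrapFEK and RecoverFEK are assumptions made for illustration; the article does not name the algorithms EFS uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKey makes a constructed RSA key pair standing in for a certificate key.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// WrapFEK returns one DRF per recovery-agent public key (RSA-OAEP is assumed).
func WrapFEK(fek []byte, edrp ...*rsa.PublicKey) ([][]byte, error) {
	drfs := make([][]byte, 0, len(edrp))
	for _, agent := range edrp {
		drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, nil)
		if err != nil {
			return nil, err
		}
		drfs = append(drfs, drf)
	}
	return drfs, nil
}

// RecoverFEK tries each DRF with the agent's own key; no user key is involved.
func RecoverFEK(drfs [][]byte, agent *rsa.PrivateKey) ([]byte, error) {
	for _, drf := range drfs {
		if fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agent, drf, nil); err == nil {
			return fek, nil
		}
	}
	return nil, errors.New("no DRF was written for this key")
}

func main() {
	a, b, outsider := NewKey(), NewKey(), NewKey() // constructed keys
	drfs, _ := WrapFEK([]byte("constructed 32-byte sample FEK.."), &a.PublicKey, &b.PublicKey)
	fek, _ := RecoverFEK(drfs, b)
	_, err := RecoverFEK(drfs, outsider)
	fmt.Println(len(drfs), string(fek), err)
}
```

A key that is not listed in the policy at encryption time has no DRF in the file, which is why adding a recovery agent later does not by itself make existing DRFs readable to that agent in this model.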

The default EDRP on a stand-alone server includes only the local administrator. After the Dcpromo tool is used and a domain is created, a default EDRP is created for the entire domain. At this point, all members of the domain participate in the EDRP. This policy uses a self-signed certificate to make the administrator account the recovery agent.

To make changes on a stand-alone server and add recovery agents:

  1. Start the Microsoft Management Console (MMC).
  2. Add the Group Policy snap-in for the local computer (this is the default Group Policy Object).
  3. Open the following sections: Computer Configuration; Windows Settings; Security Settings; Public Key Policies; Encrypted Data Recovery Policy.
  4. Right-click Encrypted Data Recovery Policy, and then click Add.
  5. Follow the instructions in the wizard to add recovery agents.


To make changes to a domain structure and add recovery agents:

  1. Start the Microsoft Management Console (MMC).
  2. Add the Group Policy snap-in for the default domain policy. To do this, click Browse when you are prompted to select a Group Policy Object (GPO). You can also add GPOs for other domain partitions (specifically, Organizational Units).
  3. Open the following sections: Computer Configuration; Windows Settings; Security Settings; Public Key Policies; Encrypted Data Recovery Policy.
  4. Right-click Encrypted Data Recovery Policy, and then click Add.
  5. Follow the instructions in the wizard to add recovery agents.


For additional information about EFS, please see the following article in the Microsoft Knowledge Base:
Q223316 Best Practices for Encrypting File System

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.