How to Back Up Your Encrypting File System Private Key

ID: Q241201


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server


SUMMARY

This article describes how to back up the EFS (Encrypting File System) private key of the local recovery agent, so that encrypted data can still be recovered if the copy of that key on your computer is lost.


MORE INFORMATION

When you use EFS to encrypt a file, the file itself is encrypted with a randomly generated symmetric file encryption key (FEK). The FEK is then encrypted with the EFS public key of the user (and of each recovery agent) and stored with the file; only the matching private key can decrypt the FEK, and therefore the file. If every private key that can decrypt the FEK is lost after a file is encrypted, the file cannot be recovered.

If your computer is a member of a Windows 2000 domain, the domain administrator can designate certain users as EFS recovery agents. A recovery agent can recover data even if the private key of the user who encrypted it is lost, because a copy of each file's FEK is also encrypted to the recovery agent's public key.

If your computer is not a member of a Windows 2000 domain (for example, a stand-alone computer, or a computer in a Microsoft Windows NT 4.0-based domain), the local Administrator account is the default EFS recovery agent, and its recovery certificate and private key exist only on that computer. If that key is lost, you can recover encrypted data whose user key is also lost only if you previously backed up the local Administrator's private key.
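The following PowerShell script is an added example and is not part of this article or of Windows; it models the key arrangement described above so you can see why a recovery agent can open a file after the user's key is gone. It is a simplified model: real EFS uses a DESX file encryption key and stores the wrapped copies in the file's Data Decryption Field (user) and Data Recovery Field (recovery agent); here AES and in-memory byte arrays stand in for the file, and the two RSA keys are generated on the spot rather than taken from certificates.

```powershell
# Added example (not from the KB article): simplified model of EFS key wrapping.
# A per-file symmetric key (FEK) is wrapped once per public key: the user's copy
# (DDF) and the recovery agent's copy (DRF). AES replaces DESX and nothing is
# written to disk; the RSA keys are generated here rather than read from certificates.

function Protect-FileLikeEfs {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider]$UserPublic,
        [System.Security.Cryptography.RSACryptoServiceProvider]$AgentPublic
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.GenerateKey(); $aes.GenerateIV()                 # the FEK and IV for this file
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # The FEK is never stored in the clear: one RSA-OAEP wrapped copy per public key.
    [pscustomobject]@{
        IV   = $aes.IV
        Body = $body
        DDF  = $UserPublic.Encrypt($aes.Key, $true)       # user's copy
        DRF  = $AgentPublic.Encrypt($aes.Key, $true)      # recovery agent's copy
    }
}

function Unprotect-FileLikeEfs {
    param(
        $Envelope,
        [byte[]]$WrappedFek,
        [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey
    )
    $fek = $PrivateKey.Decrypt($WrappedFek, $true)        # fails unless this key wrapped it
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Envelope.IV
    $aes.CreateDecryptor().TransformFinalBlock($Envelope.Body, 0, $Envelope.Body.Length)
}

# Two key pairs: the user who encrypts, and the recovery agent (local Administrator on a stand-alone computer).
$userKey  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$agentKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

$secret   = [System.Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$envelope = Protect-FileLikeEfs -Plaintext $secret -UserPublic $userKey -AgentPublic $agentKey

# Simulate losing the user's private key after the file was encrypted.
$userKey.Clear(); $userKey = $null

# The DRF copy of the FEK still opens with the recovery agent's private key.
$recovered = Unprotect-FileLikeEfs -Envelope $envelope -WrappedFek $envelope.DRF -PrivateKey $agentKey
"Recovered via agent key: " + [System.Text.Encoding]::UTF8.GetString($recovered)

# If the agent key is lost as well, only the ciphertext and two undecryptable wrapped FEKs remain.
$agentKey.Clear(); $agentKey = $null
"With both private keys gone, nothing can unwrap the FEK; the file body stays ciphertext ($($envelope.Body.Length) bytes)."
```

The point for this article is the last two steps: the recovery agent's private key is the only second way into the file, so on a stand-alone computer it must be backed up (the procedure below) before it is ever removed or lost.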

WARNING: Anyone who obtains the exported file together with its password can decrypt every file that was encrypted while that certificate was the recovery agent. After you export the private key to a disk, store the disk in a secure place.

To export the recovery agent's private key:

  1. Log on to your computer using the local Administrator account.

    NOTE: You must use the built-in Administrator account, not just an account with Administrator privileges.


  2. Click Start, click Run, type secpol.msc (Local Security Settings), and then click OK.


  3. Click the plus sign (+) next to Public Key Policies to expand this item.


  4. Click the Encrypted Data Recovery Agents category.


  5. In the right-hand pane, a certificate that is issued to "Administrator" with an intended purpose of "File Recovery" is displayed. Right-click this item, point to All Tasks, and then click Export.


  6. Click Next.


  7. Make sure that the Yes, export the private key option is selected, and then click Next. (If this option is unavailable, the private key is not on this computer and there is nothing to back up.)


  8. In the Export File Format dialog box, Personal Information Exchange - PKCS #12 (.PFX) is the only format that can contain a private key, so it is the format that is used. If you want to remove the private key from this computer so that the recovery agent cannot decrypt files on it until the key is restored from the backup, click to select the Delete the private key if the export is successful check box. Do not select this option until you have confirmed that an earlier export opens correctly with its password; once the key is deleted, the backup file is the only copy.


  9. Click Next.


  10. Type and confirm a password to protect the exported key, and then click Next. Choose a strong password; it is the only protection for the private key in the exported file.


  11. You are prompted to save the certificate and the private key to a file. Save the file (a .pfx file) to a disk or removable media device, not to the hard disk of the computer you are backing up, and then store the backup in a location where its physical security is ensured. Type an appropriate file name, and then click Next.


  12. When the Completing the Certificate Export Wizard dialog box is displayed, verify the options that you selected, and then click Finish.


  13. When the "The export was successful" message is displayed, click OK.


  14. If you selected the Delete the private key if the export is successful check box in step 8, restart your computer to complete the removal of the private key. Until you restart, the key may still be available on the computer.
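Before you rely on the exported file, and especially before you delete the private key from the computer, confirm that the backup really contains a usable File Recovery key. The following PowerShell script is an added example, not part of this article or of Windows 2000 (which had no PowerShell); it runs on any later Windows computer with the .NET Framework. The path A:\efs-recovery-agent.pfx is an assumption, and the password is read at the prompt. The script opens the PFX in memory without importing it into any certificate store, checks that the private key is present, checks that the certificate's enhanced key usage is File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1, Microsoft's EFS recovery purpose), and then encrypts a random block with the certificate's public key and decrypts it with the private key to prove that the two match.

```powershell
# Added example (not from the KB article): verify an exported EFS recovery agent
# backup (.pfx, PKCS #12) before trusting it or deleting the key from the computer.
# Assumptions: the path below, and Windows PowerShell with the .NET Framework.
$PfxPath  = 'A:\efs-recovery-agent.pfx'                    # assumed location of the export
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'               # Microsoft "File Recovery" enhanced key usage

function Test-EfsRecoveryBackup {
    param([string]$Path, [System.Security.SecureString]$Pwd)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Backup file not found: $Path" }

    # Load the PFX in memory only; no certificate store is touched.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Pwd, $flags)
    } catch {
        throw "Cannot open the PFX (wrong password or damaged file): $($_.Exception.Message)"
    }

    # 1. The private key must be inside; a certificate-only export is useless for recovery.
    if (-not $cert.HasPrivateKey) {
        throw 'The PFX holds the certificate only. Re-export and select "Yes, export the private key".'
    }

    # 2. It must be the File Recovery certificate, not some other Administrator certificate.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $purposes = @()
    if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($purposes -notcontains $EfsRecoveryOid) {
        throw "Certificate purpose is [$($purposes -join ', ')], not File Recovery ($EfsRecoveryOid)."
    }

    # 3. The private key must match the certificate: round-trip a random block through RSA-OAEP.
    $pub   = $cert.PublicKey.Key                            # RSACryptoServiceProvider for RSA certificates
    $priv  = $cert.PrivateKey
    $probe = New-Object byte[] 16
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($probe)
    $roundTrip = $priv.Decrypt($pub.Encrypt($probe, $true), $true)
    if ([Convert]::ToBase64String($probe) -ne [Convert]::ToBase64String($roundTrip)) {
        throw 'The private key in the PFX does not match the certificate public key.'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Purposes   = $purposes
        Verified   = $true
    }
}

Test-EfsRecoveryBackup -Path $PfxPath -Pwd $Password
```

Run this from the removable media itself, so that you are testing the copy you will actually keep; if any of the three checks throws, repeat the export before deleting anything from the computer. Restoring the key later is covered in Q242296 in the References section.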



REFERENCES

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Q223316 Best Practices for Encrypting File System
Q230520 How to Encrypt Data Using EFS in Windows 2000
Q242296 How to Restore an EFS Private Key for Encrypted Data Recovery
To download the "Encrypting File System for Windows 2000" white paper, please visit the following Microsoft Web site:
http://www.microsoft.com/windows/server/Technical/security/encrypt.asp

Additional query words:

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.