Encrypting File System
Windows 2000 stores user certificates that contain the public keys in the Personal certificate store for the certificate owner's user account. A certificate provides assurance that the public key is bound to the specific subject (an individual or other entity) that owns the private key. Certificates are stored in plaintext because they are public information and they are digitally signed by certification authorities to protect against tampering. However, the private keys must be kept confidential so only the authorized owner has access to the private key.
Certificates are issued by certification authorities (CAs), which verify the identity of entities before issuing the certificates. EFS issues its own certificates if no CA is available. However, you can deploy Certificate Services to issue EFS certificates and provide the following benefits:
Each user has a personal certificate store that contains the certificates issued to that user. User certificates reside in Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates\My\Certificates for each user profile. These certificates in the user profile are written to the user's personal store in the system registry each time the user logs on to the computer. For roaming profiles, the user's certificates are located on the domain controller, so the certificates follow users when they log on to different computers in the domain.
You can use the Certificates console, a
Figure 15.10 User Certificates in the Personal Certificate Store
Recovery agent certificates appear in the personal certificate store for the recovery agent account; a recovery certificate displays "File Recovery" in the Intended Purposes column. Figure 15.11 shows an example of the personal certificate store for a recovery agent account.
Figure 15.11 Recovery Agent Certificates in the Personal Certificate Store
For more information about certificate stores and the Certificates console, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.
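The "Intended Purposes" column the Certificates console shows is derived from the certificate's Enhanced Key Usage extension. The following added example (not from the Resource Kit, and written for Windows PowerShell on a current Windows release rather than Windows 2000) inventories the current user's Personal store through the Cert: drive and reports which certificates are EFS user certificates and which are File Recovery (recovery agent) certificates, together with whether the private key is present and whether the certificate is self-issued by EFS rather than CA-issued. The EKU OIDs 1.3.6.1.4.1.311.10.3.4 (Encrypting File System) and 1.3.6.1.4.1.311.10.3.4.1 (File Recovery) are the documented Microsoft values; the store path parameter is the only assumption.

```powershell
# Added example: inventory EFS and File Recovery certificates in the Personal ("My") store.
# Microsoft EKU OIDs: EFS user certificate and EFS file recovery certificate.
$efsOid      = '1.3.6.1.4.1.311.10.3.4'
$recoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsCertificateInventory {
    param(
        # Assumption: the Cert: provider path of the store to inspect (current user's Personal store by default).
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Pull the Enhanced Key Usage extension; its OidCollection holds the dotted OID strings
        # that the Certificates console renders as friendly names in "Intended Purposes".
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $purpose = if ($ekus -contains $recoveryOid) { 'File Recovery' }
                   elseif ($ekus -contains $efsOid)  { 'Encrypting File System' }
                   else { $null }

        if ($purpose) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                Purpose       = $purpose
                # A recovery agent can only recover files if the matching private key is present.
                HasPrivateKey = $cert.HasPrivateKey
                # EFS issues its own certificate when no CA is available; such certificates are self-signed.
                SelfIssued    = ($cert.Subject -eq $cert.Issuer)
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

Get-EfsCertificateInventory | Format-Table -AutoSize
```

Run it under the recovery agent account to confirm the "File Recovery" certificate is present with its private key, and under an ordinary user account to see which EFS certificates are CA-issued versus self-issued.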
Recovery certificates also appear in the details pane of the Group Policy console (a
Figure 15.12 Recovery Agent Certificates in Recovery Policy
For more information about how to access the Encrypted Data Recovery Agents container and Group Policy, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.