Encrypting File System (EFS) lets you encrypt important
files so that life is tough for the folks trying to steal
sensitive data. However, like any encryption system,
EFS isn’t all wine and roses: If you lose your encryption keys,
not only will the bad guys be unable to read your data, you
won’t be able to read it, either. Key management and recovery
is therefore extremely important to any EFS user, and EFS’s
command-line tool Cipher (cipher.exe) can help.
Back Up Your EFS Key
The first time that you use EFS to encrypt something, your
system generates a random 256-bit number; that’s the key
that EFS uses whenever you encrypt something. To back up
your EFS key, simply use the Cipher /x command. Cipher
will reply with a message asking if you truly want to back
up your EFS key—sadly, I haven’t found a way to suppress
this message. Press OK. The tool will then prompt you for
the name of the file in which to store the backup. Don’t
specify a file extension; Cipher insists on the .pfx extension.
For example, if you picked a file named mybackup,
you now have a small file called mybackup.pfx. Next, the
tool will prompt you to create a password with which to
protect that file.
Once you’ve got that file created, copy it from your
computer’s hard disk to some offline location (e.g., a USB
stick, a CD-ROM) and make a note of the password you’ve
chosen. Now, in the event of unfortunate circumstances—
for example, you lose your profile, you forget your password
and a systems administrator has to reset it, the system’s OS
fails and you need to recover files directly from the nowdead
system’s hard disk—you can simply restore your EFS
key by double-clicking the .pfx file and running the resulting
wizard. As soon as the wizard is finished, you’ll be able to
get to your files again.
Make Yourself a Recovery Agent
But what if you’re the administrator of this system, and you
have to think of your users? You might not trust your users
to back up their EFS keys, and you’d hate to see the look on
their faces when they lose their keys and you’re forced to say,
“I can’t help you.” To avoid that, make yourself a recovery agent
for the standalone (non-domain-joined) system. (A recovery
agent can decrypt files even if he or she didn’t create them.)
And this is important: Do so before people start encrypting
files. In my experience, a recovery agent can decrypt any
files created after he or she became a recovery agent—not
before. You can make any user—administrator or not—into a
recovery agent, but for this example I’ll assume you’re making
yourself the recovery agent. The following process works
equally well for Windows Vista, Windows Server 2003, and
Windows XP.
First, execute the Cipher /r:recoveryguy command,
which creates two certificate files: recoveryguy.cer and recoveryguy.
pfx. Cipher will prompt you to create a password for
the .pfx file, which contains a private key and needs some
protection. Anyone can run this command because all it does
is create this pair of certificates. In essence, a user running this
command creates a self-identifying ID card (i.e., the .pfx file)
and an assurance of trustworthiness to EFS that the user can
decrypt any and all files on this system (i.e., the .cer file). None
of that’s worth a darn unless an administrator hands this “letter
of introduction” to EFS.
In the second step, the soon-to-be data recovery agent
(that’s you) needs to associate himself or herself with the
newly created .pfx file. Double-click the recoveryguy.pfx
file to start the Certificate Import Wizard. After clicking Next
twice, the wizard will ask you for the password to the private
key on the certificate. Fill in the password you told Cipher /r
to use. Also, select the Mark this key as exportable check box
(so that you can back up the certificate if necessary), and
click Next. Click Next to let the wizard store the certificate,
and click Finish.
Finally, in the third step, you’ll give that letter of introduction
to the OS. Ensure that you’re logged on with an administrative
account, and start up the local Group Policy Editor
(GPE). Navigate to Local Computer Policy, Windows Settings,
Security Settings, Public Key Policies, Encrypting File System.
Right-click the Encrypting File System folder, and choose Add
Data Recovery Agent. Doing so starts another wizard. Click
Next to get to the Select Recovery Agents page. Click Browse
Folders, and navigate to recoveryguy.cer. After you choose
that file and click Yes, you’ll see that Windows has accepted
the certificate, but that it has the name USER_UNKNOWN.
Don’t worry: That’s normal. Click Next, then Finish.
Freely Decrypt
From this point forward, you can examine and decrypt
anything encrypted by anyone on this system. Remember,
if you’re the only user of a standalone (non-domain-joined)
system, you just need to back up your EFS key. But if you’re
the administrator of a system that more than one person
uses, you need to do a bit more clicking and make yourself
a data recovery agent. Or you can simply join those systems
to a domain, and the work is already done for you!