EFS-Certificate and Private-Key Backup
Given that password reset disks can give you a false sense of security and are vulnerable to theft, you might choose an alternative method of granting a user access to his or her encrypted files. One alternative is to back up the EFS certificate and private key. If you have your EFS certificate and private key, you can always obtain your confidential data.
The first time you use your user account to encrypt a file, XP automatically creates your EFS certificate. You can use the Microsoft Management Console (MMC) Certificates snap-in to view and back up this certificate. To do so, enter
mmc
at the command line and select File, Add/Remove Snap-in. Click Add. Double-click Certificates, then click Finish, Close, and OK. Next, select Console Root, Certificates - Current User, Personal, Certificates. Figure 2 shows my EFS certificate. To back up a certificate, right-click the certificate and select All Tasks, Export. On the Certificate Export Wizard's first page, click Next, then click Yes, export the private key. (A backup copy of your certificate is useless without the private key.) After you click Next twice, the wizard asks for a password with which to protect this key. You won't be able to restore the certificate without this password, so make sure you remember it. Enter the password twice for confirmation, then click Next. The wizard asks for a filename. You can save this certificate and private key either to a disk or to a shared folder on your network. The latter option is convenient if you manage many laptops but introduces a significant security risk. Remember that a skilled attacker who can obtain a copy of the user's certificate and private key and gain access to the user's computer might be able to gain access to the user's encrypted files. Therefore, you might ultimately decide to move backup certificates to an offline CD-ROM that you store in a secure place.
Now that you have a backup of the user's EFS certificate, you're protected against password-reset situations in which the user loses access to encrypted files. If the user uses an outdated password reset disk (a disk made before one or more subsequent password changes) to reset his or her password, or if an administrator of the local computer resets the user's password, the user will lose access to encrypted files, as I explained earlier. However, you need only re-import the backup of the user's EFS certificate and private key. When you re-import a certificate, XP, unlike Win2K, replaces the old certificate with your backup certificate and uses your current password to reprotect the certificate's private key.
To re-import a certificate and private key, open the Certificates snap-in. Instead of right-clicking your current certificate, select Action, All Tasks, Import, then click Next in the Certificate Import Wizard's first window. Click Browse and change File Type to Personal Information Exchange, which is the default file type for exporting a certificate. Highlight the certificate file and click Next. Enter the password you specified when you exported this certificate and click Next twice, then Finish. You should now be able to access your encrypted files again.
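The export and re-import steps above are the MMC wizard's steps. As an added example (not code from the article), the following Windows PowerShell script does the same job unattended: it finds the certificates in the current user's Personal store that carry the Encrypting File System enhanced key usage and have a private key, writes each one to a password-protected PFX (the Personal Information Exchange format the wizard produces), and re-imports such a file into the same store. It relies only on the .NET X509 classes, so it needs no extra module. The function names, the backup path and the prompt text are assumptions of this example.

```powershell
# Added example, not from the article. Requires Windows PowerShell (.NET X509 classes).
# Enhanced Key Usage OID that marks an EFS user certificate.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Same location the article opens in the MMC: Certificates - Current User, Personal.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # A backup copy without the private key is useless, so skip certificates that lack one.
            if (-not $cert.HasPrivateKey) { continue }
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })) {
                $cert
            }
        }
    } finally {
        $store.Close()
    }
}

function Export-EfsCertificate {
    # Writes one PFX per EFS certificate into $Path; the password protects the private key in the file.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        throw 'No EFS certificate with a private key found in the Personal store (encrypt a file first).'
    }
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    foreach ($cert in $certs) {
        # Pfx content type = certificate plus private key, same as "Yes, export the private key".
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        $file = Join-Path $Path ('EFS-{0}.pfx' -f $cert.Thumbprint)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        $file
    }
}

function Import-EfsCertificate {
    # Re-imports a PFX into the current user's Personal store and returns its thumbprint.
    param(
        [Parameter(Mandatory = $true)][string]$File,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    # PersistKeySet keeps the key after import; UserKeySet places it under the current user's
    # profile, where the OS reprotects it with the current password, as the article describes for XP.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'PersistKeySet, UserKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($File, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)
    } finally {
        $store.Close()
    }
    $cert.Thumbprint
}

# Usage (placeholder path; pick removable or offline media rather than a shared folder):
# $pw = Read-Host -AsSecureString 'Password to protect the exported private key'
# Export-EfsCertificate -Path 'E:\efs-backup' -Password $pw
# Import-EfsCertificate -File 'E:\efs-backup\EFS-<thumbprint>.pfx' -Password $pw
```

The password is taken as a SecureString so it never appears on the command line or in the transcript, and the export function refuses to write a file for a certificate that has no private key, which mirrors the article's warning that a certificate backup without the key is useless. The same caveat about where the PFX files live applies here: the script writes wherever you point it, so the directory you choose decides whether the backup ends up on a network share or on offline media.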
Data-Recovery Agent
If you're already familiar with EFS from Win2K, you might be thinking of another way to regain access to encrypted files: logging on as the data-recovery agent. EFS provides data-recovery agent functionality as a fail-safe method to prevent loss of information in the event that the user's private key is lost or unavailable. On a Win2K computer, EFS disables file encryption unless you've specified at least one data-recovery agent in the Local Security Policy. By default, Win2K computers automatically use the built-in administrator account as the recovery agent. In XP, Microsoft removed this requirement, so by default no recovery agent exists. So don't plan to use data-recovery functionality unless you've configured the computer with a data-recovery agent and backed up the agent's certificate.
Don't Depend on It
I like XP's new password reset disk feature not because of the convenience for users who forget their passwords but because the feature makes EFS on workgroup computers less vulnerable to password-reset tools such as Ntpasswd. However, you can't depend on password reset disks to preserve access to encrypted files. A password reset disk becomes outdated if the user doesn't recreate it each time he or she changes a password.
Users can also lose access to their encrypted files if they reinstall XP or Win2K. Even if the users have backed up the files to disk or other backup media, they can't access those files after reinstalling the OS. When you reinstall XP or Win2K, you create a new SAM, user account, and user profile that have no record of your old EFS certificate. To access your files again, you'll need to restore a backup of your certificate and private key. The same applies if you restore encrypted files to a new computer: to access the files again, simply re-import the certificate and private key.