Wednesday, January 30, 2008

Backing Up Your Certificates

When you use encryption for the first time (and you don't already have a certificate that's valid for EFS), Windows creates a self-signed certificate for EFS. (Self-signed means that the certificate has not been granted by a trusted certification authority that can confirm your identity. Such verification is unnecessary for this purpose; in this case, the signature merely confirms that the certificate was created while your account was logged on.) This certificate becomes your personal encryption certificate, and it contains the public/private key pair used for encrypting and decrypting files while you're logged on.

Each user who encrypts files on a system has a personal encryption certificate. In addition, Windows can create a certificate for the designated data recovery agent. This certificate, whose purpose is shown as File Recovery, is not the same as that user's personal encryption certificate, whose purpose is shown as Encrypting File System.

All users should have a backup of their personal encryption certificate. More important, the system administrator should have a backup of the file recovery certificate and the data recovery agent's private key. Without one or the other of the certificates, encrypted files are unusable.

Backing Up the File Recovery Certificate
The file recovery certificate provides an administrative alternative for decrypting files if a user's personal encryption certificate is unavailable for any reason. Having a backup of this certificate is essential if you plan to use EFS.

To back up the file recovery certificate, follow these steps:

1. Log on as a member of the Administrators group.
2. In Local Security Settings (Secpol.msc), go to Security Settings\Public Key Policies\Encrypting File System. (In Windows 2000, the folder is called Encrypted Data Recovery Agents.)
3. Right-click the certificate issued to Administrator (or another user account) for the purpose of File Recovery. Choose All Tasks, Export to launch the Certificate Export Wizard, and then click Next.
4. Select DER Encoded Binary X.509 (.CER), and then click Next.
5. Specify the path and file name for the exported file.
6. Click Next and then click Finish.
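The wizard steps above produce a DER .CER file, which holds only the certificate and its public key; that is enough to re-register a recovery agent in policy, but it cannot decrypt anything. To keep the data recovery agent's private key as well, the same certificate has to be exported a second time as a password-protected PFX (Personal Information Exchange) file from the store of the account that holds the key. The script below is an added example, not part of the original post: it finds the certificates whose purpose is File Recovery or Encrypting File System in the current user's personal store, writes the .CER for each, and, where the private key is present, also writes the .PFX. It assumes a Windows version with the PowerShell PKI module (Windows 8 / Server 2012 or later, which have Export-Certificate and Export-PfxCertificate), that it is run as the account owning the certificate, and a hypothetical output folder D:\efs-backup that you would point at offline media.

```powershell
# Added example, not from the original post. Assumes the PKI module cmdlets
# (Windows 8 / Server 2012 and later) and that this runs as the account whose
# store holds the certificate and key.
$OutDir = 'D:\efs-backup'   # hypothetical path; use removable or offline media
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Enhanced Key Usage OIDs behind the two purposes Windows displays.
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # "Encrypting File System" (personal encryption certificate)
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # "File Recovery" (data recovery agent certificate)

function Get-EkuOids {
    # Return the EKU OID strings of a certificate (empty if it has no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $oids = @(Get-EkuOids $cert)
    if     ($oids -contains $RecoveryOid) { $purpose = 'FileRecovery' }
    elseif ($oids -contains $EfsOid)      { $purpose = 'EFS' }
    else   { continue }   # not an EFS-related certificate

    $base = Join-Path $OutDir ("{0}-{1}" -f $purpose, $cert.Thumbprint)

    # .CER = certificate and public key only. This is what the Export Wizard's
    # "DER Encoded Binary X.509" choice produces; it cannot decrypt files.
    Export-Certificate -Cert $cert -FilePath "$base.cer" -Type CERT | Out-Null

    # The private key is what actually restores access to encrypted files; if this
    # store does not contain it, say so rather than silently shipping a .CER only.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$purpose $($cert.Thumbprint): no private key in this store, .CER written only"
        continue
    }

    # .PFX = certificate plus private key, protected by a password. Keep it offline.
    $pfxPassword = Read-Host -Prompt "Password to protect $base.pfx" -AsSecureString
    Export-PfxCertificate -Cert $cert -FilePath "$base.pfx" -Password $pfxPassword | Out-Null
    Write-Host "Exported $purpose certificate $($cert.Thumbprint) with private key to $base.pfx"
}
```

Run it once for each account that matters: as the data recovery agent (normally Administrator) to capture the File Recovery key, and as each user to capture their Encrypting File System key. A self-signed EFS key is exportable by default; if Export-PfxCertificate fails because the key was marked non-exportable, the only remaining safeguard is the recovery agent's key, which is why that backup is the one an administrator must not skip.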
