Wednesday, January 30, 2008

Before You Begin: Learn the Dangers of EFS

EFS provides secure encryption of your most important information. The encryption is so secure that if you lose the key that allows you to decrypt your data, the information is effectively lost. By default, Windows provides no "back door" if your private key is lost, nor is there any practical way to hack these files. (If there were, it wouldn't be very good encryption.)

You can innocently lose your key in a number of ways. Suppose, for example, that you have stored your data in encrypted folders on a second volume (such as drive D). You notice that your computer is running sluggishly and its hard disk is overflowing with junk files—so you decide to reinstall Windows from scratch. Not worrying about your files on another partition, you format drive C and reinstall Windows. Although it's not apparent, reinstalling Windows creates new security identifiers (SIDs) for each user, even if you do everything exactly the same way as the last time you ran Setup. As a result, each user's encryption certificates are also different from the ones they replaced, and they can't be used to access the encrypted data stored on drive D. Even the Administrator account—which also has a new SID—can't decrypt the files from a different Windows installation.

Fortunately, with a little care, you can prevent these drastic scenarios. To learn about EFS and then begin safely using it for your important files, we recommend that you follow this approach:

1. Create an empty folder and encrypt it. (For details, see the next section, "Encrypting Your Data.")
2. Create a nonessential file in the encrypted folder (or copy a file to the folder)—and check to see that you can use it just as you would any ordinary file.
3. If your computer is not part of a domain, create a data recovery agent, a second user account that can be used to decrypt files should your personal encryption certificate become lost or corrupt. (For details, see Creating a Data Recovery Agent.)
4. Back up your file recovery certificate and your personal encryption certificate along with their associated private keys. (For details, see Backing Up Your Certificates.)
   Note that you won't have a certificate to back up until you have encrypted at least one folder or file. A new Windows installation doesn't have encryption certificates; one is created the first time a user encrypts a folder or file.
5. Begin using EFS for your important confidential files.
In summary: If you encrypt files on a computer that is not joined to a domain, be sure to set up a data recovery agent. Back up both your personal certificate and the data recovery agent's file recovery certificate.
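The dry run and backup steps above can be scripted. The following is an added example, not part of the original article. It assumes a Windows version with PowerShell 3.0 or later and the built-in `cipher.exe`; the folder, drive, and file names are hypothetical placeholders.

```powershell
# Added example. All paths and file names are hypothetical placeholders.
$testDir   = Join-Path $env:USERPROFILE 'EfsTest'   # throwaway test folder
$backupDir = 'E:\EfsBackup'                         # removable media, kept offline
$probeText = 'nonessential test data'

# Steps 1-2: create an empty folder, encrypt it, then add a nonessential file.
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
cipher /e $testDir | Out-Null
$testFile = Join-Path $testDir 'probe.txt'
Set-Content -Path $testFile -Value $probeText

# A file created in an encrypted folder should carry the Encrypted attribute
# and still read back like any ordinary file.
$attrs = (Get-Item $testFile).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    throw "$testFile is not encrypted; do not move real data into EFS yet."
}
if ((Get-Content $testFile) -ne $probeText) {
    throw 'Encrypted test file did not read back correctly.'
}

# The personal EFS certificate exists only after the first encryption.
# 1.3.6.1.4.1.311.10.3.4 is the Encrypting File System enhanced key usage.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid }
if (-not $efsCerts) { throw "No EFS certificate found for $env:USERNAME." }
foreach ($cert in $efsCerts) {
    # A certificate without its private key cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $($cert.Thumbprint) has no private key on this machine."
    }
    "{0}  expires {1:yyyy-MM-dd}  private key: {2}" -f `
        $cert.Thumbprint, $cert.NotAfter, $cert.HasPrivateKey
}

# Step 4: back up the personal certificate and private key.
# cipher prompts for a password and writes personal-efs.pfx.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
cipher /x (Join-Path $backupDir 'personal-efs')

# Step 3 (key material only): generate a file recovery certificate and key.
# cipher writes recovery-agent.cer and recovery-agent.pfx in the current folder.
# The certificate still has to be designated as the recovery agent, as covered
# in "Creating a Data Recovery Agent."
Push-Location $backupDir
cipher /r:recovery-agent
Pop-Location
```

Both `cipher /x` and `cipher /r` prompt interactively for a password that protects the exported `.pfx` file. The backup is only useful if that password and the media are stored somewhere that survives a reformat of drive C.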
