Wednesday, January 30, 2008

Designating Data Recovery Agents

You can designate any user as a data recovery agent. We recommend that you use the Administrator account.

CAUTION

Do not designate the account you use to create encrypted files as a data recovery agent. Doing so provides little or no protection: if that user profile is damaged or deleted, you lose all the keys that allow decryption of the files, the recovery agent's key included.

Follow these steps to designate a data recovery agent:

1. Log on with the account that you want to designate as a data recovery agent.
2. Using the Certificates snap-in (in Windows XP, type certmgr.msc at a command prompt), go to Certificates - Current User\Personal.
3. Choose Action, All Tasks, Import to launch the Certificate Import Wizard. Click Next.
4. Enter the path and file name of the encryption certificate (a .pfx file) you exported (see Figure 18-4), and click Next. If you click Browse, you must select Personal Information Exchange in the Files Of Type box to see .pfx files. Click Next.

Figure 18-4. Be sure to specify the .pfx file—not the .cer file to which the Browse button leads you by default.

5. Enter the password for this certificate, and then select Mark This Key As Exportable. Click Next.
6. Select Automatically Select The Certificate Store Based On The Type Of Certificate, and then click Next. Click Finish.
7. In Local Security Settings (Secpol.msc), go to Security Settings\Public Key Policies\Encrypting File System.
8. Choose Action, Add Data Recovery Agent. Click Next.
9. On the Select Recovery Agents page, click Browse Folders and then navigate to the folder that contains the .cer file you created. (The Browse Directory button searches Active Directory.) Select the file and click Open.
10. The Select Recovery Agents page now shows the new agent as USER_UNKNOWN. Don't be alarmed by the USER_UNKNOWN text; simply click Next and then click Finish.

The current user is now the data recovery agent for all encrypted files on this system.
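The following PowerShell script is an added example, not part of the book excerpt. It performs the certificate import from the procedure above (Certificates - Current User\Personal, key marked exportable), checks that the imported key really is the one behind the .cer file published in policy, and then confirms on a scratch file that EFS lists the agent under Recovery Certificates. The policy step itself (Secpol.msc, Add Data Recovery Agent) is still done in the console as described. Assumptions: the three paths are placeholders; Import-PfxCertificate needs the PKI module (Windows 8 / Server 2012 or later) rather than the Windows XP snap-in; cipher.exe /c needs Windows Vista or later.

```powershell
# Added example, not from the book excerpt. Scripts steps 2 through 6 above, then
# verifies that the recovery agent designation actually took effect.
# Assumptions: all three paths are placeholders; Import-PfxCertificate requires the PKI
# module (Windows 8 / Server 2012 or later); cipher.exe /c requires Windows Vista or later.
param(
    [string]$PfxPath  = 'D:\efs-recovery\recovery-agent.pfx',  # placeholder: exported with the key marked exportable
    [string]$CerPath  = 'D:\efs-recovery\recovery-agent.cer',  # placeholder: the .cer added under Encrypting File System
    [string]$TestFile = "$env:USERPROFILE\Documents\efs-recovery-check.txt"
)

$ErrorActionPreference = 'Stop'

# Steps 2-6: import the .pfx into Certificates - Current User\Personal (Cert:\CurrentUser\My)
# with the private key exportable, which is what the wizard does when that box is ticked.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $pfxPassword `
                                  -Exportable

# The policy entry (steps 7-10) is made from the .cer file. If that public certificate
# does not match the key just imported, this account cannot decrypt anything the policy covers.
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($imported.Thumbprint -ne $published.Thumbprint) {
    throw "Imported certificate $($imported.Thumbprint) is not the published recovery agent certificate $($published.Thumbprint)."
}
if (-not $imported.HasPrivateKey) {
    throw 'The imported certificate carries no private key, so recovery with this account is impossible.'
}

# Verification: encrypt a scratch file and ask EFS which certificates it attached.
# A recovery agent set in policy appears under "Recovery Certificates" (shown as
# USER_UNKNOWN for a self-generated certificate, exactly as the wizard displays it).
Set-Content -Path $TestFile -Value 'EFS recovery agent check'
[System.IO.File]::Encrypt($TestFile)
$report = & cipher.exe /c $TestFile
$report

# cipher prints thumbprints in groups of four hex digits; strip whitespace before comparing.
$sections     = ($report -join "`n") -split 'Recovery Certificates:'
$usersFlat    = $sections[0] -replace '\s', ''
$recoveryFlat = if ($sections.Count -gt 1) { $sections[1] -replace '\s', '' } else { '' }

if ($recoveryFlat -notmatch $published.Thumbprint) {
    Write-Warning 'The recovery agent is not on the new file yet. Re-check the policy entry, or log off and on so the policy refreshes.'
}
if ($usersFlat -match $published.Thumbprint) {
    # This is the configuration the Caution above rules out: the same certificate both
    # encrypts the file and is its only recovery path.
    Write-Warning 'The recovery certificate is also the encryption certificate on this file; designate a different account as recovery agent.'
}

Remove-Item -Path $TestFile -Force
```

Run it from the account designated in step 1, after completing steps 7 through 10 in Secpol.msc. The thumbprint comparison is the check the wizard itself never makes: the policy only knows the public .cer, and nothing stops an operator from importing a different .pfx into the agent's profile, in which case the "recovery agent" would be unable to recover anything.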
