Generating a File Recovery Certificate

Generating a File Recovery Certificate
To generate a file recovery certificate, follow these steps:

Log on as an administrator.
At a command prompt, type cipher /r:filename, where filename is the name you want to assign to the stored certificate files. Do not include a filename extension.
When prompted, type a password that will be used to protect the files you create.
These steps generate both a .pfx file and a .cer file with the file name you specify.

CAUTION
--------------------------------------------------------------------------------

These files allow anyone to become a data recovery agent. Be sure to copy them to a disk and put it in a secure, safe place. Then erase these files from your hard disk.
INSIDEOUT
--------------------------------------------------------------------------------

An alternative to data recovery agents

The reason Windows XP does not have a default data recovery agent for stand-alone computers is to provide enhanced security. In Windows 2000, a thief who's able to crack the Administrator account (the default data recovery agent) has access to all the encrypted files on a stolen computer. With Windows XP, the only way a thief can get your encrypted data is by knowing your user name and password.

This extra security comes with some risk: If you forget your password, you're locked out of your own files, and you have no practical way to get them back. For that reason, we suggest creating a data recovery agent as one solution. However, another solution that's easier and, perhaps, more secure is to create a Password Reset Disk. For details, see Using a Password Reset Disk.