Wednesday, January 30, 2008

Recovering Encrypted Data

The security policy for a computer or a domain can include a data recovery policy. (In Windows 2000, a data recovery policy is required.) This policy designates one or more users as data recovery agents; these users can decrypt encrypted files even if the personal encryption certificate used to encrypt the file is no longer available. This capability makes it possible to recover encrypted files after an employee leaves a company, for example.

If your computer is running Windows 2000 and is not part of a Windows domain, the local Administrator account is the default data recovery agent. In Windows XP, stand-alone computers have no default data recovery agent; you should create one. (For details, see Creating a Data Recovery Agent.) In a domain environment, the default data recovery agent is the Administrator account for the domain.

If your computer is a member of a domain, the domain administrator can designate additional users as data recovery agents. Using the domain's Enterprise Certificate Authority, the domain administrator creates file recovery certificates for these users and adds them to Public Key Policies\Encrypted Data Recovery Agents in Local Security Settings or, more likely, in the domain security policy.

Whether your computer is a domain member or in a workgroup, running Windows XP or Windows 2000, best practices suggest not storing the private key associated with the data recovery agent's file recovery certificate on the computer. (If it's stored on the computer, the data recovery agent has access to all users' encrypted files, a situation that removes the privacy protection that EFS is designed to provide.) To restore the data recovery agent's file recovery certificate or private key when it's needed, take these steps:

1. Log on as Administrator.
2. Use the Certificates dialog box to import the file recovery certificate. The procedure is the same as that used to import a personal encryption certificate; for details, see Importing a Personal Encryption Certificate.

If you need to recover encrypted files, it might be useful to know who encrypted the files in the first place. With Windows alone, you have no easy way to find out. However, you can use a tool named Efsinfo.exe to show who encrypted each file and who has permission to decrypt it, including any data recovery agents. If you have a Windows XP Professional CD, you can install Efsinfo (along with a number of other useful tools) by running \Support\Tools\Setup on the CD. Efsinfo is also available as a free download from Microsoft; browse to http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/efsinfo-o.asp. (If you prefer to type a shorter URL and don't mind clicking a few links, go to http://www.reskits.com and look for free tools in the Windows 2000 Resource Kit.)

Microsoft Knowledge Base article Q243026 has more information about Efsinfo.

A utility called EFSDump, from the good people at Sysinternals, is available at http://www.sysinternals.com/ntw2k/source/misc.shtml. Like Efsinfo.exe, EFSDump shows who encrypted a file and who has access to it.
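As an added example (not part of the original post or of either tool), the following PowerShell script performs the same audit that Efsinfo.exe /u /r does for every encrypted file under a folder, using the built-in cipher.exe /c that ships with Windows Vista and later; it flags files that have no recovery agent, which is the situation a stand-alone Windows XP computer is in until you create one. The section headers it parses ("Users who can decrypt", "Recovery Certificates", "No recovery certificate found") are assumed from cipher's English output, and the default folder is a placeholder.

```powershell
# Added example, not from the original post: report who can decrypt each
# EFS-encrypted file and whether a data recovery agent is present.
# Assumes cipher.exe /c (Vista and later) and its English output headers;
# on XP/2000 the post's Efsinfo.exe /u /r gives the same information.
param([string]$Root = "$env:USERPROFILE\Documents")   # placeholder folder

function Get-EfsFileAccess {
    param([string]$Path)
    $out = & cipher.exe /c $Path 2>&1
    $users = @(); $agents = @(); $section = $null
    foreach ($line in $out) {
        $t = "$line".Trim()
        # Section headers (assumed wording of cipher's English output).
        if ($t -like 'Users who can decrypt*')   { $section = 'users';  continue }
        if ($t -like 'Recovery Certificates*')   { $section = 'agents'; continue }
        if ($t -like 'No recovery certificate*') { $section = $null;    continue }
        if ($t -like 'Key Information*')         { $section = $null;    continue }
        # Skip blanks and thumbprint lines; keep the principal names only.
        if ($t -eq '' -or $t -like 'Certificate thumbprint*') { continue }
        switch ($section) {
            'users'  { $users  += $t }
            'agents' { $agents += $t }
        }
    }
    [pscustomobject]@{ File = $Path; Users = $users; RecoveryAgents = $agents }
}

# Only files carrying the NTFS Encrypted attribute are worth querying.
Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    ForEach-Object { Get-EfsFileAccess -Path $_.FullName } |
    ForEach-Object {
        # A file with no recovery agent is lost if its owner's key disappears.
        $status = if ($_.RecoveryAgents.Count -eq 0) { 'NO RECOVERY AGENT' } else { 'ok' }
        "{0}`n  users:  {1}`n  agents: {2}`n  status: {3}" -f $_.File,
            ($_.Users -join '; '), ($_.RecoveryAgents -join '; '), $status
    }
```

Run it from an account that can read the files' metadata (cipher /c does not need to decrypt them); any file reported as NO RECOVERY AGENT should be re-encrypted after a data recovery agent is added to the policy, since the recovery field is only written when the file is next saved.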
