Removing the Private Key

Removing the Private Key
To prevent someone from simply logging on as Administrator (or another designated data recovery agent) and viewing another user's encrypted files, you can export and remove the data recovery agent's private key. Keep the key in a secure location—without it, you can't use the file recovery certificate.

To remove the data recovery agent's private key, follow these steps:

Log on with the account you designated as a data recovery agent.
In Certificates (Certmgr.msc), go to Certificates - Current User\Personal\Certificates.
Right-click the File Recovery certificate (so identified in the Intended Purposes column), and then choose All Tasks, Export to launch the Certificate Export Wizard. Click Next.
Select Yes, Export The Private Key, and then click Next.
Select Enable Strong Protection and Delete The Private Key If The Export Is Successful. Click Next.

Enter a password twice, and then click Next.
Specify the path and file name for the exported file.
Click Next and then click Finish.
As with the file recovery certificates, you should copy the file to a removable disk, store it in a secure location, and then remove the file from your hard disk.

The data recovery agent's public key is now used to encrypt a copy of the FEK with each encrypted file, but because the private key is not available, the data recovery agent can't view the files. To reestablish the data recovery agent's access to encrypted files, import the private key you just exported, using the same procedure as for importing a personal certificate. For details, see Importing a Personal Encryption Certificate.