My understanding is that the backup and recovery of keys is very important. I do not have a certificate authority available to create the certificates of recovery agents. What are the steps or processes I need to take to ensure that I can recover the encrypted files if I do not want to use the default administrator account in each laptop as the recovery agents?
First, I would strongly recommend that users use machines that are joined to a domain. This way the domain admin will be the default recovery agent, not the local admin. (With Windows XP there is no default recovery agent; however, XP in a domain will use the recovery agent if one exists.)
You can remove the private key (not the certificate, but the private key) from the domain controller (DC), and keep it safe. The public key will be used to encrypt the FEK (File Encryption Key) of the encrypted files. If you follow best practices and do not allow anyone to log on using the domain administrator account, you can reserve that account to be used for recovery if necessary. You can log on with that account to a recovery station (a computer set up for this purpose), import the certificate and private key, and recover the files. Afterwards, the private key needs to be removed from the recovery station.
Second, I would advise that all users who do encrypt files be taught how to make their own backup of their keys and how to keep this copy safe and away from their laptop.
As a third recommendation, traveling users can remove their private key from the laptop and carry it on a floppy in a safe container separate from the laptop. They can import it to decrypt files while on the road, and export it when traveling or when locking the computer in their hotel room (locked to something solid with a computer lock or in a safe). If the laptop is stolen, since no private key is on board, no attacker can decrypt the files.
Finally, make sure all laptops are purged of old administrator account default certificates and keys!
And make sure you test these scenarios before sending folks on the road!
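The export, remove and re-import cycle the answer describes, both for the recovery agent's key on the DC and for a traveling user's own key, as an added PowerShell example. This is not code from the original column or from Microsoft. It assumes Windows 8 / Server 2012 or later with the PKI module cmdlets (Export-PfxCertificate, Export-Certificate, Import-Certificate, Import-PfxCertificate), the built-in Cert: drive, and an EFS key that was generated exportable (the default for EFS self-signed keys); the function names, the E:\ removable drive and the file names are the example's own choices.

```powershell
# Added example (not from the original column). Assumes Windows 8 / Server 2012 or later
# (PKI module cmdlets Export-PfxCertificate, Export-Certificate, Import-Certificate,
# Import-PfxCertificate) and runs as the user whose key is being handled: the traveling
# user on the laptop, or the domain administrator for the recovery agent key.
# Function names, the E:\ drive and the file names are this example's own choices.

# Enhanced-key-usage OIDs Windows puts on EFS certificates.
$EfsUserOid     = '1.3.6.1.4.1.311.10.3.4'    # "Encrypting File System": a user's own key
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # "File Recovery": a data recovery agent key

function Get-EfsCertificate {
    # EFS certificates in a store that still have a private key on this machine.
    param(
        [string]$Oid   = $EfsUserOid,
        [string]$Store = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $Store | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $Oid)
    }
}

function Backup-EfsKey {
    # Export certificate plus private key to a password-protected PFX, then read the PFX
    # back and confirm it really holds this key before anything is deleted locally.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password
    )
    Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $Password | Out-Null
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $PfxPath, $Password
    if ($check.Thumbprint -ne $Cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup of $($Cert.Thumbprint) to $PfxPath could not be verified; key NOT removed."
    }
}

function Remove-EfsPrivateKey {
    # Keep the certificate (public key) in the store but destroy the private key:
    # export the public part, delete certificate and key container, re-import the public part.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store = 'Cert:\CurrentUser\My'
    )
    $cerPath = Join-Path $env:TEMP ("{0}.cer" -f $Cert.Thumbprint)
    Export-Certificate -Cert $Cert -FilePath $cerPath | Out-Null
    Remove-Item -Path (Join-Path $Store $Cert.Thumbprint) -DeleteKey
    Import-Certificate -FilePath $cerPath -CertStoreLocation $Store | Out-Null
    Remove-Item -Path $cerPath
}

function Restore-EfsKey {
    # Bring the key back from the PFX (on the road, or on the recovery station).
    # -Exportable so it can be removed again with Backup-EfsKey / Remove-EfsPrivateKey.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password,
        [string]$Store = 'Cert:\CurrentUser\My'
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store `
        -Password $Password -Exportable | Out-Null
}

# --- Usage: traveling user, before locking the laptop away ---------------------------
$media = 'E:\'                                    # removable media kept apart from the laptop
$pw    = Read-Host -AsSecureString 'PFX password'
foreach ($c in Get-EfsCertificate) {
    $pfx = Join-Path $media ("efs-{0}.pfx" -f $c.Thumbprint)
    Backup-EfsKey -Cert $c -PfxPath $pfx -Password $pw
    Remove-EfsPrivateKey -Cert $c
}
# Check: nothing left on the disk may still be able to decrypt the files.
if (Get-EfsCertificate) { throw 'An EFS private key is still present on this machine.' }

# Same cycle for the recovery agent key, run as the domain administrator on the DC:
#   Get-EfsCertificate -Oid $EfsRecoveryOid  (then Backup-EfsKey and Remove-EfsPrivateKey)
# and on the recovery station, once the files are recovered:
#   Restore-EfsKey, recover the files, then Remove-EfsPrivateKey again.
```

The order matters: the backup is verified by reading the PFX back before the local key is deleted, so a failed export never leaves the user without any copy. While the private key is off the laptop, existing encrypted files cannot be opened and no new files should be encrypted until the key is restored with Restore-EfsKey. In the 2003-era tooling the same steps were the Certificates MMC export wizard with "Delete the private key if the export is successful" checked, and a recovery agent certificate can be generated without any certificate authority with `cipher /r:<name>`, which writes a self-signed .cer and .pfx pair; on current Windows, `cipher /c <file>` lists which user and recovery certificates can decrypt a given file, which is a quick way to test the scenarios before anyone travels.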
This was first published in March 2003