Ask the Expert

How can I select a different EFS recovery agent?

Hi, Roberta. There have been many requests in my organization to let laptop users (standalone machines) use EFS to encrypt files. I've been reading your articles and replies to questions on this topic.

My understanding is that the backup and recovery of keys is very important. I do not have a certificate authority available to create the certificates of recovery agents. What are the steps or processes I need to take to ensure that I can recover the encrypted files if I do not want to use the default administrator account in each laptop as the recovery agent?

Are you saying you don't want a recovery agent or you just don't want to have the local administrator be the recovery agent? I'm assuming the latter.

First, I would strongly recommend that users use machines that are joined to a domain. This way the domain admin will be the default recovery agent, not the local admin. (With Windows XP there is no default recovery agent; however, XP in a domain will use the recovery agent if one exists.)

You can remove the private key (not the certificate, but the private key) from the domain controller (DC) and keep it safe. The public key will still be used to encrypt the FEK (File Encryption Key) of each encrypted file. If you follow best practices and do not allow anyone to log on using the domain administrator account, you can reserve that account for recovery if it ever becomes necessary. When it does, log on with that account to a recovery station (a computer set up for this purpose), import the certificate and private key, and recover the files. Afterwards, the private key needs to be removed from the recovery station again.

Second, I would advise that all users who do encrypt files be taught how to make their own backup of their keys and how to keep this copy safe and away from their laptop.

As a third recommendation, traveling users can remove their private key from the laptop and carry it on a floppy in a safe container separate from the laptop. They can import it to decrypt files while on the road, and export it when traveling or when locking the computer in their hotel room (locked to something solid with a computer lock or in a safe). If the laptop is stolen, since no private key is on board, no attacker can decrypt the files.

Finally, make sure all laptops are purged of old administrator account default certificates and keys!

And make sure you test these scenarios before sending folks on the road!
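The key handling described above (create a recovery agent without a CA, move the private key offline while leaving the public certificate in place, and bring it back only on a recovery station) as an added PowerShell example, not code from the column itself. It assumes Windows PowerShell 5.1 with the PKI module, running in the recovery agent's own user context; the file paths and the removable-drive letter are placeholders.

```powershell
# Added example: keep an EFS recovery private key offline.
# Assumes Windows PowerShell 5.1 + PKI module; paths and drive letters are placeholders.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'      # Microsoft EKU: Encrypting File System
$DraEku = '1.3.6.1.4.1.311.10.3.4.1'    # Microsoft EKU: File Recovery (recovery agent)

function Get-EfsCertificate {
    # Lists EFS and recovery-agent certificates in the current user's store, so stale
    # ones (e.g. an old default Administrator certificate) can be spotted and purged.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $oids = $_.EnhancedKeyUsageList.ObjectId
        ($oids -contains $EfsEku) -or ($oids -contains $DraEku)
    } | Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
}

function New-OfflineRecoveryAgent {
    # No CA needed: cipher /r writes a self-signed recovery certificate (<name>.cer)
    # and its private key (<name>.pfx, password-protected). Add the .cer to the EFS
    # recovery policy (secpol.msc or GPO: Public Key Policies > Encrypting File System)
    # and keep the .pfx on removable media, never on the laptops.
    param([string]$BaseName = 'E:\efs-dra')   # E: = removable media (placeholder)
    cipher.exe /r:$BaseName
}

function Export-EfsKeyOffline {
    # Export the private key to a PFX, then leave only the public certificate in the
    # store: the certificate provider removes cert and key together, so the public
    # half is exported first and imported back afterwards.
    param([string]$Thumbprint, [string]$PfxPath, [SecureString]$Password)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    $cerPath = [IO.Path]::ChangeExtension($PfxPath, '.cer')
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
    Remove-Item "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
    Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\CurrentUser\My | Out-Null
}

function Invoke-EfsRecovery {
    # On the recovery station: import key, decrypt the folder tree, remove the key again.
    param([string]$PfxPath, [SecureString]$Password, [string]$Folder)
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $Password `
        -CertStoreLocation Cert:\CurrentUser\My
    cipher.exe /d /s:"$Folder"                               # decrypt recursively
    Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

Run Get-EfsCertificate afterwards and confirm HasPrivateKey is False for the recovery certificate on every machine that is not the recovery station.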

This was first published in March 2003
