But what is still unclear to me is how I prevent encrypted data loss, specifically. What file or file piece do I need to back up? And for that matter, how do I correctly (usably) restore so that data is recoverable?
Does the BACKUP ERD utility back up such keys/profiles? Prior to reading your Q&A article, I had assumed that as long as my files were backed up, I could be confident of rebuilding my PC, new HD and all, and restoring my data if my disk crashed. You obviously are saying I, and a great number of other people, are mistaken.
User profiles are managed under admin tools, but what do I need to do to back up my client's keys?
Thank you very much. Also, why aren't such warnings and procedures broadcast in flashing red 72-point type along with every mention of "back up your data in case your computer crashes"?
Instructions for archiving keys are available from the help system in Windows 2000 Professional, on Microsoft's Web site, as well as in the presentation slides from my recent webcast.
In brief, you need to "export" your keys. You do this from the certificates snap-in (Start > Run > mmc > Add/Remove Snap-in > Add > Certificates > Close > OK), then navigate to Personal > Certificates and then right-click your EFS certificate in the detail pane and select "export." Don't forget to make sure you export the private key, and use a password to protect the file. Export to a floppy disk and store in a safe place. Record and store the password separately; you'll need it to "import" these keys should you need them.
And, yeah, I think there should be 72-point type or larger warning folks about this. The documentation does mention it, but most people don't read it or don't realize its importance.
This was first published in October 2002
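The export step described in the answer, scripted as an added example (not part of the original Q&A). It assumes a current Windows release with the PowerShell PKI module rather than Windows 2000; the output folder `E:\efs-backup` and the function names are assumptions chosen for illustration.

```powershell
# Added example: back up the current user's EFS certificate(s) with private key.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System
$OutDir = 'E:\efs-backup'            # assumed path; point it at removable media

function Get-EfsCertificate {
    # Personal store of the logged-on user, filtered to certificates usable for EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
    }
}

function Export-EfsKey {
    param(
        [Parameter(Mandatory)] $Cert,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Directory
    )
    # A certificate without its private key cannot decrypt anything after a rebuild.
    if (-not $Cert.HasPrivateKey) {
        Write-Warning "$($Cert.Thumbprint): no private key in this profile, skipped."
        return $false
    }
    $file = Join-Path $Directory "efs-$($Cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $Cert -FilePath $file -Password $Password `
            -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "$($Cert.Thumbprint): export failed (key may be non-exportable): $_"
        return $false
    }
    # Read the file back with the same password to confirm it opens and holds
    # the expected certificate before trusting it as a backup.
    $pfx = Get-PfxData -FilePath $file -Password $Password -ErrorAction Stop
    return ($pfx.EndEntityCertificates.Thumbprint -contains $Cert.Thumbprint)
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$password = Read-Host -AsSecureString -Prompt 'Password for the exported key file'
$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) { Write-Warning 'No EFS certificate found for this user.' }
foreach ($cert in $certs) {
    $ok = Export-EfsKey -Cert $cert -Password $password -Directory $OutDir
    '{0}  verified={1}' -f $cert.Thumbprint, $ok
}
```

On the rebuilt machine, `Import-PfxCertificate` with the same password and `-CertStoreLocation Cert:\CurrentUser\My` puts the key back in the user's Personal store, after which the restored encrypted files can be opened.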