
When should I back up users' private keys?

We are currently looking to support encryption on the laptops of our home-based users (just on the local computers -- not on our servers). I'm looking to find out when I should back up users' private keys. Obviously, I should get the local admins backed up as they will be the Recovery Agent, and have a copy of the users' keys initially, but do the keys change leaving the backups useless? For example, if the user's password changes, if an administrator forces a PW change, installation of service packs, etc.

When using Windows Encrypting File System, it is imperative the keys are backed up. I am so glad that you realize that. I don't know if you are using Windows 2000 or Windows XP on the desktop, so I'll provide some information on both. There are several issues here:

First, keys do not just change arbitrarily; in most cases the keys will only change if the certificate expires, unless some action has been taken. Here's a list of potential times when keys may change.

  • The user's profile gets deleted or corrupted. When a new profile is created, a new certificate is created from a newly generated public and private key pair.
  • If you set up a file server to store encrypted files on and users do not use roaming profiles, new keys are created: different ones from the ones on the desktop.
  • With Windows XP, not joined in a domain, if the local administrator resets the user's password, association with the key pair is lost; the user cannot decrypt the encrypted files. A new key pair can be generated. (If the user changes his password, no problem will occur. In a domain, this is not an issue.)
  • The keys are exported and the choice to remove the private key is selected. If keys can be successfully exported -- the private key is deleted.
  • The user's certificate is deleted.
  • The user uses a different computer.
  • The operating system is reinstalled.

Remember, keys do not arbitrarily change: you have to do something, or something has to happen that removes or damages the existing keys, or the certificate must expire. However, things do happen. This, of course, is why you back up keys; even if a new key pair is generated, if you have a backup of the old one, you can decrypt those old files.

Second: Are desktop machines members of a domain? If they are, the domain administrator is the default recovery agent, not the local administrator. Don't forget to back up the domain administrator keys. If machines are not members of a domain, then the Windows 2000 local administrator is the default recovery agent. However, Windows XP Professional does not have a recovery agent! So, do back up recovery agent keys if there is a recovery agent. The same possibilities exist for lost, damaged or deleted keys.

Finally: As you might guess, backing up user keys on a one-by-one basis can really be a chore. Keeping track of possible changes can add to the management picture. Do make backups, and if you cannot move to a PKI-based implementation, train users on how to back up their own keys, and how to protect these backups.
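As an added example (not part of the expert's answer above), here is a PowerShell script a user can run in their own session to back up their EFS certificate and private key to a password-protected PFX file, and to record the thumbprint so a later key change (for instance after a profile rebuild) is noticeable at the next backup. It assumes Windows 8 / Server 2012 or later with the PKI module (Export-PfxCertificate); the backup folder name is an assumption.

```powershell
# Added example: back up the current user's EFS certificate and private key.
# Assumes the PKI PowerShell module (Windows 8 / Server 2012 or later).
# Run it as the user, since the private key lives in that user's profile.

param(
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'EFS-Backup')  # assumed location
)

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$efsEku = '1.3.6.1.4.1.311.10.3.4'

# Find EFS certificates in the user's personal store that still have a private key.
# A certificate without a private key cannot decrypt anything, so it is not worth backing up.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku })
    }

if (-not $certs) {
    Write-Warning 'No EFS certificate with a private key found for this user.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# The PFX password is what protects the exported private key; the backup is only as
# safe as this password and the place the file is stored.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX backup'

foreach ($cert in $certs) {
    # One file per certificate, named by thumbprint, so an old key is never overwritten
    # by a newly generated one (the answer notes old keys are needed for old files).
    $file = Join-Path $BackupDir ("efs-{0}-{1}.pfx" -f $env:USERNAME, $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null
    Write-Host ("Backed up {0} (expires {1}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, $file)
}

# Keep an inventory of backed-up keys; a new thumbprint next time means the key changed.
$certs | Select-Object Thumbprint, NotBefore, NotAfter, Subject |
    Export-Csv -Path (Join-Path $BackupDir 'efs-keys.csv') -NoTypeInformation -Append
```

On the Windows XP systems the answer discusses, the built-in equivalents are the Certificates MMC export wizard (choose to export the private key) or, on XP SP2 and later, `cipher /x`.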
