Remember to Back Up those Encrypting File System (EFS) Keys

The Encrypting File System (EFS) uses the private key on the user’s EFS certificate to encrypt files on disk. You can find this user certificate in the Certificates MMC snap-in; it lists File Encryption as its intended purpose. This certificate is extremely valuable to you, since if you lose the private key associated with it, you won’t be able to decrypt the files that you have encrypted on your hard disk.

Well, that’s not completely true. There is something called the EFS Recovery Agent. If you are running your computers in a Windows domain, then the default Recovery Agent will be the Administrator account on the first domain controller you installed in your Windows domain. You can use the private key included in the Recovery Agent’s certificate to decrypt files that other users in the domain have encrypted. This allows the Recovery Agent to take ownership of the files and then use the Recovery Agent key to decrypt the files for the user in the event that the user loses his EFS certificate with his private key.

To keep safe, the user should back up his own EFS certificate and put it in a safe place that he can access in the event that the EFS certificate is lost or corrupted. The user can use the Certificates MMC to copy the certificate to an encrypted USB key. Then, if something bad happens to the certificate, the user can import the EFS certificate back to his computer and access his encrypted data.

In a similar fashion, you should back up the EFS Recovery Agent certificates in your domain. You can use the default Recovery Agent, or you can remove the default Recovery Agent and add another user as a domain Recovery Agent. Regardless of your choice of Recovery Agents, you should back up the Recovery Agent’s private key and certificate and put it in a safe place. I recommend that you copy the key to a safe place on site and lock it away, and also maintain another copy off-site in the event that your site is destroyed by fire or some other disaster.

Also, once you copy the Recovery Agent’s private key to at least two safe places, one on site and one off site, remove the Recovery Agent’s certificate from the machine. This makes sure that you are secure in the event that the machine containing the Recovery Agent’s key is stolen.

Also, for domain admins, you do have the option to automatically archive EFS keys in your enterprise certificate server environment. There are instructions on the Web site on how to automatically archive EFS keys so that you can recover user EFS keys without having to resort to using the Recovery Agent keys.
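The user-certificate backup described above can be scripted instead of done by hand in the MMC. The following PowerShell is an added example, not from the original article: it finds the current user's EFS certificate by its Enhanced Key Usage OID, exports it with its private key to a password-protected PFX, and re-reads the file to confirm the backup is usable. It assumes Windows 8 / Server 2012 or later (for Export-PfxCertificate), that it runs as the user who owns the certificate, and that `E:\EFS-Backup` is the encrypted USB key; those paths are assumptions.

```powershell
# Added example, not the article's own code. Assumes Windows 8+/Server 2012+
# and that the script runs as the owner of the EFS certificate.

# OID of the "Encrypting File System" EKU that identifies an EFS certificate.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

# Find EFS certificates in the user's personal store that carry a private key;
# a certificate without the private key is useless for recovery.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
    }

if (-not $efsCerts) {
    throw 'No EFS certificate with a private key was found in the current user store.'
}

# Destination: the (assumed) encrypted USB key mentioned in the article.
$backupDir = 'E:\EFS-Backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# The PFX password protects the private key at rest on the backup medium.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

foreach ($cert in $efsCerts) {
    $pfxPath = Join-Path $backupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

    # Verify before trusting the file as a backup: load the PFX again and
    # confirm it holds the private key and matches the original thumbprint.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $pfxPath, $pfxPassword, 'Exportable')
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup verification failed for $pfxPath"
    }
    Write-Host "Backed up EFS certificate $($cert.Thumbprint) to $pfxPath (expires $($cert.NotAfter))"
}
```

The built-in `cipher.exe /x` command performs the same user-certificate backup interactively, and `cipher.exe /r:<name>` generates a Recovery Agent certificate and key pair that should be stored the same way.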

For more information about EFS, check out:



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)
