Securing the Recovery Key
As mentioned earlier in this chapter, it is recommended that you remove private keys for recovery agent accounts from the computers by exporting the keys to removable media and then putting the keys in locked storage. This should be done with the default recovery keys before any changes are made to recovery policy.
The Certificate Export wizard accomplishes this purpose. This wizard is available through the Certificates console (a Microsoft Management Console snap-in). For more information about using the Certificates console and the Certificate Export wizard, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.
If you are securing the recovery key for a stand-alone computer, log on as Administrator. The EFS recovery agent certificate is contained in the personal certificate store for the Administrator account.
If you are securing the recovery key for a domain, log on as Administrator on the initial domain controller created for the domain. The EFS recovery agent certificate is contained in the personal certificate store for the Administrator account of the first domain controller installed for the domain.
Use the Certificate Export wizard to export the certificate and private key to a removable medium. For information about how to export a certificate and its private key, see Certificates Help, and see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.
To delete the private key from the computer, you must select the Delete the private key if the export is successful check box on the Export File Format page of the wizard. When you have completed the wizard, the private key is deleted from the computer and the recovery agent certificate and private key resides in a .pfx file in the folder or drive that you have specified. Now you need to protect the .pfx file by putting it into secure storage.
To protect a .pfx file
If you created the .pfx file on a floppy disk, the file is right where it should be — on a medium that can be physically removed and locked away in another location. If you did not create the .pfx file on a floppy disk, copy it to a floppy disk and delete it from your hard disk drive.
Remove the floppy disk and make a backup copy of the .pfx file on another floppy disk. Store both floppy disks in safes or in a secure place. One floppy disk should be stored in a secure offsite location.
You then can use the Certificates console to import the .pfx file to a recovery computer and perform recovery operations. After recovering encrypted files, secure the private key again.
An alternative to securing the private key on removable storage media is to use physically secured stand-alone computers for recovery operations and leave the private key for recovery on the computer. You then log on to the recovery agent account and use the secure computer for data recovery only. It is important, however, that you keep a backup of the certificate and private key so you can restore them to the recovery computer if necessary. You can use the Certificate Export wizard to create a backup of the recovery agent certificate and private key, but make sure the Delete the private key if the export is successful check box is cleared before completing the wizard. You cannot use the computer for recovery if the private key is deleted.
You can also store the recovery agent certificate and private key on a smart card. You must map the smart card certificate to the designated recovery account by using the certificate mapping feature of the Active Directory Users and Computers console (a Microsoft Management Console snap-in). You then can perform recovery operations with the certificate and private key that are stored on the smart card. You can perform recovery operations from any Windows 2000–based computer in the domain that has a smart card reader. It is a good idea to maintain a secure backup of the recovery agent certificate and private key in case the smart card is damaged or ceases to work properly. As long as you have the recovery certificate and private key in archives, you can import the certificate and key to a computer and use it for recovery operations. For more information about storing certificates on smart cards, see "Windows 2000 Certificate Services and Public Key Infrastructure" and "Choosing Security Solutions That Use Public Key Technology," in this book. For more information about certificate mapping, see "Windows 2000 Certificate Services and Public Key Infrastructure" in this book.