Managing Key Archival and Recovery

Applies To: Windows Server 2008 R2

When users lose their private keys, any information that was persistently encrypted with the corresponding public key is no longer accessible. Using key archival and recovery helps protect encrypted data from permanent loss if, for example, an operating system needs to be reinstalled, the user account to which the encryption key was originally issued is no longer available, or the key is otherwise no longer accessible. To help protect private keys, a Microsoft enterprise certification authority (CA) can archive a user's keys in its database when certificates are issued. These keys are encrypted and stored by the CA.

This private key archive makes it possible for the key to be recovered at a later time. The key recovery process requires an administrator to retrieve the encrypted certificate and private key and then a key recovery agent to decrypt them. When a correctly signed key recovery request is received, the user's certificate and private key are provided to the requester. The requester would then use the key as appropriate or securely transfer the key to the user for continued use. As long as the private key is not compromised, the certificate does not have to be replaced or renewed with a different key.

Key archival and recovery are not enabled by default. This is because many organizations would consider the storage of the private key in multiple locations to be a security vulnerability. Requiring organizations to make explicit decisions about which certificates are covered by key archival and recovery and who can recover archived keys helps ensure that key archival and recovery are used to enhance security rather than detract from security.

You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To configure your environment for key archival of Encrypting File System (EFS) certificates

  1. Create a key recovery agent account or designate an existing user to serve as the key recovery agent.

  2. Configure the key recovery agent certificate template and enroll the key recovery agent for a key recovery agent certificate. For information, see Identify a Key Recovery Agent.

  3. Register the new key recovery agent with the CA. For information, see Enable Key Archival for a CA.

  4. Configure a certificate template, such as Basic EFS, for key archival, and enroll users for the new certificate. If users already have EFS certificates, ensure that the new certificate will supersede the certificate that does not include key archival. For information, see Configure a Certificate Template for Key Archival.

  5. Enroll users for encryption certificates based on the new certificate template.

    Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued before key recovery was enabled, data encrypted with these certificates is not covered by key archival.
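The five steps above as one PowerShell walk-through, added here as an example; it is not part of the original article and is not Microsoft's own script. It assumes the CA runs on the local host, that the key recovery agent enrolls as the user kra-agent, and that the template configured in step 4 is a duplicate of Basic EFS named "EFSArchived" (Basic EFS is a version 1 template and cannot be edited directly). The `KRACertHash` and `KRACertCount` CA registry values used for step 3 are an assumption about what the Recovery Agents tab of the CA properties writes; the documented route is that tab, as described in Enable Key Archival for a CA. The closing section shows the retrieve-then-decrypt flow from the second paragraph, with `alice@contoso.com` as a constructed example user.

```powershell
# Added example, not from the original article or from Microsoft's documentation set.
# Assumptions: local enterprise CA, KRA user kra-agent, duplicated template "EFSArchived".
# Run from an elevated PowerShell session as a CA administrator; the template edits also
# need write permission on the template object in the configuration partition.

Import-Module ActiveDirectory

$template = 'EFSArchived'   # assumed name of the copy of Basic EFS
$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# --- Step 4: require key archival on the template and supersede Basic EFS ---------
# CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag is the bit that
# the "Archive subject's encryption private key" check box sets.
$t = Get-ADObject -Identity $tmplDN -Properties 'msPKI-Private-Key-Flag','msPKI-Supersede-Templates'
$flags = [int]$t.'msPKI-Private-Key-Flag'
if (($flags -band 0x1) -eq 0) {
    Set-ADObject -Identity $tmplDN -Replace @{ 'msPKI-Private-Key-Flag' = ($flags -bor 0x1) }
}
# "EFS" is the common name of the Basic EFS template; listing it here makes the new
# certificate supersede the non-archived one, as step 4 requires.
Set-ADObject -Identity $tmplDN -Replace @{ 'msPKI-Supersede-Templates' = @('EFS') }

# --- Steps 2-3: publish the KRA template, then register the KRA certificate ---------
certutil -setcatemplates +KeyRecoveryAgent
# The KRA enrolls for its certificate (Identify a Key Recovery Agent) before this point.
# Assumption: KRACertHash / KRACertCount are the CA registry values the Recovery Agents
# tab writes. Paste the thumbprint of the issued KRA certificate below.
$kraThumbprint = '<thumbprint of the KRA certificate>'   # placeholder
certutil -setreg "ca\KRACertHash" $kraThumbprint
certutil -setreg "ca\KRACertCount" 1

# --- Step 5: make the archiving template available for enrollment -----------------
certutil -setcatemplates +$template
Restart-Service CertSvc    # CA registry changes take effect on service restart

# --- Recovery flow (second paragraph of the article) --------------------------------
# CA administrator: list archived keys for a user, then export the encrypted blob.
# Only certificates issued from the archiving template are listed; older EFS
# certificates are not, which is the gap the note under step 5 describes.
certutil -getkey 'alice@contoso.com'
certutil -getkey 'alice@contoso.com' "$env:TEMP\alice.pkb"
# Key recovery agent (run as kra-agent, who holds the KRA private key): decrypt the
# blob into a password-protected PFX for secure return to the user.
certutil -recoverkey "$env:TEMP\alice.pkb" "$env:TEMP\alice.pfx"
```

The two halves of the recovery flow are deliberately separated: `certutil -getkey` needs CA administrator rights but yields only a blob encrypted to the KRA certificate, and `certutil -recoverkey` needs the KRA private key but no CA access, so neither role alone can recover a user's key.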

For more information about key archival and recovery, see Key Archival and Recovery in Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkID=92523).

Additional references