Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Data recovery is important when you need to be able to recover data encrypted by an employee after the employee leaves, or when the user loses the private key. Data recovery is available through the Encrypting File System (EFS) as a part of the overall security policy for the system. For example, if you should ever lose your file encryption certificate and associated private key through disk failure, arson, or any other reason, the person who is the designated recovery agent can recover the data. In a business environment, an organization can recover data encrypted by an employee after the employee leaves.
EFS uses recovery policies to provide built-in data recovery. A recovery policy is a type of public key policy that provides for one or more user accounts to be designated as recovery agents.
A recovery policy is configured locally for stand-alone computers. For computers that are part of a network, a recovery policy is configured at the domain, organizational unit, or individual computer level, and applies to all Windows XP and Windows Server 2003 family-based computers that the policy applies to. A certification authority (CA) issues recovery certificates, and you use Certificates in Microsoft Management Console (MMC) to manage them.
In a domain, the Windows Server 2003 family implements a default recovery policy for the domain when the first domain controller is set up. The self-signed certificate is issued to the domain administrator. That certificate designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator. Additional recovery agents can be added to this policy and the original recovery agent can be removed at any time.
Because the Windows XP and Windows Server 2003 family security subsystems handle enforcing, replicating, and caching of the recovery policy, users can implement file encryption on a system that is temporarily offline, such as a portable computer. This process is similar to logging on to their domain account using cached credentials. For more information, see Change the recovery policy for the local computer and Create a recovery policy for a domain.
A recovery agent is an individual authorized to decrypt data that was encrypted by another user. Recovery agents do not need any other permissions to function in this role. Recovery agents are useful, for example, when employees leave the company and their remaining data needs to be decrypted. Before you can add a recovery agent for a domain, you must ensure that each recovery agent has been issued an X.509v3 certificate.
Each recovery agent has a special certificate and associated private key that allows data recovery wherever the recovery policy applies. If you are the recovery agent, you should be sure to use the Export command in Certificates in MMC to back up the recovery certificate and the associated private key to a secure location. After backing them up, you should use Certificates in MMC to delete the recovery certificate. Then, when you need to perform a recovery operation for a user, you should first restore the recovery certificate and associated private key using the Import command from Certificates in MMC. After recovering the data, you should again delete the recovery certificate. You do not have to repeat the export process.
To add recovery agents for a domain, you add their certificates to the existing recovery policy. For steps on how to add recovery agents to a domain, see Add a recovery agent for a domain.
Recovery agent information that has been added and removed is not automatically updated on existing EFS files. The information in these files is updated the next time the file is accessed. New files always use the current recovery agent information.