Security

It is recommended that you remove private keys for recovery agent accounts from the computers by exporting the keys to removable media and then putting the keys in locked storage. This should be done with the default recovery keys before any changes are made to recovery policy.

The Certificate Export wizard accomplishes this purpose. This wizard is available through the Certificates console. For more information about using the Certificates console and the Certificate Export wizard, see Windows 2000 Professional Help or Windows 2000 Server Help.

You must log on as Administrator, because the EFS recovery agent certificate is contained in the personal certificate store for the Administrator account. You can then use the Certificate Export wizard to export the certificate and private key to a removable medium. For information about how to export a certificate and its private key, see Certificates Help.

To delete the private key from the computer, you must select the Delete the private key if the export is successful check box on the Export File Format page of the wizard. When you have completed the wizard, the private key is deleted from the computer, and the recovery agent certificate and private key reside in a .pfx file in the folder or drive that you have specified. You then need to protect the .pfx file by putting it into secure storage.
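The same export-and-delete procedure, scripted as an added example (not from the original documentation) for a current Windows version; the Export-PfxCertificate, Get-PfxData and certificate-provider cmdlets it relies on did not exist on Windows 2000. The removable drive letter and output file name are assumptions, and the script must run in the recovery agent's own session so that Cert:\CurrentUser\My is that account's personal store.

```powershell
# Added example, not part of the original page. Assumes an elevated session as the
# recovery agent account and that E:\ is the removable medium the .pfx goes to.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" used by EFS recovery agents
$Destination     = 'E:\efs-recovery-agent.pfx'   # assumed removable drive and file name

# Locate the recovery agent certificate in the personal store of the current account.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid) }

if (-not $cert) { throw 'No EFS recovery agent certificate with a private key was found.' }
if (@($cert).Count -gt 1) { throw 'More than one recovery certificate found; select one by thumbprint.' }

# The PFX password is prompted for and never written into the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Export the certificate together with its private key.
Export-PfxCertificate -Cert $cert -FilePath $Destination -Password $pfxPassword | Out-Null

# Equivalent of the wizard's "Delete the private key if the export is successful":
# remove the certificate and its key from the local store only after the PFX reads back.
$check = Get-PfxData -FilePath $Destination -Password $pfxPassword
if ($check.EndEntityCertificates.Thumbprint -contains $cert.Thumbprint) {
    Remove-Item -Path $cert.PSPath -DeleteKey
    Write-Host "Private key removed from this computer; PFX stored at $Destination"
} else {
    throw 'Exported PFX did not verify; the private key was left in place.'
}

# Confirm that no recovery certificate with a private key remains in the store.
Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { ($_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid) -and $_.HasPrivateKey }
```

The final command should print nothing; any line of output means a copy of the recovery key is still on the computer.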

To protect a .pfx file

  1. If you created the .pfx file on a floppy disk, the file is right where it should be — on a medium that can be physically removed and locked away in another location. If you did not create the .pfx file on a floppy disk, copy it to a floppy disk and delete it from your hard disk drive.

  2. Remove the floppy disk and make a backup copy of the .pfx file on another floppy disk. Store both floppy disks in safes or in a secure place. One floppy disk should be stored in a secure offsite location.

You can then use the Certificates console to import the .pfx file to a recovery computer and perform recovery operations. After recovering encrypted files, secure the private key again.