Windows XP Pro: Using File Encryption - part 3
This time around it's safety first, as Dave Cook describes how to back up those all-important certificates
So far we've covered how to enable the Encrypting File System (EFS) and how to create a recovery agent on a different user account from the one that holds your encrypted files.
As we explained in part two, a recovery agent allows you to access encrypted files should something happen to your user account. With that taken care of, you can begin encrypting all your important data.
If you wish you can simply move your data to the encrypted folder and have Windows automatically encrypt your files for you. Alternatively, you can follow our instructions in part one and start afresh by encrypting a different folder - such as the My Documents folder.
Before getting carried away, though, you should further protect the encrypted files by backing up both your personal certificate and the recovery agent's certificate. They're both extremely important because, without the private key belonging to at least one of them, the encrypted files will be unusable.
Encrypted files are backed up in the normal way using the Windows Backup utility. The files remain encrypted as part of the backup media. However, the routine for backing up your personal encryption certificate is another matter.
Begin by logging on to your user account. Then open either the Certificates snap-in for the Microsoft Management Console or Internet Explorer. If it's the latter, select [Tools], [Internet Options] and click the [Content] tab.
- Click [Certificates] to open the Certificates dialogue box.
- On the Personal tab, select the certificate which describes itself as the Encrypting File System. There may be more than one certificate, so choose with care.
- Click [Export] to launch the Export Wizard, and then click [Next].
- Select Yes, Export The Private Key, and click [Next] twice.
- Specify the password for the .pfx file. Click [Next]. Specify the path and filename for the exported file.
- Click [Next], and click [Finish].
Now that you've exported a backup of the personal certificate (and stored it in a safe place) you're prepared for the following situations:
- You lose your original key, or it becomes corrupt.
- You wish to use your encrypted files on another computer.
Either situation requires you to import the personal certificate. We'll show you how to import your personal certificate later in the series.
Should the worst happen and your personal encryption certificate becomes unavailable for any reason, the recovery agent certificate provides you with an alternative for accessing your encrypted files. Thus, backing up this certificate is just as important as backing up your personal encryption certificate.
To back up the recovery agent certificate, log on to the same user account where you created the recovery agent and click [Start], [Run], and type secpol.msc to open the Local Security Settings console. Or go to Control Panel, Performance And Maintenance, Administrative Tools, and then Local Security Policy.
Go to Security Settings\Public Key Policies\Encrypting File System.
- Right-click the certificate issued for the purpose of File Recovery.
- Then choose [All Tasks], [Export] to launch the Certificate Export Wizard, and click [Next]. This opens the Export File Format page.
- Select the DER Encoded Binary X.509 (.CER) format, and click [Next].
- Specify the path and filename for the exported file. Click [Next], and then click [Finish].
- Finally, remember to store all your certificate files in a secure place.
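Both export procedures above (the personal certificate with its private key as a password-protected .pfx, and the recovery agent's certificate as a DER-encoded .cer) can also be scripted. The following is an added example, not code from the original article: it uses the .NET X509Store classes available to Windows PowerShell to find EFS certificates by their enhanced key usage, writes the backups, and then reloads each .pfx to confirm the private key really made it into the file. It assumes Windows PowerShell 2.0 or later is installed, that you run it on the account that owns the certificate (the recovery agent's own account for the File Recovery certificate), and that the destination directory `D:\efs-backup` is a placeholder you replace with removable media. The function names are my own.

```powershell
# Added example: script the EFS certificate backups described in the article.
# Assumes Windows PowerShell 2.0+ on Windows XP or later, run as the owning user.

$efsEku      = '1.3.6.1.4.1.311.10.3.4'    # Enhanced key usage: Encrypting File System
$recoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced key usage: File Recovery

function Get-EfsCertificate {
    # Return every certificate in CurrentUser\My whose EKU extension carries $Oid.
    param([string]$Oid)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $store.Certificates | Where-Object {
            $eku = $_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            # Require an explicit EKU match; do not treat "no EKU" as "any purpose".
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
        }
    } finally {
        $store.Close()
    }
}

function Export-EfsPersonalCertificate {
    # Equivalent of the wizard's "Yes, Export The Private Key" path: one .pfx per
    # EFS certificate, named by thumbprint because there may be more than one.
    param([string]$Directory, [System.Security.SecureString]$Password)
    $certs = @(Get-EfsCertificate -Oid $efsEku | Where-Object { $_.HasPrivateKey })
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found in CurrentUser\My.' }
    $null = New-Item -ItemType Directory -Force -Path $Directory
    foreach ($cert in $certs) {
        $file  = Join-Path $Directory ("efs-personal-" + $cert.Thumbprint + ".pfx")
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($file, $bytes)

        # Verify the backup before trusting it: reload the .pfx with the same
        # password and check that the private key and thumbprint survived.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file, $Password)
        if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
            throw "Backup at $file failed verification; do not rely on it."
        }
        Write-Host "Exported personal certificate $($cert.Thumbprint) with private key to $file"
    }
}

function Export-EfsRecoveryCertificate {
    # Equivalent of the secpol.msc export in DER Encoded Binary X.509 (.CER) format.
    # Assumption: run on the recovery agent's account, so the certificate is in its
    # CurrentUser\My store. No private key is written here, matching the article.
    param([string]$Directory)
    $certs = @(Get-EfsCertificate -Oid $recoveryEku)
    if ($certs.Count -eq 0) { throw 'No File Recovery certificate found in CurrentUser\My.' }
    $null = New-Item -ItemType Directory -Force -Path $Directory
    foreach ($cert in $certs) {
        $file  = Join-Path $Directory ("efs-recovery-" + $cert.Thumbprint + ".cer")
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes($file, $bytes)

        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file)
        if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Backup at $file failed verification." }
        Write-Host "Exported recovery certificate $($cert.Thumbprint) (public part only) to $file"
    }
}

# Usage. 'D:\efs-backup' is a placeholder; point it at removable media kept offline.
$backupDir = 'D:\efs-backup'
$pfxPassword = Read-Host 'Password to protect the .pfx backup' -AsSecureString
Export-EfsPersonalCertificate -Directory $backupDir -Password $pfxPassword
Export-EfsRecoveryCertificate -Directory $backupDir
```

The verification step is the part worth keeping even if you prefer the wizard: a .pfx that was written without its private key, or whose password you mistyped, looks identical on disk until the day you need it. Windows XP SP2 and later also ship `cipher /x`, which writes the current user's EFS certificate and keys to a .pfx in one command; the reload check above applies to that file just the same.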
In our next look at EFS we'll show you how to remove the recovery agent's private key from the computer. It's a vital operation: otherwise, anyone who knows the correct password will be able to view your encrypted files simply by logging on to the account holding the Recovery Agent.