Data Recovery Agent Information
Beware that any encryption can result in irretrievable loss of data if the keys/passwords are misplaced or destroyed; consult a qualified system administrator if you feel you need assistance.
Data Recovery Agent Information
When you become a DRA, first you must have rights to manage an Organizational Unit (OU) in Active Directory. To establish your OU rights, submit a HelpSU Request to the Windows System Group using Request Category: and Request Type:.
Next, submit a HelpSU request (using the same category and type shown above) to have a Group Policy Object (GPO) created for your OU. The Windows System Group will link it to your OU. If it is not linked to your OU, you may link it using these instructions.
Meanwhile, you may create your certificate.
- From a command prompt, type cipher /r:<file name>. For the file name, choose something you'll be able to remember like "certificate". Example: cipher /r:certificate.
System responds "Please type in the password to protect your .PFX file"
- Select an appropriately secure password that you will be able to remember.
- Confirm your password.
Your certificate (.CER) and private key (.PFX) are created.
These files (.CER and .PFX) must be exported to removable media. You may burn them to CD or USB thumbdrive. Store a copy of the exported file in a secured location.
- From Windows Explorer, go to the location you specified when creating the certificates.
- Move the files to your removable media.
- Verify that the files have been successfully copied.
- Delete the certificates from your computer.
Edit your GPO using the Group Policy Management Console (GPMC).
- In the GPMC, go to Computer Configuration>Windows Settings>Security Settings>Public Key Policies>Encrypting File System.
- In the right hand column, right-click and select Add Data Recovery Agent….
The Add Recovery Agent Wizard appears.
- Click the Next button.
- Click the Browse Folders button.
- Navigate to your certificates on your removable media. Select the .CER file and click Open.
The Recovery agents: box displays the certificate.
- Click Next.
- Click Finish.
Users are now ready to start encrypting files. If they have previously encrypted files, the next time the user touches the file, the DRA cert will be associated with the file. To force an update to all previously encrypted files, run ciper /u on the user's computer.
If users lose their keys or leave Stanford, you may recover their files. The process of recovery is similar to decryption once the recovery key is available on the system.
To recover a file or folder onto the file owner's computer:
- Bring your removable media with your keys and certificates (.CER and .PFX) to the file owner's computer.
- Import your certificate to the computer.
- Using Windows Explorer, right-click on your encrypted file or folder and select Properties.
- Click the Advanced button.
- Uncheck the Encrypt Contents to Secure Data checkbox and click OK.
- Click OK to close the Properties window.
- Remove your certificate from the computer.
To recover a file or folder onto a different computer:
- Back up the files or folder to a .bkf file from the system where they currently exist.
- Copy the .bkf file to the secured recovery agent's computer.
- The recovery agent should restore the files or folder in the .bkf file locally on a secured system.
- With a recovery key installed, the recovery agent can simply open each file, or use the Windows Explorer Properties dialog box to decrypt individual files or entire folders.
Additional Technical Information
Microsoft offers extensive documentation for EFS.
- Using Encrypting File System
- Step-by-Step Guide to Using the Encrypting File System
- Data Protection and Recovery in Windows XP—includes links to EFS Knowledgebase articles