Recovering data

Data recovery is important when you need to recover data that was encrypted by an employee who has since left, or when a user loses the private key. Data recovery is available through the Encrypting File System (EFS) as a part of the overall security policy for the system. For example, if you ever lose your file encryption certificate and its associated private key through disk failure, arson, or any other cause, the person who is the designated recovery agent can recover the data. In a business environment, this lets an organization recover data encrypted by an employee after that employee leaves.

Recovery policy

EFS uses recovery policies to provide built-in data recovery. A recovery policy is a type of public key policy that provides for one or more user accounts to be designated as recovery agents.

A recovery policy is configured locally for stand-alone computers. For computers that are part of a network, a recovery policy is configured at the domain, organizational unit, or individual computer level and applies to every Windows XP-based computer within that scope. A certification authority (CA) issues recovery certificates, and you use the Certificates snap-in to manage them.

In a domain, Windows XP implements a default recovery policy for the domain when the first domain controller is set up. The domain administrator is issued the self-signed certificate, which designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator. Additional recovery agents can be added to this policy and the original recovery agent can be removed at any time.

Because the Windows XP security subsystem handles enforcing, replicating, and caching the recovery policy, users can encrypt files on a system that is temporarily offline, such as a portable computer. This is similar to logging on to a domain account using cached credentials. For more information, see To change the recovery policy for the local computer and To change the recovery policy for a domain.

Recovery agents

A recovery agent is an individual who is authorized to decrypt data that was encrypted by another user. Recovery agents do not need any other permissions to function in this role. Recovery agents are useful, for example, when employees leave the company and their remaining data needs to be decrypted. Before you can add a recovery agent for a domain, you must ensure that each recovery agent has been issued an X.509v3 certificate.

Each recovery agent has a special certificate and associated private key that allows data recovery wherever the recovery policy applies. If you are the recovery agent, use the Export command in the Certificates snap-in in Microsoft Management Console (MMC) to back up the recovery certificate and the associated private key, and store them in a secure location. After backing them up, use Certificates to delete the recovery certificate from the computer. Then, when you need to perform a recovery operation for a user, first restore the recovery certificate and associated private key using the Import command in Certificates. After recovering the data, delete the recovery certificate again. You do not have to repeat the export process; the backed-up copy remains valid.

To add recovery agents for a domain, you add their certificates to the existing recovery policy. For steps on how to add recovery agents to a domain, see To add a recovery agent for a domain.

Recovery agent information that has been added or removed is not automatically applied to existing EFS files. The recovery information stored in those files is updated the next time each file is accessed. New files always use the current recovery agent information.
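The recovery-agent key hygiene described above (export the recovery certificate and private key, delete them from the computer, re-import only for the duration of a recovery, then delete again) and the caveat that existing files keep stale recovery information until they are touched can both be scripted. The following PowerShell is an added example, not code from this page or from Microsoft; it assumes a Windows version with the PKI module cmdlets (Export-PfxCertificate, Import-PfxCertificate and the certificate provider's -DeleteKey switch, available on Windows 8 / Server 2012 and later rather than on Windows XP, where the Certificates snap-in does the same job), that it runs under the designated recovery agent's account, and that the PFX path is a placeholder for removable media kept off the network.

```powershell
# Added example: EFS recovery-agent key hygiene and post-policy-change file refresh.
# Assumptions: Windows 8+/Server 2012+ PKI module, run as the recovery agent.
# $PfxPath is a placeholder; the password is prompted rather than embedded.

# Enhanced key usage OID that marks an EFS "File Recovery" certificate.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'
$PfxPath = 'E:\secure-offline\efs-recovery-agent.pfx'   # placeholder path
$PfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

function Get-RecoveryAgentCert {
    # Recovery certificates in the caller's personal store that still carry a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryEku })
        }
}

function Backup-RecoveryAgentCert {
    # Export certificate + private key once, verify the PFX exists, then remove both from the store.
    $cert = Get-RecoveryAgentCert | Select-Object -First 1
    if (-not $cert) { throw 'No EFS recovery certificate with a private key was found.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPwd | Out-Null
    if (-not (Test-Path -Path $PfxPath)) { throw "Export to $PfxPath failed; store left unchanged." }
    # -DeleteKey removes the private key material, not only the certificate entry.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    Write-Host "Backed up $($cert.Thumbprint) to $PfxPath and removed it from this computer."
}

function Invoke-EfsRecovery {
    param([Parameter(Mandatory)][string[]]$Path)
    # Restore the key only while recovering, decrypt the files, then delete the key again.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPwd
    try {
        foreach ($file in $Path) {
            # Succeeds because the recovery agent's key can unwrap the file's encryption key.
            [System.IO.File]::Decrypt($file)
            Write-Host "Decrypted $file"
        }
    }
    finally {
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
        Write-Host 'Recovery key removed from the store; the PFX backup is still valid for next time.'
    }
}

function Update-EfsRecoveryInfo {
    param([switch]$WhatIf)
    # Existing encrypted files keep old recovery-agent data until they are touched.
    # cipher.exe /u rewrites that data on every encrypted file on local drives;
    # /n makes it only list the files that would be updated.
    if ($WhatIf) { cipher.exe /u /n } else { cipher.exe /u }
}

# Typical sequence:
#   Backup-RecoveryAgentCert                              # once, after the agent is issued its certificate
#   Invoke-EfsRecovery -Path 'C:\Users\departed\report.docx'  # per recovery request (placeholder path)
#   Update-EfsRecoveryInfo -WhatIf                        # after the recovery policy changes, review first
#   Update-EfsRecoveryInfo                                # then refresh existing files
```

Running Update-EfsRecoveryInfo after adding or removing a recovery agent closes the window in which untouched files still reference the old agent; the -WhatIf pass lets you see how many files are affected before anything is rewritten.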

