This tip is from TechRepublic’s weekly Windows 2000 Professional newsletter. Sign up instantly to begin receiving this free newsletter in your inbox.

The Encrypting File System (EFS) enables users
to securely encrypt files–a nearly effortless process because
Windows 2000 automatically creates the keys needed to encrypt and
decrypt the data. But if the user somehow deletes his or her EFS
private key, the encrypted data could be inaccessible. However,
Windows 2000 also creates a recovery agent key that can decrypt the

Windows 2000 encrypts files with the recovery
agent’s public EFS key, as well as the user’s EFS key. This means
you can use the recovery agent’s key to decrypt the files if the
user’s key is lost.

By default, the local administrator account is
the default recovery agent for computers in a workgroup. The domain
administrator is the default recovery agent for computers in a

To protect against inaccessible data if there’s
a problem with the user keys, you should back up the recovery agent
key on any systems that use EFS. To export the key on a workgroup
computer, follow these steps:

  1. Log on to the local computer using the local
    administrator account, and run Secpol.msc.
  2. Expand the Public Key Policies | Encrypted
    Data Recovery Agents branch.
  3. In the right pane, right-click the
    certificate, and choose All Tasks | Export.
  4. Choose Next when the wizard starts.
  5. Choose Yes (Export The Private Key), and
    click Next.
  6. Follow the remainder of the wizard using the
    default values, and specify a file to contain the key.
  7. When the wizard finishes, copy the newly
    created file to a safe network share, or copy it to a disk and
    secure the disk in a safe location.

In the wizard, if you choose the option to
remove the private key from the computer after the export is
complete, you must restart the workstation or domain controller for
the removal to be complete.

If you need to back up the recovery agent key
for a domain, run Dompol.msc on the first domain controller in the
domain. Use the same procedure as above to export the key to a