Two proactive steps to protect data when using Windows EFS

Depending on the community that your network serves and the information contained on that network, the government may require you to encrypt that data. But even if you're not subject to such legislation, encryption can be a good idea.

Users have many responsibilities, and low on their list of priorities is managing security for the network. If you have a small business network or just a few Windows computers run in a workgroup environment, you can take advantage of the Windows Encrypting File System (EFS). If you aren't running EFS, I strongly advise you to do so.

However, nothing is fail-proof, and systems fail. That's why I also strongly advise you to plan for EFS failure.

Encryption is a great method for securing information, but it's entirely useless if you can't read that information due to a lost or damaged EFS key. If you've enabled EFS but forgot to back up your keys, here's the solution to that problem.

Create a local recovery agent

In a non-domain environment, such as a stand-alone computer or a workgroup, you must first create a local recovery agent if multiple users share the computer. If your computers have only a single user account, you can jump ahead to key recovery. However, I still recommend creating a local recovery agent -- you never know when you might add a user to that machine.

To create the recovery agent, follow these steps:

  1. Log onto the computer with an account that has administrator credentials.
  2. Go to Start | Run, type mmc, and click OK.
  3. Go to File | Add/Remove Snap-in, and click the Add button.
  4. In the Add Standalone Snap-in dialog box, select Group Policy Object Editor, and select Add.
  5. Under Group Policy Object, make sure it displays Local Computer, and click Finish.
  6. Click Close, and click OK.
  7. Under Local Computer Policy, navigate to the Local\Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.
  8. Right-click Encrypting File System, and select Add Data Recovery Agent or Create Data Recovery Agent.
  9. Follow the wizard's instructions.

The wizard will prompt you for a username for the recovery agent. You can either use the name of a user with a published file recovery certificate, or you can browse for file recovery certificates (i.e., .cer files) that contain information about the recovery agent you want to add.

You can obtain file recovery certificates from certification authorities. To identify a file recovery certificate, go to the Certificates snap-in, and go to the Enhanced Key Usage field in the Details pane; look for the File Recovery ( value. Windows stores file recovery certificates as .cer files in the local computer file system or in Active Directory. When you add a recovery agent from a file, the system identifies the user as USER_UNKNOWN because it doesn't store the username in the file.

Back up private keys

Once you have EFS running and you've specified a key recovery agent, you can back up the private keys. Follow these steps:

  1. Log onto the computer by using the recovery agent's local user account.
  2. Go to Start | Run, type mmc, and click OK.
  3. Go to File | Add/Remove Snap-in, and click the Add button.
  4. Under Add Standalone Snap-ins, click Certificates, and select Add.
  5. Click My User Account, and click Finish.
  6. Click Close, and click OK.
  7. Double-click Certificates - Current User, double-click Personal, and double-click Certificates.
  8. Locate the certificate that displays File Recovery in the Intended Purposes column.
  9. Right-click the certificate, point to All Tasks, and click Export. This launches the Certificate Export Wizard.
  10. Click Next, select Yes, Export The Private Key, and click Next.
  11. Click Personal Information Exchange - PKCS #12 (.PFX), select the Enable Strong Protection option, and click Next. (Do not select the Delete The Private Key If The Export Is Successful check box; this will remove the private key from the computer, and you won't be able to decrypt any encrypted files.)
  12. Specify a password, and click Next.
  13. Enter a filename, specify the location where you want to export the certificate and the private key, and click Next
  14. Verify the displayed settings, and click Finish.

I recommend backing up the file to a removable media device (USB or CDROM/DVD) and storing that backup in a physically secure location.

Final thoughts

Encryption is an easy, painless method for adding a layer of security to your data. Regardless of whether it's a home computer or a corporate network, it's still personal and private information, and you need to take steps that will keep that information private and secure.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.