Key Archival of EFS Recovery Certificate

As of version 7.6, Backup for Windows supports backup and restore of EFS-encrypted files: encrypted files are backed up 'as is', i.e. in their encrypted state. To be able to decrypt these files after restoring them to any location other than the original computer, add a Key Recovery Agent for EFS-encrypted files and archive the Agent's certificate in a safe place.

Follow these steps:

Step 1. Add Key Recovery Agent Certificate Template

Add the Key Recovery Agent certificate template to the list of available certificate templates.

  1. Log in to the Certification Authority computer with administrative rights.
  2. In Windows Administrative Tools, click Certification Authority.
  3. In Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.
  4. Select Key Recovery Agent in the list of certificate templates.
  5. Click OK to enable this certificate template.
  6. The Key Recovery Agent certificate template now appears in the list of Certificate Templates.

Now you are ready to request a personal administrator certificate using this Key Recovery Agent certificate template.

Step 2. Request Personal Administrator Certificate

To request a personal administrator certificate using the Key Recovery Agent template published above, proceed as follows:

  1. Open the MMC console and add or select the Certificates snap-in.
  2. Right-click the Certificates folder under the Personal store and select All Tasks > Request New Certificate.
  3. In the Certificate Enrollment dialog, select Key Recovery Agent in the list of available certificates, then click Enroll.
  4. In Certification Authority, click the Pending Requests folder.
  5. Right-click your pending request, then select All Tasks > Issue to issue the certificate requested above. Make a note of its Request ID.
  6. The certificate appears in the Issued Certificates folder. Right-click the certificate and select Open.
  7. Select the Thumbprint field and click Copy to File.
  8. Export the certificate to a file, for example archive-admin.cer, with the Certificate Export Wizard. On the Export File Format step, select DER encoded binary X.509 (.CER).
  9. In the Certification Authority snap-in, add and configure the Recovery Agent: right-click the domain, then select Properties.
  10. Click the Recovery Agents tab.
  11. Select the Archive the key option and click Add.
  12. Select the certificate you issued and verify that its thumbprint matches the thumbprint saved to the file above. Click OK.
  13. Restart Active Directory Certificate Services for the changes to take effect.
  14. In Properties, click Recovery Agents to check that the certificate has a valid status. Click Cancel.
  15. Add a new EFS template based on the Basic EFS template: in Certification Authority, right-click Certificate Templates and select Manage.
  16. Right-click the Basic EFS template and select Duplicate Template.
  17. Configure the new template properties:
     • On the General tab, name the template.
     • On the Request Handling tab, select **Archive subject's encryption private key**.
     • On the Cryptography tab, set the minimum key size.
     • On the Security tab, grant the Read permission to the Key Recovery Agent account.
  18. Click Apply.
  19. Publish the created certificate template: in Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.
  20. Select your template by name and click OK to enable it.

Now you are ready to add this Key Recovery Agent to Group Policy.
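A quick consistency check for the Recovery Agent certificate configured above, as an added example that is not part of the original article: it reads the thumbprint of the exported archive-admin.cer, confirms that a certificate with the same thumbprint, the Key Recovery Agent enhanced key usage (OID 1.3.6.1.4.1.311.21.6) and a private key exists in the administrator's personal store, and, when run on the CA itself, prints the KRA certificate hashes held in the CA configuration. The file path, the function names and the use of the KRACertHash registry value are assumptions made for this example.

```powershell
# Added example (not from the original article): check that the exported KRA
# certificate matches the one in the administrator's personal store and that
# the CA has registered it. Path and function names are assumptions.

$ExportedCer = 'C:\archive-admin.cer'      # file exported in Step 2 (assumed path)
$KraEkuOid   = '1.3.6.1.4.1.311.21.6'      # Key Recovery Agent enhanced key usage

function Get-ExportedKraThumbprint {
    param([string]$Path)
    # Load the DER-encoded .cer and return its SHA-1 thumbprint
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    return $cert.Thumbprint
}

function Get-StoreKraCertificates {
    # Certificates in CurrentUser\My that carry the KRA EKU and have a private
    # key, i.e. the ones this account can actually use for key recovery
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $KraEkuOid) }
}

function Test-KraConsistency {
    param([string]$Path)
    $fileThumb = Get-ExportedKraThumbprint -Path $Path
    $match = Get-StoreKraCertificates | Where-Object { $_.Thumbprint -eq $fileThumb }
    if (-not $match) {
        Write-Warning "No KRA certificate with thumbprint $fileThumb and a private key in CurrentUser\My."
        return $false
    }
    Write-Host "KRA certificate $fileThumb found in CurrentUser\My (valid until $($match.NotAfter))."

    # On the CA computer only: the KRA hashes configured in the Recovery Agents
    # tab are stored in the CA configuration (assumed value name KRACertHash);
    # the thumbprint above should appear there after the service restart.
    if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
        certutil -getreg CA\KRACertHash
    }
    return $true
}

Test-KraConsistency -Path $ExportedCer
```

Run it in the same administrator session that enrolled for the Key Recovery Agent certificate; a `$false` result means the exported file does not correspond to a usable recovery key on this account, which is exactly the situation that makes the archived keys unrecoverable later.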

Step 3. Add a Key Recovery Agent Certificate Using Group Policy

  1. Open the Group Policy Management snap-in.
  2. Right-click Default Domain Policy and select Link Enabled.
  3. To edit the Default Domain Policy, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Encrypting File System and select Properties.
  4. On the General tab, for Encrypting File System (EFS), select Allow.
  5. On the Certificates tab, select your template as the EFS template for automatic certificate requests, and clear the Allow EFS to generate self-signed certificates when a certification authority is not available check box.
  6. Click Apply.

Now you are ready to update group policies on the computers where you want to back up EFS files.

Step 4. Force Update Group Policies

  • Log in to the original client computer and run gpupdate /force.

Now the created Group Policy is applied on this computer. You are ready to check whether key archival works properly.

Step 5. Use Key Archival

  1. Log in to the original computer as a standard user who does not yet have an EFS certificate.
  2. Create and encrypt a file.
  3. Make sure that the new user has access to the encrypted file.
  4. Check that the same certificate appears in the user's personal store.
  5. Log in to the Certification Authority computer.
  6. In the Certification Authority snap-in, click View > Add/Remove Columns....
  7. Add the Archived Key column and move it to the top of the list. Click OK.
  8. Note that the standard user's certificate was automatically issued and archived.
  9. Install the previously exported Recovery Agent certificate c:\archive-admin.cer to the personal store of the administrator on the Certification Authority computer.
  10. Locate the issued and archived ordinary user EFS certificate in Certification Authority and copy its serial number to the clipboard.
  11. Run PowerShell as Administrator.
  12. Execute the following commands in the PowerShell window; at the last step, specify the password for the recovered .pfx file when prompted.

```powershell
# Start from the root of the system drive and create a working directory
cd /
mkdir keyrecoverdir
cd .\keyrecoverdir\

# Retrieve the archived key blob from the CA database for the user certificate
# whose serial number was copied in the previous step (the serial below is the
# one shown in this article; substitute your own)
certutil -getkey 170000001b7f4141464204e1b500000000001b rawkeyinfo

# Decrypt the blob with the Recovery Agent's private key and write a PFX;
# certutil prompts for the password that will protect recovered.pfx
certutil -recoverkey .\rawkeyinfo recovered.pfx
```

  13. Now the standard user's .pfx certificate is recovered.
  14. Log in to the original client computer where you created the EFS-encrypted file.
  15. Delete the user's EFS keys/certificate.
  16. Copy recovered.pfx to the client's file system.
  17. Install recovered.pfx into the ordinary user's personal certificate store.
  18. Log in again to the original client computer so that the cached certificate thumbprint is refreshed.
  19. Try to open your EFS-encrypted file to make sure everything works.
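The recovery test in Step 5 scripted end to end, as an added example that is not part of the original article. The first two functions run on the Certification Authority computer: one lists the CA database rows for a given requester together with the Archived Key column, the other performs the certutil -getkey / -recoverkey pair from the steps above and returns the path of the PFX. The third function runs on the original client as the affected user: it imports the PFX into the personal store, lists with cipher /c which certificates can decrypt the file, and then reads the file to prove the recovered key works. The requester name, working directory, function names and the assumption that the Archived Key column is backed by the KeyRecoveryHashes database column are mine, not the article's; the serial number is supplied by the caller.

```powershell
# Added example (not from the original article). Names, paths and the
# KeyRecoveryHashes column name are assumptions for this example.

# ---- On the Certification Authority computer (PowerShell as Administrator) ----

function Find-ArchivedEfsRequests {
    param([string]$RequesterName)   # e.g. 'CONTOSO\alice' (constructed example value)
    # Rows for this requester; a non-empty KeyRecoveryHashes value means the
    # private key was archived (this is the Archived Key column in the snap-in)
    certutil -view -restrict "RequesterName=$RequesterName" -out "RequestID,SerialNumber,CertificateTemplate,KeyRecoveryHashes"
}

function Recover-ArchivedEfsKey {
    param(
        [string]$SerialNumber,                  # serial of the archived user EFS certificate
        [string]$WorkDir = 'C:\keyrecoverdir'   # assumed working directory
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Push-Location $WorkDir
    try {
        # Fetch the encrypted key blob; only a holder of the KRA private key
        # (the administrator enrolled in Step 2) can decrypt it
        certutil -getkey $SerialNumber rawkeyinfo
        if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for serial $SerialNumber" }

        # Decrypt the blob with the KRA key and write a password-protected PFX
        $pfxPassword = Read-Host -Prompt 'Password for recovered.pfx'
        certutil -p $pfxPassword -recoverkey rawkeyinfo recovered.pfx
        if ($LASTEXITCODE -ne 0) { throw 'certutil -recoverkey failed' }

        # The raw blob is no longer needed; only the PFX goes to the client
        Remove-Item rawkeyinfo -ErrorAction SilentlyContinue
        return (Join-Path $WorkDir 'recovered.pfx')
    }
    finally { Pop-Location }
}

# ---- On the original client computer, logged in as the affected user ----

function Restore-EfsKeyAndVerify {
    param(
        [string]$PfxPath,        # recovered.pfx copied from the CA
        [string]$EncryptedFile   # EFS-encrypted file created in Step 5
    )
    $pfxPwd = Read-Host -Prompt 'Password for recovered.pfx' -AsSecureString
    # Import the certificate and its private key into the user's personal store
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPwd
    Write-Host "Imported EFS certificate $($cert.Thumbprint)"

    # cipher /c lists the user and recovery-agent certificates able to decrypt
    # the file; the thumbprint just imported should be among them
    cipher /c $EncryptedFile

    # Reading the file only succeeds if a matching private key is available
    try {
        Get-Content -LiteralPath $EncryptedFile -TotalCount 1 -ErrorAction Stop | Out-Null
        return $true
    }
    catch {
        Write-Warning "Cannot read $EncryptedFile with the recovered key: $_"
        return $false
    }
}

# Usage on the CA (serial copied from the snap-in, as in step 10):
#   Find-ArchivedEfsRequests -RequesterName 'CONTOSO\alice'
#   Recover-ArchivedEfsKey -SerialNumber '<serial from the Issued Certificates list>'
# Usage on the client, as the user, after deleting the old EFS certificate:
#   Restore-EfsKeyAndVerify -PfxPath 'C:\recovered.pfx' -EncryptedFile 'C:\Users\alice\secret.txt'
```

The PFX carries the user's private key, so treat it as you would the user's password: transfer it over a protected channel, delete it from the CA working directory once the client import is confirmed, and keep the recovery password out of shell history (Read-Host is used here for that reason instead of a command-line argument).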
