EFS File Recovery

Windows XP and Windows Server 2003 provide many enhancements in the area of data protection, especially Encrypting File System (EFS). This article lists common issues and file recovery practices that keep encrypted files from becoming inaccessible.

Problems accessing encrypted files are common: for example, the data cannot be read and the user gets an "Access Denied" error. Because EFS ties access to the user's private key rather than to NTFS permissions alone, it is necessary to understand these problems before making changes to an EFS environment (joining or leaving a domain, resetting passwords, moving user profiles).

Here we first list some common issues when trying to access an encrypted file:

a. Cannot access files after joining or leaving a domain

When a computer that holds EFS-encrypted files is joined to a domain, the user logs on with a new domain account that has its own profile, while the EFS private key stays in the old local profile. Before switching accounts, export the EFS certificate together with its private key from the old account to a .pfx file (Certificates snap-in, Personal, Certificates, Export with the private key), then import that .pfx under the new domain account. The same applies in reverse when the computer leaves the domain and the user goes back to a local account.

b. Cannot decrypt EFS files after resetting a password

Change the user's password back to what it was before the reset. This affects local accounts: when an administrator resets (rather than the user changes) a local account's password, the DPAPI master key that protects the user's EFS private key can no longer be decrypted, so every file encrypted with that key becomes unreadable. Setting the password back to the previous value restores access, and a password reset disk created beforehand avoids the problem entirely. Domain accounts are not affected in the same way, because the domain keeps a backup of the user's DPAPI master key.

c. Cannot access remote EFS-encrypted files from Windows 9x or Windows NT 4.0 clients

By design, the server does not let pre-Windows 2000 clients open a remote encrypted file. Use a Windows 2000 or later client to access the file.

d. "Access Denied" error when attempting to access EFS-encrypted files

The current user holds no private key that matches any certificate recorded on the file. Locate the private key for the appropriate certificate (the user's own EFS certificate or a recovery agent certificate) and import it onto this computer using the Certificates snap-in. We recommend that you back up the recovery certificate (.cer) and the certificate with its private key (.pfx) to a safe, offline location before they are needed.

In addition, before implementing EFS, designate other users or recovery agents in case the original user who encrypted a file is unavailable or has lost the key. The following principals can access an encrypted file:

1. The original user who encrypted the file.

2. Users added to the file to give them cryptographic access.

Cryptographic access means the user can decrypt and encrypt the file and can add and remove other users. To add users and give them cryptographic access to a file:

a. Right-click the file and click Properties.

b. On the General tab, click Advanced, select "Encrypt contents to secure data" and click OK so that the file is encrypted (if it is not already).

c. Open Advanced again and click Details to open the Encryption Details dialog. Details is available for encrypted files only; users cannot be added to a folder, so add them file by file.

d. Click Add and choose the user's EFS certificate. The user must already have one (published in Active Directory or imported into your Other People store). Each added user then opens the file transparently with his or her own private key.

3. Recovery agents.

A recovery agent is optional on Windows XP Professional and Windows Server 2003, which gives organizations more flexibility in implementing data recovery strategies; a stand-alone XP computer has no recovery agent unless you configure one. In a domain, the domain Administrator is the default recovery agent. To assign a data recovery agent (DRA):

a. Log on to a computer with the account you are going to use as the EFS recovery agent.

b. Run mmc.exe and add the Certificates snap-in for the current user (My user account).

c. Right-click the Personal store, click All Tasks, then click Request New Certificate.

d. Choose the EFS Recovery Agent certificate template. This requires an enterprise CA that issues that template; without one, cipher /r:filename on Windows XP or Windows Server 2003 generates a self-signed recovery agent certificate (.cer) and private key (.pfx) instead.

e. Once you have the recovery agent certificate, export it without the private key to a .cer file. Export the private key separately to a password-protected .pfx, store that file offline, and consider removing the private key from this computer so the recovery key does not stay on an ordinary workstation.

f. Copy the .cer file to a domain controller.

g. Open Active Directory Users and Computers and edit the Default Domain Policy (or a dedicated GPO linked to the domain).

h. Navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies.

i. Right-click Encrypting File System and click Add Data Recovery Agent.

j. Choose Browse Folders, browse to the .cer file and finish the wizard.

k. The recovery agent is added to every machine in scope once Group Policy processing has completed (at the next refresh, or immediately with gpupdate /force).

From then on, every newly encrypted file gets the recovery agent added to its recovery field. Files encrypted before the policy change do not carry the new agent until EFS rewrites their keys; run cipher /u on each machine to update the user and recovery keys on all encrypted files on the local drives, and keep the old recovery key until that has been done everywhere.
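The procedure above is driven through the GUI and assumes an enterprise CA. The following PowerShell script, added here as an example and not part of the original article, does the equivalent with the built-in cipher.exe of Windows XP and Windows Server 2003: part 1 creates the recovery agent certificate and key pair offline on the machine you use for that purpose, and part 2 runs on each client after the .cer has been published through the GPO, refreshing policy and re-stamping existing encrypted files. The directory C:\EFS-DRA, the base name efsdra and the function names are assumptions.

```powershell
# Added example (not from the original article). Assumed names: C:\EFS-DRA, efsdra.
# Part 1: create a self-signed EFS Data Recovery Agent certificate with cipher /r.
function New-EfsRecoveryAgent {
    param(
        [string]$OutDir  = 'C:\EFS-DRA',   # assumed output directory
        [string]$KeyName = 'efsdra'        # assumed base name for the .cer/.pfx pair
    )
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $base = Join-Path $OutDir $KeyName

    # cipher /r writes <base>.cer (certificate only, this is what goes into the
    # GPO) and <base>.pfx (certificate plus private key, protected by the
    # password you are prompted for). No certificate authority is involved.
    & cipher.exe "/r:$base"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

    $cer = "$base.cer"
    $pfx = "$base.pfx"
    foreach ($f in @($cer, $pfx)) {
        if (-not (Test-Path $f)) { throw "expected output $f was not created" }
    }

    # Record the thumbprint so the certificate the GPO later publishes can be
    # matched against it on the clients.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    Write-Host ("DRA certificate: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)

    # The .pfx is the recovery key. It belongs on removable media or in a vault,
    # not on the workstation; only the .cer is imported into the GPO.
    Write-Warning "Move $pfx to offline storage. Import only $cer under Public Key Policies\Encrypting File System."
    return @{ Cer = $cer; Pfx = $pfx; Thumbprint = $cert.Thumbprint }
}

# Part 2: on a client, after the .cer has been added to the GPO, refresh policy
# and update existing encrypted files so they also list the new agent.
function Update-EfsRecoveryAgentOnFiles {
    # Pull the new Public Key Policies now instead of waiting for the refresh interval.
    & gpupdate.exe /target:computer /force

    # cipher /u /n makes no changes; it only lists every encrypted file on the
    # local drives, so you can see what the real run will touch.
    & cipher.exe /u /n

    # cipher /u rewrites the user and recovery fields of each encrypted file
    # with the current keys, so files encrypted before the policy change pick
    # up the new recovery agent. Newly encrypted files get it automatically.
    & cipher.exe /u
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher /u reported errors; files this account cannot decrypt (other users' files) are left unchanged"
    }
}

# Usage: run New-EfsRecoveryAgent once, publish the .cer via Group Policy, then
# run Update-EfsRecoveryAgentOnFiles under each user on each client.
# New-EfsRecoveryAgent
# Update-EfsRecoveryAgentOnFiles
```

cipher /u can only update files the current account is able to decrypt, so it has to run in each user's own session; files it reports as failed will still carry the old recovery field, which is why the old recovery key must be retained until the last of them has been updated or re-encrypted.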

To recover an encrypted file or folder as a designated recovery agent:

a. Use Backup (ntbackup.exe) or another backup tool that preserves EFS encryption to restore the user's backup copy of the encrypted file or folder to an NTFS volume on the computer where your file recovery certificate and private key are installed. The restore itself does not need the user's key; the data stays encrypted until step e.

b. Open Windows Explorer.

c. Right-click the file or folder, then click Properties.

d. On the General tab, click Advanced.

e. Clear the Encrypt contents to secure data check box and click OK. This succeeds only because your private key matches the recovery agent certificate in the file's recovery field; if it fails with "Access Denied", the file was encrypted before that agent was published and never updated.

f. Back up the decrypted file or folder and return that copy to the user, who can then encrypt it again with a working key. Delete the decrypted working copy from the recovery computer afterwards.
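The same recovery steps scripted in PowerShell, added here as an example that is not part of the original article: import the recovery agent's .pfx into the current user's Personal store (which also covers issue d above, a missing private key), find every file under the restored tree that carries the NTFS Encrypted attribute, decrypt each one with the .NET File.Decrypt call (the same operation as clearing the check box), and report the files that could not be decrypted instead of stopping at the first failure. The paths C:\Recovery\efsdra.pfx and D:\Restore\jdoe and the function names are assumptions; certutil.exe is assumed to be available (it ships with Windows Server 2003).

```powershell
# Added example (not from the original article). Assumed paths: C:\Recovery\efsdra.pfx, D:\Restore\jdoe.

function Import-EfsRecoveryKey {
    param([string]$PfxPath)
    # Put the recovery agent certificate and its private key into the current
    # user's Personal store, where EFS looks for a key matching the file's
    # recovery field. certutil prompts for the .pfx password.
    if (-not (Test-Path $PfxPath)) { throw "recovery key $PfxPath not found" }
    & certutil.exe -user -importPFX $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed with exit code $LASTEXITCODE" }
}

function Get-EfsEncryptedFile {
    param([string]$Root)
    # NTFS sets the Encrypted attribute on every EFS-encrypted file.
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }
}

function Unprotect-EfsTree {
    param([string]$Root)
    $decrypted = @()
    $failed    = @()
    foreach ($file in Get-EfsEncryptedFile -Root $Root) {
        try {
            # Same operation as clearing "Encrypt contents to secure data": it
            # succeeds only if this user holds a private key listed in the
            # file's data decryption field (owner, added users) or data
            # recovery field (recovery agents).
            [IO.File]::Decrypt($file.FullName)
            # Re-read the attribute rather than trusting the call alone.
            $attrs = (Get-Item -Force $file.FullName).Attributes
            if (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0) {
                throw "file still carries the Encrypted attribute"
            }
            $decrypted += $file.FullName
        } catch {
            # Typical cause: no matching key (Access Denied), e.g. the file was
            # encrypted before this agent was published and never re-stamped.
            $failed += New-Object PSObject -Property @{ Path = $file.FullName; Error = $_.Exception.Message }
        }
    }
    return New-Object PSObject -Property @{ Decrypted = $decrypted; Failed = $failed }
}

# Usage on the recovery computer, after restoring the user's backup to D:\Restore\jdoe:
Import-EfsRecoveryKey -PfxPath 'C:\Recovery\efsdra.pfx'
$result = Unprotect-EfsTree -Root 'D:\Restore\jdoe'
Write-Host ("Decrypted {0} file(s); {1} could not be decrypted" -f $result.Decrypted.Count, $result.Failed.Count)
$result.Failed | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Path, $_.Error) }
# Hand the decrypted copy back to the user, delete it here, and remove the
# recovery agent certificate and key from this computer's Personal store
# (Certificates snap-in) so the recovery key is not left on an everyday workstation.
```

The script decrypts files only; folders keep their Encrypted attribute, which merely means new files created inside them would be encrypted again. To clear folders as well, run cipher /d /s:D:\Restore\jdoe in the same session, or clear the check box on the top folder in Explorer as in step e.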