Archive for March 30th, 2007

Adding a Data Recovery Agent to Group Policy in Windows

Barry (aka Fishbreakfast) came to me with an issue last week when I exclaimed:

I’m bored!

First off, don’t say you’re bored in the vicinity of the people who either a) are your boss or b) have more stuff to do than you do because you invariably come away with more stuff on your plate.

Anyway, the issue he had was that he had used Windows’ built-in Encrypting File System function to encrypt a few sensitive files. He got a new laptop, but didn’t decrypt the files before transferring them to the new laptop.

I can’t really blame him for that, though. Our assumption was that a Data Recovery Agent (RA) was enabled on our domain. Upon further investigation, we discovered that an RA, in fact, was *not* set up on the domain.

So, because I was bored, and because it is an interesting issue to look up, I hacked away at the problem until I could say definitively that Barry’s files could be decrypted.  Or the files were toast.

We have an Enterprise Certificate Authority installed into our Domain, so EFS/Recovery certificates are very easy to come by. What isn’t quite so obvious is how to include the RA certificate into the Group Policy that applies to particular domain computers. (You can read more about the whole process here.)

Okay, so the Group Policy setting that affects EFS Data Recovery can be found here: Computer Configuration -> Windows Settings -> Public Key Policies -> Encrypting File System. Right-click on that “folder” and choose Create Data Recovery Agent. This uses the automatic enrollment methods to request an EFS Recovery Certificate, then places it in the Personal certificate store on the local computer and uploads it into the definition of the Group Policy Object.

Easy peasy, eh? A couple of caveats.

The only place the private key is stored (the private key being the part of the PKI cert that is required to actually recover any data) is on the computer where you requested the certificate. So be sure to export the newly created EFS Recovery certificate (including the private key) to a safe and secure backup location so that you can perform data recovery from somewhere else.

Also, the RA certificate is useful only if the group policy is applied *before* you encrypt any files. It’s worth noting, too, that this only applies to Active Directory member computers. The process for setting up an RA is quite different for standalone machines.
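The two caveats above (back up the private key, and the RA only covers files encrypted after the policy lands) are the kind of thing you want a script for, so here is an added PowerShell example of my own; it is not from the original post and does not describe any particular domain. It assumes a recent Windows PowerShell with the PKI module (`Export-PfxCertificate`) and `cipher.exe`, run on the computer where “Create Data Recovery Agent” was performed. `$BackupPath` and `$TestFile` are placeholders. It finds the File Recovery certificate by its EKU OID, exports it with the private key to a PFX, and then asks `cipher.exe /c` which recovery certificates an already-encrypted file actually carries.

```powershell
<#
  Added example, not from the original post.
  Assumptions: PowerShell 5.1+ with the PKI module, cipher.exe present,
  and the script runs as the user who requested the DRA certificate.
  $BackupPath and $TestFile are placeholders to change for your environment.
#>
param(
    [string]$BackupPath = '\\fileserver\secure-backup\efs-dra.pfx',   # placeholder
    [string]$TestFile   = 'C:\Users\barry\Documents\secret.docx'       # placeholder
)

# Enhanced Key Usage OID for "File Recovery". A DRA certificate carries this
# OID; an ordinary user EFS certificate carries 1.3.6.1.4.1.311.10.3.4 instead.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-DraCertificate {
    # Only certificates with a private key are useful for recovery; the public
    # half alone (what the GPO distributes) can only encrypt, never decrypt.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryOid })
        }
}

function Backup-DraCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # Prompt for the PFX password instead of hard-coding one in the script.
    $pw = Read-Host -AsSecureString -Prompt 'PFX password for the DRA backup'
    Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $pw `
        -ChainOption EndEntityCertOnly | Out-Null
    Write-Host "Exported DRA certificate $($Cert.Thumbprint) to $Path"
}

function Get-RecoveryAgentsForFile {
    param([string]$Path)
    # cipher /c prints, per file, a "Users who can decrypt:" block followed by
    # a "Recovery Certificates:" block. The output is meant for humans, so this
    # is an informal parse: return the lines of the recovery block only.
    $lines = & cipher.exe /c $Path 2>&1
    $inBlock = $false
    $result = @()
    foreach ($line in $lines) {
        if ($line -match '^\s*Recovery Certificates:') { $inBlock = $true; continue }
        if ($inBlock) {
            # The block ends at the next blank line or the next labelled section.
            if ($line -match '^\s*$' -or $line -match '^\s*\w[\w ]*:\s*$') { break }
            $result += $line.Trim()
        }
    }
    return $result
}

# 1. Locate and back up the DRA certificate created through the GPO.
$dra = @(Get-DraCertificate)
if ($dra.Count -eq 0) {
    Write-Warning 'No File Recovery certificate with a private key in CurrentUser\My.'
} else {
    foreach ($c in $dra) { Backup-DraCertificate -Cert $c -Path $BackupPath }
}

# 2. Check whether an existing encrypted file already references any RA.
if (Test-Path $TestFile) {
    $agents = Get-RecoveryAgentsForFile -Path $TestFile
    if ($agents.Count -eq 0) {
        Write-Warning "$TestFile lists no recovery certificate; the GPO RA cannot open it."
    } else {
        Write-Host "Recovery certificates on ${TestFile}:"
        $agents | ForEach-Object { Write-Host "  $_" }
    }
}
```

For files that were encrypted before the policy arrived, the second check will show no recovery certificate. If the user who encrypted them can still open them, running `cipher /u` as that user rewrites the file encryption keys so that the current RA is added; if nobody can open them, as in Barry’s case, there is no key to rewrap and the files stay out of reach.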

So, back to Barry’s files? Given the above, they are definitely toast. Unless he’s got an army of PlayStation 3 consoles he could use to brute-force decrypt the files.

We now return you to your regularly-scheduled, non-geeky programming.


Change a Lightbulb, change the world!

It only takes 18 seconds to change a bulb. If every American home replaced just one light bulb with an energy-efficient bulb, together we could save enough energy to light more than 2.6 million homes for a year. Find out how you can save energy and cash by making the switch to energy-efficient light bulbs... and check out how many have already sold in your area.
