How To Access EFS-encrypted Files On Other Locations


The backup plan contains EFS-encrypted files and the Keep EFS encryption option is selected.

This means that EFS-encrypted files are backed up and kept on backup storage encrypted. The main purpose of any backup is a guaranteed possibility to restore data in case of need: hardware failure or whatever else. In most cases the restore does not require any special actions, but the situation with EFS-encrypted files backed up 'as is' is a bit different: it is tightly bound with the EFS-encryption specification that covers the decryption with the security layer.

Thus, if you keep your EFS-encrypted files backed up 'as is' (encrypted), make some preparations to protect yourself from unpleasant moments that may occur when trying to read restored EFS-encrypted files on a location other than the original computer (the one these EFS-encrypted files were backed up).

Determine the way that suits you best and follow the instructions stated below:

Back Up EFS Certificate

To back up an EFS certificate, open the MMC console and add the Certificates snap-in. From here it is possible to browse certificates associated with a user or computer. In this case, the personal store is browsed.

  1. Right-click on the certificate to back up, then select All Tasks > Export.

  1. Certificate Export Wizard appears. Click Next.
  2. Select Yes, export the private key option.

  1. Select the format to export in. When exporting the private key, the .PFX format is generally a standard in Windows. If the certificate would be the only thing exported, you could export it in a .CER format instead.

  1. As the private key must remain secure, create a password for the file.

  1. Select the location and name for the exported file.

  1. Check your settings, then click Finish to complete the process.

Once the procedure is completed, a pop-up notification appears. The created .pfx file contains the exported certificate and the private key in the location specified.

You can also back up a certificate with PowerShell using the Export-Certificate cmdlet

| Top |

Key Archival of EFS Recovery Certificate

Follow these steps:

Step 1. Add Key Recovery Agent Certificate Template

Add the Key Recovery Agent certificate template to the list of available certificate templates.

  1. Log in to the Certification Authority computer with administrative rights.
  2. In the Windows Administrative Tools, click Certification Authority. 3.On Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.

  1. Select the Key Recovery Agent in the list of certificate templates.

  1. Click OK to enable this certificate
  2. A Key Recovery Agent certificate template appears in the list of Certificate Templates

Now you are ready to request a personal administrator certificate using this Key Recovery Agent certificate template.

| Back to the step list |

Step 2. Request Personal Administrator Certificate

To request a personal administrator certificate using the Key Recovery Agent template published above, proceed as follows:

  1. Open the MMC console and add or select the Certificates snap-in.
  2. Right-click the Certificates folder under personal store, and select All Tasks > Request New Certificate.

  1. In the Certificate Enrollment dialog, select Key Recovery Agent in the list of available certificates, then click Enroll.

  1. In Certification Authority click the Pending Requests folder.
  2. Right-click your pending request, then select All Tasks > Issue to issue a certificate requested above. Save the Request ID copy of the certificate to file.

  1. The certificate appears in the Issued Certificates folder. Right-click the certificate and select Open.

  1. Select Thumbprint and click Copy to file.

  1. Export certificate to file, for example, to archive-admin.cer with Certificate Export Wizard. On the Export file format step, select DER encoded binary X.509 (.CER).

  1. In Certification Authority snap-in, add and configure the Recovery Agent. Right-click the domain, then select Properties.

  1. Click Recovery Agents tab.
  2. Select the Archive the Key option. Click Add.

  1. Select the certificate you issued and verify the thumbprint of this certificate matches the thumbprint saved to the file above. Click OK.

  1. Restart Active Directory Certificate Services for changes to take effect.

  1. In Properties, click Recovery Agents to check if the certificate is in a valid status. Click Cancel.

  1. Add a new EFS template based on the Basic EFS template. On Certification Authority right-click Certificate Templates and select Manage.

  1. Right-click the Basic EFS template and select Duplicate Template.

  1. Configure the new template properties:
    • Name the template on the General tab

* On the Request Handling tab, select **Archive subjects's encryption private key**
* On the Cryptography tab, set the minimum key size

* On the Security tab, grant the Read permission to the Key Recovery Agent account

  1. Click Apply.
  2. Publish the created certificate template. On Certification Authority, right-click Certificate Templates and select New > Certificate Template to Issue.

  1. Select your template by name and click OK to enable it.

Now you are ready to add this Key Recovery Agent to Group Policy.

| Back to the step list |

Step 3. Add a Key Recovery Agent Certificate Using Group Policy

  1. Open Group Policy Management snap-in
  2. Right click Default Domain Policy and select Link Enabled

  1. To edit Default Domain policy, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right click Encrypting File System and select Properties

  1. On the General tab for File Encryption System (EFS), select Allow.
  2. On the Certificates tab, select your template for EFS template for automatic certificate requests and clear the Allow EFS to generate self-signed certificates when a certification authority is not available check box.

  1. Click Apply.

Now you are ready to update group policies on the computers where you want to back up EFS files.

| Back to the step list |

Step 4. Force Update Group Policies

  • Login to original client computer, do the gpupdate /force

Now the created Group policy is used on this computer. You are ready to check if key archival can work properly.

| Top |

Step 5. Use Key Archival

  1. Log into original computer as standard user that does not have an EFS certificate.

  1. Create and encrypt a file.

  1. Make sure that the new user has access to the encrypted file.

  1. And the same certificate appears in the user personal store.

  1. Log into the Certificate Authority computer.
  2. In Certification Authority snap-in, click View > Add/Remove Columns....

  1. Add the Archived Key column, and move it to the top of the list. Click OK.

  1. Note that a standard user certificate was automatically issued and archived.

  1. Install previously exported Recovery Agent certificate c:\archive-admin.cer to the personal store of administrator on Certification Authority computer.

  1. Locate issued and archived ordinal user EFS certificate in Certification Authority and copy the serial number to the clipboard.

  1. Run PowerShell as Administrator.

  1. Execute the following commands in the PowerShell window, on the last step specify the recovered pfx password.
 cd /

mkdir keyrecoverdir

cd .\keyrecoverdir\

certutil -getkey 170000001b7f4141464204e1b500000000001b rawkeyinfo

certutil -recoverkey .\rawkeyinfo recovered.pfx

  1. Now the standard user .pfx certificate is recovered.

  1. Log into original client computer where you created the EFS- encrypted file.
  2. Delete the EFS keys /certificate.
  3. Place the recovered.pfx to file system.
  4. Install the recovered.pfx to the ordinal user personal certificate store.
  5. Log in again to the original client computer to uncache certificate thumbprint.
  6. Try to open your EFS-encrypted file to make sure everything is fine.

| Top |