
Windows XP Pro: Using File Encryption – part 4
In his penultimate look at EFS, Dave Cook
shows you how to tighten security still further by removing the
recovery agent’s private key.
With the Encrypting File System (EFS) up and running on your computer,
and having followed our advice with regard to certificate safety,
all that remains is to tie up one remaining security issue. Do you
remember the recovery agent we created in part two? Well, now it’s
time to remove the agent’s private key from the computer.
The reason for exporting the certificate is simple.
By removing this key, you prevent someone else from accessing your
encrypted files by logging on to the user account where the key is
stored.
Safe Removal
To remove the recovery agent’s private key, first
log on to the account where you created the recovery agent.
- Then select [Start], [Run] and type
  certmgr.msc to launch the Certificates snap-in for the Microsoft
  Management Console.
- Go to Certificates – Current User and open
  Personal, Certificates.
- Right-click the File Recovery
  certificate (as identified in the Intended Purposes column),
  and then select [All Tasks], [Export]. This launches
  the Certificate Export Wizard. Click [Next].
- Select Yes, Export The Private Key, and click [Next].
- Select Enable Strong Protection. Also
  select Delete The Private Key If The Export Is Successful.
  Click [Next].
- Enter a strong password (twice), and click [Next].
- Specify the path and filename for the exported file.
  Click [Next], and then click [Finish].
Note that the file should be copied to a floppy or
other removable disk and stored in a secure location, just as you
did with the other certificates. Finally, ensure the file is removed
from the hard disk.
With the certificate removed from the system, the
recovery agent will no longer be able to view the encrypted files.
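A way to confirm the result of the steps above from the command line. This is an added example, not part of the original guide; it assumes Windows PowerShell is installed on the machine, and the function names and the sample export path are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell is installed (not part of a default XP setup).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU that certmgr.msc shows as "File Recovery"

# Return every certificate in the Personal store whose Intended Purposes include File Recovery.
function Get-FileRecoveryCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $FileRecoveryOid) { $cert }
                }
            }
        }
    }
}

# Check both outcomes of the procedure: key deleted from the store, export file off the hard disk.
function Test-RecoveryKeyRemoved {
    param([string]$ExportedPfx)   # hypothetical: the path you typed into the export wizard
    $ok = $true
    $certs = @(Get-FileRecoveryCertificate)
    if ($certs.Count -eq 0) {
        Write-Host 'No File Recovery certificate found in Certificates - Current User\Personal.'
    }
    foreach ($c in $certs) {
        # HasPrivateKey is true while the store entry still points at a private key.
        if ($c.HasPrivateKey) {
            Write-Host "FAIL $($c.Thumbprint): private key is still on this computer"
            $ok = $false
        } else {
            Write-Host "OK   $($c.Thumbprint): certificate only, no private key"
        }
    }
    if ($ExportedPfx -and (Test-Path -Path $ExportedPfx)) {
        $full = (Resolve-Path -Path $ExportedPfx).ProviderPath
        $root = [System.IO.Path]::GetPathRoot($full)
        $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $root
        if ($drive.DriveType -eq [System.IO.DriveType]::Fixed) {
            Write-Host "FAIL $full is on a fixed disk; move it to removable media and delete this copy"
            $ok = $false
        }
    }
    return $ok
}

# Constructed sample path; replace it with your own export location.
Test-RecoveryKeyRemoved -ExportedPfx 'C:\Temp\recovery-agent.pfx'
```

Run it while logged on to the account where the recovery agent was created; a result of True means no File Recovery private key remains in that account's Personal store and the export file is not sitting on a fixed disk.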
Safe Recovery
Assuming you followed our recommendations concerning all
certificates, your encrypted files are now safe from prying eyes.
Furthermore, you will be in a great position to recover the files
should anything happen to them or to your user account – as long as
you’ve backed up the files previously, of course.
To re-establish the recovery agent’s right to access
your encrypted files, you need to import the recovery agent’s key
back to the system. This is achieved using the same procedure as for
importing a personal certificate – and we’ll show you how to do that
next time, in our final look at the Encrypting File System.
The series:
Guide: Windows XP Pro: Using File Encryption – part 1
Guide: Windows XP Pro: Using File Encryption – part 2
Guide: Windows XP Pro: Using File Encryption – part 3
Guide: Windows XP Pro: Using File Encryption – part 4
Guide: Windows XP Pro: Using File Encryption – part 5