Encryption problems

Depending upon the community that your network serves and the information contained on that network, you might be required by law to encrypt that data. Users have many responsibilities, and managing security for the network is low on their list of priorities. If you have a small business network or just a few Windows computers at home and run your computers in a workgroup environment, you can still use EFS (the Windows Encrypting File System). If you aren't running EFS on your home or workgroup computers, I strongly advise you to do so, but you need to plan for failure. Encryption is great at securing information, but it's useless if you can't read that information because of a lost or damaged EFS key. If you've enabled EFS but forgot to back up your keys, here's how to solve that problem.

Creating a local recovery agent

In a non-domain environment, such as on a standalone computer or in a workgroup, you must first create a local recovery agent if the computer is shared by multiple users. If your computers have only a single user account on them, you can jump ahead to key recovery, but I still advise creating a local recovery agent because you never know when you might add a user to that machine.

To create the recovery agent, first log on to the computer with an account that has administrator credentials, then:

1. Click Start | Run, type mmc, and click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Add Standalone Snap-in, click Group Policy Object Editor | Add.
4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.
5. Click Close | OK.
6. In Local Computer Policy, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.
7. Right-click Encrypting File System and click Add Data Recovery Agent or Create Data Recovery Agent.

Note: The wizard prompts you for a user name for a recovery agent. You can supply the wizard with the name of a user with a published file recovery certificate, or you can browse for file recovery certificates (.cer files) that contain information about the recovery agent you want to add. File recovery certificates can be obtained from Certification Authorities. To identify a file recovery certificate, in the Certificates snap-in, in the details pane, in the Enhanced Key Usage field, look for the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). File recovery certificates are stored as .cer files in the local computer file system or in Active Directory. When you add a recovery agent from a file, the user is identified as USER_UNKNOWN because the user name is not stored in the file.

8. Follow the instructions in the wizard to complete the process.

Key recovery

Once you have EFS running and a key recovery agent specified, you can back up the private keys:

1. Log on to the computer by using the recovery agent's local user account.
2. Click Start | Run, type mmc, and click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, then click Add.
5. Click My user account, then click Finish.
6. Click Close | OK.
7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.
9. Right-click that certificate, point to All Tasks, then click Export. The Certificate Export Wizard starts.
10. Click Next.
11. Click Yes, export the private key, then click Next.
12. Click Personal Information Exchange – PKCS #12 (.PFX).
13. Select the Enable strong protection check box.

Note: DO NOT select the Delete the private key if the export is successful check box. If you do, the private key will be removed from the computer and you will not be able to decrypt any encrypted files.

14. Click Next.
15. Specify a password, then click Next.
16. Specify a file name and location where you want to export the certificate and the private key, then click Next.

Note: I recommend that you back up the file to a removable media device (USB or CD-ROM/DVD) and store that backup in a physically secure location.

17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, then click Finish.

Final thoughts

Encryption is an easy, painless way to add a layer of security to your data. Regardless of whether it's a home computer, it's still your personal and private information, and you need to take steps to keep that information private and secure.
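The certificate export in the Key recovery steps above can also be scripted, which is handy when you want to repeat the backup on several workgroup machines. The following is an added example of mine, not part of the original walk-through: it finds the File Recovery certificate by its Enhanced Key Usage OID (1.3.6.1.4.1.311.10.3.4.1) rather than by the localized "File Recovery" label, exports it with its private key to a password-protected PFX, and then reopens the file to confirm the backup is actually usable. It assumes the PKI module (Windows 8 / Server 2012 or later) and uses E:\EFS-backup\dra-backup.pfx as a placeholder path for your removable media.

```powershell
# Added example (not from the original article). Exports the EFS recovery agent's
# certificate and private key from the current user's Personal store to a PFX file.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # Enhanced Key Usage: File Recovery
$OutFile = 'E:\EFS-backup\dra-backup.pfx'        # placeholder: point this at removable media

# True when the certificate carries the File Recovery EKU (checked by OID, not friendly name).
function Test-FileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid })
}

# Same store the wizard walks you through: Certificates - Current User > Personal > Certificates.
$dra = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-FileRecoveryCert -Cert $_) }

if (-not $dra) {
    throw 'No File Recovery certificate with a private key was found in Cert:\CurrentUser\My.'
}
if (@($dra).Count -gt 1) {
    # More than one recovery certificate: export the one that expires last and say so.
    $dra = $dra | Sort-Object NotAfter -Descending | Select-Object -First 1
    Write-Warning "Multiple File Recovery certificates found; exporting $($dra.Thumbprint)."
}

# Prompt for the PFX password instead of embedding it in the script.
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString

New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null

# Unlike the wizard, Export-PfxCertificate has no "delete the private key" option, so the
# key stays in the store and this machine can still decrypt afterwards. The export fails
# if the private key was generated as non-exportable, which is the same limit the wizard has.
Export-PfxCertificate -Cert $dra -FilePath $OutFile -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null

# A backup you have never opened is not a backup: reload the PFX with the same password
# and confirm it holds the certificate we meant to export.
$check = Get-PfxData -FilePath $OutFile -Password $pfxPassword
if ($check.EndEntityCertificates[0].Thumbprint -ne $dra.Thumbprint) {
    throw "The exported PFX does not contain certificate $($dra.Thumbprint)."
}
Write-Host "File Recovery certificate $($dra.Thumbprint) exported to $OutFile and verified."
```

After the file is written, copy it to the removable media, eject it, and store it somewhere physically secure as described in the note to step 16.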