Encryption is an effective way to protect confidential data – but handle with care
You should be able to click through the console tree to see your certificate under Certificates, Personal, username.
It will be issued to your user name by your user name and have ‘Encrypting File System’ as its Intended Purpose. Right-click on it, and choose All Tasks, Export.
This will start the Export Wizard. Select the option to Export the Private Key with the certificate.
At the next screen choose Personal Information Exchange and tick ‘Enable strong protection’. The next screen will prompt you to create and confirm a password; this password is all that protects the private key once it leaves the machine, so choose a strong one.
The following screen will prompt you for a filename. With a floppy in the drive, browse to that drive and give a name for the file. This will produce a Personal Information Exchange (.pfx) file on the floppy. Remove the floppy, store it in a safe place and commit the password to memory. Should your private key be damaged or deleted and you are unable to open your encrypted files, retrieve the floppy, double-click on the .pfx file and follow the import wizard, supplying the password when asked.
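The same backup can be made from a PowerShell prompt, which also lets you prove the .pfx actually round-trips before you put the disk away. This is an added example, not part of the article: it assumes Windows PowerShell 3 or later, that the current user already has an EFS certificate in the Personal store, and the backup folder `E:\efs-backup` is a placeholder for your removable drive.

```powershell
# Added example (not from the article): export the current user's EFS certificate
# and private key to a .pfx, then read the file back to confirm it is usable.
# Assumptions: Windows PowerShell 3+; $backupDir is a placeholder for removable media.
$efsOid    = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System
$backupDir = 'E:\efs-backup'            # assumed removable drive; change to suit

function Get-EfsUserCertificate {
    # Certificates in the Personal store whose EKU includes EFS and that carry a
    # private key (a .cer-only copy is useless for getting your files back).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.Extensions | ForEach-Object {
            if ($_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid }
            }
        })
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Export with the Pfx content type includes the private key, encrypted under $Password.
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    # Round-trip check: load the file back and compare thumbprints and key presence.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    if ($check.Thumbprint -ne $Cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup at $Path did not round-trip; do not rely on it."
    }
    $Path
}

$certs = @(Get-EfsUserCertificate)
if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found in the Personal store.' }

New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
$pfxPassword = Read-Host -AsSecureString 'Password to protect the .pfx'

foreach ($c in $certs) {
    $file = Join-Path $backupDir ("efs-{0}-{1}.pfx" -f $env:USERNAME, $c.Thumbprint.Substring(0, 8))
    Backup-EfsCertificate -Cert $c -Path $file -Password $pfxPassword
    "Backed up $($c.Subject) (thumbprint $($c.Thumbprint)) to $file"
}
```

The round-trip check matters more than it looks: a .pfx written with the wrong password, or exported without its key, looks identical in Explorer and only fails on the day you need it.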
Secret agents
There’s a gap in this strategy. The floppy only helps if the key was exported in time: if the user profile is damaged or the account deleted before a backup was taken, every file that user encrypted on any NTFS partition stays encrypted for good. (An exported .pfx, by contrast, can be imported into any account, which can then decrypt the files.) The answer is to appoint a trusted third party who holds a certificate confirming them as a Recovery Agent. It’s like giving a trusted neighbour your house keys.
On a standalone or workgrouped PC, this should normally be the hidden administrator account, to which you log in (if you use the Welcome Screen press Control & Alt & Del twice) with the username Administrator and the case-sensitive password that was created when you installed Windows. This account has the same privileges as any other account with administrator status but it is kept out of sight and used solely for administration.
If the Administrator password is not known then another user with administrator status can reset it. In the Start, Run box, type control userpasswords2 to change any account password by selecting the account and pressing the Reset Password button. All user accounts with administrator status need protecting with a strong password: anyone who can log in as an administrator can reset the Administrator password this way and, once the recovery agent exists, read every user’s encrypted files.
Having logged in to the (rather than an) Administrator account, you need to create a data recovery certificate for the Administrator. Open a command window and type cipher /r:filename – replacing filename with your own choice of name. You’ll be prompted to specify and confirm a password. This will create in the current directory (by default the top level of the Administrator profile) two files: filename.cer, the certificate that goes into Group Policy, and filename.pfx, the matching private key protected by the password you just chose.
Open the Group Policy Editor (Start, Run Gpedit.msc). Navigate down through Computer Configuration, Windows Settings, Security Settings, Public Key Policies.
You should see Encrypting File System in the right-hand pane. Right-click this and ‘Add data recovery agent…’ This launches a wizard, which will prompt you to browse folders for a certificate – again this should open by default in your profile, where you can select the .cer file. Your certificate will be added with ‘USER_UNKNOWN’ as the user (which is normal), and you can finish the wizard. Note that the recovery agent is written into a file only when the file is encrypted or re-saved: anything encrypted before this point carries no recovery field until its owner either re-saves it or runs cipher /u, which updates every encrypted file that user can open. Administrator cannot do this on another user’s behalf, because adding the recovery field requires decrypting the file first.
Backing up the Recovery Agent’s private key is very similar to backing up a user’s. While still logged in as Administrator, run certmgr.msc (or add the Certificates snap-in as before) and look under Personal, Certificates for the certificate whose Intended Purpose is File Recovery – right-click, All tasks, Export and follow the wizard.
Again, enable strong protection and export to a floppy or other removable storage that can be securely stored. Ticking ‘Delete the private key if the export is successful’ gives further security, because while the recovery key remains on the machine anyone who gets into the Administrator account can decrypt every user’s files; the price is that you’ll have to reimport the key from the floppy before recovering data. Before you log off, delete the .cer and .pfx files you created with the cipher command.
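Once the agent is in policy, the remaining question is which existing files actually carry it. The script below is an added example, not part of the article: run it as the user who owns the files (only someone who can decrypt a file can add the recovery field to it). It scans a folder for EFS-encrypted files, asks cipher /c which of them list a recovery certificate, runs cipher /u to re-stamp the rest, and reports any that still lack one. The folder name is a placeholder, and the ‘Recovery Certificates:’ heading it looks for is an assumption about cipher.exe’s output wording, which varies between Windows versions; if the count looks wrong, read the raw cipher /c output for one file first.

```powershell
# Added example (not from the article): check that encrypted files carry the recovery
# field after a Data Recovery Agent has been added, and re-stamp those that do not.
# Run as the user who owns the files. Assumptions: $scanRoot is a placeholder, and the
# 'Recovery Certificates:' heading is assumed wording in cipher /c output.
$scanRoot = $env:USERPROFILE

function Get-EncryptedFile {
    param([Parameter(Mandatory)][string]$Root)
    # The Encrypted attribute bit marks EFS-protected files.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
}

function Test-HasRecoveryField {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists the users and the recovery certificates that can decrypt one file.
    $text = (& cipher.exe /c "$Path" 2>&1) -join "`n"
    # Assumed wording: a 'Recovery Certificates:' heading followed by at least one
    # non-empty line that is not the 'No recovery certificate found' message.
    $text -match 'Recovery Certificates:\s*\n\s*(?!No recovery certificate)\S'
}

$encrypted = @(Get-EncryptedFile -Root $scanRoot)
$missing   = @($encrypted | Where-Object { -not (Test-HasRecoveryField -Path $_.FullName) })
"{0} encrypted files under {1}; {2} without a recovery field" -f $encrypted.Count, $scanRoot, $missing.Count

if ($missing.Count -gt 0) {
    # /u rewrites the key fields of every encrypted file this user can open so they
    # reference the current user key and current recovery agent (/u /n only lists them).
    & cipher.exe /u
    $still = @($missing | Where-Object { -not (Test-HasRecoveryField -Path $_.FullName) })
    if ($still.Count -gt 0) {
        'Still lacking a recovery field (encrypted by another user, or cipher could not open them):'
        $still | ForEach-Object { $_.FullName }
    }
}
```

Running this once per user after the Group Policy change turns the recovery agent from a promise about future files into a property of the files you already have.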