Backing up and recovering encrypted data

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The main administrative tasks associated with the Encrypting File System (EFS) are backing up and restoring encrypted files, configuring a recovery policy, and recovering encrypted data.

Backing up and restoring encrypted files

Backup copies of encrypted files will also be encrypted, provided you use a backup program designed for Windows XP.

Encrypted data that is restored from a backup remains encrypted after the restore operation.

Recovering encrypted data

Data recovery refers to the process of decrypting a file without having the private key of the user who encrypted the file.

You might need to recover data with a recovery agent if:

  • A user leaves the company.

  • A user loses the private key.

  • A law enforcement agency makes a request.

To recover a file, the recovery agent:

  1. Backs up the encrypted files.

  2. Moves the backup copies to a secure system.

  3. Imports their recovery certificate and private key on that system.

  4. Restores the backup files.

  5. Decrypts the files, using Windows Explorer or the EFS cipher command.
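The five-step recovery workflow above, written out as a command script that a recovery agent would run. This is an added example, not script from the original page; the paths, the backup job name, the PFX file name and the `certutil -importpfx` call are assumptions (on Windows Server 2003 the Certificate Import Wizard in certmgr.msc is the documented way to import the agent's certificate and key).

```batch
@echo off
rem Added example (not from the original page): the recovery-agent workflow.
rem All paths and names below are assumptions for illustration only.
setlocal

set SRC=D:\Users\departed\Private
set BKF=E:\efs-recovery.bkf
set RESTORED=E:\Restored\Private
set PFX=E:\recovery-agent.pfx

rem ---- Steps 1-2 run on the file server that holds the encrypted data ----

rem Step 1: list the encryption state first (E = encrypted, U = unencrypted),
rem then back the files up. ntbackup uses the backup API, so the files are
rem written to the .bkf still encrypted; no private key is needed here.
cipher /s:%SRC%
ntbackup backup "%SRC%" /j "EFS recovery" /f "%BKF%"

rem Step 2: move %BKF% to the secure recovery system (removable media or a
rem protected share). Nothing is decrypted at this point.

rem ---- Steps 3-5 run on the secure recovery system ----

rem Step 3: import the recovery agent certificate and private key into the
rem personal store of the account that will run cipher. Assumption: the PFX
rem was exported with its private key and the prompt for its password is
rem answered interactively.
certutil -user -importpfx "%PFX%"

rem Step 4: restore the .bkf with the Backup utility. ntbackup supports
rem backup from the command line only, so this step is done in the GUI;
rem the restored files remain encrypted.

rem Step 5: confirm the restored files are still encrypted, then decrypt
rem them with the recovery agent's key. /d = decrypt, /s:dir = include
rem subdirectories, /a = operate on files as well as directories.
cipher /s:%RESTORED%
cipher /d /s:%RESTORED% /a
if errorlevel 1 (
  echo Decryption failed: check that the recovery certificate and key were imported.
  exit /b 1
)

rem Verify: every file should now be listed as U.
cipher /s:%RESTORED%
endlocal
```

Because the decryption is done on an isolated system with the agent's key imported only there, the recovery key never has to be installed on the file server itself.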

Configuring a recovery policy

You can use the Group Policy snap-in to define a data recovery policy for domain member servers or for stand-alone or workgroup servers. You can either request a recovery certificate, or export and import your recovery certificates.

You may want to delegate administration of the recovery policy to a designated administrator. Although you should limit who is authorized to recover encrypted data, allowing multiple administrators to act as recovery agents ensures that an alternative agent is available if recovery is necessary.