To use the Encrypting File System in W2K:
- Right-click the folder or file you want to encrypt
- Choose Properties
- Click Advanced in the Attributes section of the General tab
- Select the option Encrypt Contents To Secure Data in the Advanced Attributes dialog box
- Click OK and close the Properties sheet.
The cleanest method for recovering encrypted files in a domain environment is to use the Backup utility. This is a very safe method, and it can be made more secure by requiring the data recovery agent (DRA) to authenticate via a smart card. The steps involved in performing a recovery are:
- Log on as Administrator to the machine with the encrypted files.
- Run Backup and back up the encrypted files and/or folders that you want to recover.
- Log off, then log on to the secured machine that contains the DRA's private key, using the DRA account.
- Restore the files/folders from the backup.
- Decrypt the files/folders you just restored.
Another method to recover encrypted files is to export the DRA's private key and use it on the computer that holds the encrypted data. This method is a bit faster than using Backup, but it's not as secure because you have to import the private key to a destination machine.
- Log on to the machine containing the DRA's private key.
- Open an empty MMC and load the Certificates snap-in.
- To export the agent's private key, right-click on the certificate, select Export, and indicate that you want to export the private key.
- Copy the file with the private key to the machine that has the encrypted files.
- On the destination machine, use the Certificates snap-in to import the DRA's private key file.
- Decrypt the files.
- Once you are sure the operation was successful, make sure you don't leave the imported private key on the machine. Doing so could compromise EFS security.
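A check for the last step, as an added example that is not part of the original page: it lists certificates in the personal stores that carry the File Recovery enhanced key usage and still have a private key on the machine. It assumes a later Windows release with PowerShell 3.0 or newer (Windows 2000 does not ship PowerShell), and the function names are hypothetical.

```powershell
# Added example: find EFS recovery certificates whose private key is still
# present on this machine after a recovery. Assumes PowerShell 3.0+ on a
# later Windows release; function names are hypothetical.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU "File Recovery" (EFS DRA)

function Test-IsFileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Walk the certificate's extensions and look for the File Recovery EKU.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $FileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

function Get-LeftoverRecoveryKey {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        # A store may be unreadable or absent for this account; skip it quietly.
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            # Only certificates that still have the private key matter here.
            if ($cert.HasPrivateKey -and (Test-IsFileRecoveryCert -Cert $cert)) {
                [pscustomobject]@{
                    Store = $path; Subject = $cert.Subject
                    Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter
                }
            }
        }
    }
}

$leftover = @(Get-LeftoverRecoveryKey)
if ($leftover.Count -eq 0) {
    Write-Output 'No recovery certificate with a private key found in the personal stores.'
} else {
    $leftover | Format-Table -AutoSize
    Write-Warning 'A DRA private key is still on this machine; delete it once recovery is verified.'
}
```

Run it under the account that performed the import, because the CurrentUser store is per-account.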
Elcomsoft has created Advanced EFS Data Recovery to decrypt files encrypted on NTFS partitions in Windows 2000. Files can be decrypted even when the system is not bootable, so that you cannot log on, and/or some encryption keys have been tampered with. They also say decryption is possible even when Windows is protected using SYSKEY.