Windows XP Pro: Using File Encryption guide
Very easy to figure out how to create a backup and save the keys in case your computer crashes.
Check it out.
At a glance:
Originally Posted by Personal Backup
Encrypted files are backed up in the normal way using the Windows Backup utility. The files remain encrypted as part of the backup media. However, the routine for backing up your personal encryption certificate is another matter.
Begin by logging on to your user account. Then open either the Certificates snap-in for the Microsoft Management Console or Internet Explorer. If it’s the latter, select [Tools], [Internet Options] and click the [Content] tab.
· Click [Certificates] to open the Certificates dialogue box.
· On the Personal tab, select the certificate which describes itself as the Encrypting File System. There may be more than one certificate, so choose with care.
· Click [Export] to launch the Export Wizard, and then click [Next].
· Select Yes, Export The Private Key, and click [Next] twice.
· Specify the password for the .pfx file. Click [Next]. Specify the path and filename for the exported file.
· Click [Next], and click [Finish].
Now that you’ve exported a backup of the personal certificate (and stored it in a safe place) you’re prepared for the following situations:
· You lose your original key, or it becomes corrupt.
· You wish to use your encrypted files on another computer.
Either of these two procedures requires an import of the personal certificate. We’ll show you how to import your personal certificate later in the series.
Should the worst happen and your personal encryption certificate becomes unavailable for any reason, the recovery agent certificate provides you with an alternative for accessing your encrypted files. Thus, backing up this certificate is just as important as backing up your personal encryption certificate.
To back up the recovery agent certificate, log on to the same user account where you created the recovery agent and click [Start], [Run], and type secpol.msc to open the Local Security Settings console. Or go to Control Panel, Performance And Maintenance, Administrative Tools, and then Local Security Policy.
· Go to Security Settings\Public Key Policies\Encrypting File System.
· Right-click the certificate issued for the purpose of File Recovery.
· Then choose [All Tasks], [Export] to launch the Certificate Export Wizard, and click [Next]. This opens the Export File Format page.
· Select the DER Encoded Binary X.509 (.CER) format, and click [Next].
· Specify the path and filename for the exported file. Click [Next], and then click [Finish].
· Finally, remember to store all your certificate files in a secure place.
Originally Posted by Recovery agent
To create a recovery agent you first need to create a data recovery certificate. Usually, the recovery agent is assigned to the Administrator account, although you can select a different user account or create a new one if you so wish.
To generate a recovery certificate, log on as the Administrator (for example) and at a command prompt, type:
Note that “filename” should be replaced with a name of your choice. Then, when prompted, type a password to create two files with the extensions .cer and .pfx.
Be aware that the presence of these files allows anyone to become a recovery agent. So after creating the files, they should be moved to a floppy disk, for example, and then safely stored elsewhere. We’ll show you how to do that later in the series.
To create a recovery agent, remain logged on to the Administrator account.
· Click Start, Run, and type certmgr.msc to open the Certificates console.
· Go to Certificates – Current User\Personal, and choose Action, All Tasks, and Import to launch the Certificate Import Wizard.
· Click Next, and the File To Import page appears.
· Click Browse, and then select Personal Information Exchange in the Files Of Type box to see .pfx files.
· Select the .pfx file you created earlier, click Open, and then click Next.
· Enter the password you have already assigned to the certificate, and then select Mark This Key As Exportable.
· Click Next.
· Choose Automatically Select The Certificate Store Based On The Type Of Certificate.
· Click Next, and then click Finish.
Close the Certificates console, and click Start, Run and type secpol.msc. This opens the Local Security Settings console.
· Go to Security Settings\Public Key Policies\Encrypting File System, and choose Action, Add Data Recovery Agent. Click Next.
· Click Browse Folders and navigate to the .cer file you created earlier.
· Select the file and click Open. Click Next.
· The recovery agent is shown as USER_UNKNOWN. This is normal since the name isn’t stored in the file. Click Finish.
That’s it. The current user account is assigned as the recovery agent for all encrypted files on the system. So if something should happen to your own user account, you will still have the ability to log on to this account and recover the encrypted files.
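The two wizard procedures quoted above (exporting the personal Encrypting File System certificate with its private key to a password-protected .pfx, and creating a recovery agent key pair with cipher and importing its .pfx with the key marked exportable) as a PowerShell script. This is an added example, not code from the quoted guide. It assumes PowerShell 2.0 or later with the .NET X509Certificate2 classes; the folder A:\efs-backup and the base name recovery handed to cipher /r: are placeholders; and the personal EFS key is exportable, which is the case for the self-signed EFS certificates XP generates. Registering the .cer as Data Recovery Agent under secpol.msc remains a GUI step.

```powershell
# Added example, not from the quoted guide. Part 1 runs as the user whose
# EFS certificate is being backed up; part 2 as the account that will be
# the recovery agent (usually Administrator).
# Assumptions: PowerShell 2.0+ with .NET 2.0 System.Security; $BackupDir
# and $RecoveryBase are placeholders; the personal EFS key is exportable.

$BackupDir    = 'A:\efs-backup'   # assumed: removable media, as the guide advises
$RecoveryBase = 'recovery'        # assumed: name passed to cipher /r:

# Enhanced Key Usage OIDs that tell the two certificate kinds apart.
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System (user cert)
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (recovery agent cert)

$X509 = 'System.Security.Cryptography.X509Certificates'

# True if the certificate carries the given EKU OID.
function Test-HasEku($Cert, $Oid) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($u in $ext.EnhancedKeyUsages) {
                if ($u.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

# All certificates in a store that carry the EKU. The guide warns there may
# be more than one, so every match is returned and the caller decides.
function Get-CertsWithEku($StoreName, $Location, $Oid) {
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList $StoreName, $Location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $found = @($store.Certificates | Where-Object { Test-HasEku $_ $Oid })
    $store.Close()
    return $found
}

# ---- 1. Back up the personal EFS certificate and private key -------------
$pfxPassword = Read-Host -AsSecureString 'Password to protect the .pfx backup'
$efsCerts = @(Get-CertsWithEku 'My' 'CurrentUser' $EfsEku | Where-Object { $_.HasPrivateKey })
if ($efsCerts.Count -eq 0) { throw 'No EFS certificate with a private key in Current User\Personal' }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    $pfxPath = Join-Path $BackupDir ("efs-" + $cert.Thumbprint + ".pfx")
    # Export(Pfx, password) is the programmatic "Yes, export the private key";
    # it throws a CryptographicException if the key is not exportable.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
    # Verify the backup before relying on it: reload it and compare thumbprints.
    $check = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $pfxPath, $pfxPassword
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Backup $pfxPath failed verification"
    }
    Write-Host "EFS certificate $($cert.Thumbprint) backed up to $pfxPath"
}

# ---- 2. Recovery agent: generate with cipher, import with an exportable key
Push-Location $BackupDir
cipher.exe "/r:$RecoveryBase"   # prompts for a password; writes recovery.cer and recovery.pfx
Pop-Location
$raPfx = Join-Path $BackupDir "$RecoveryBase.pfx"
$raCer = Join-Path $BackupDir "$RecoveryBase.cer"
$raPassword = Read-Host -AsSecureString 'Password you gave cipher /r:'

# Exportable + PersistKeySet + UserKeySet is the wizard's "Mark This Key As
# Exportable" with the key kept in the current user's profile.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::Exportable -bor $ksf::PersistKeySet -bor $ksf::UserKeySet
$raCert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $raPfx, $raPassword, $flags
if (-not (Test-HasEku $raCert $RecoveryEku)) { throw "$raPfx is not a File Recovery certificate" }

# The .cer handed to secpol.msc must be the public half of the same key pair.
$pub = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $raCer
if ($pub.Thumbprint -ne $raCert.Thumbprint) { throw '.cer and .pfx thumbprints differ' }

$store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($raCert)   # the wizard's import into Certificates - Current User\Personal
$store.Close()
Write-Host "Recovery agent $($raCert.Thumbprint) imported; add $raCer in secpol.msc, then move $BackupDir off this machine"
```

The thumbprint round-trip in part 1 is the check the wizard never gives you: a .pfx that cannot be reloaded with its password, or that reloads without a private key, is not a backup. After part 2, the .cer and .pfx in the backup folder should leave the machine, exactly as the guide warns, because anyone holding the .pfx and its password can import it and become a recovery agent for every encrypted file on the system.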