Thread: Windows XP Pro: Using File Encryption guide

  1. #1
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    In Your Monitor

    Windows XP Pro: Using File Encryption guide

    Very easy to figure out how to create backups and save the keys in case your computer crashes.

    check it out

    at a glance:

    Quote Originally Posted by Personal Backup
    Encrypted files are backed up in the normal way using the Windows Backup utility. The files remain encrypted as part of the backup media. However, the routine for backing up your personal encryption certificate is another matter.

    Begin by logging on to your user account. Then open either the Certificates snap-in for the Microsoft Management Console or Internet Explorer. If it’s the latter, select [Tools], [Internet Options] and click the [Content] tab.

    · Click [Certificates] to open the Certificates dialogue box.

    · On the Personal tab, select the certificate which describes itself as the Encrypting File System. There may be more than one certificate, so choose with care.

    · Click [Export] to launch the Export Wizard, and then click [Next].

    · Select Yes, Export The Private Key, and click [Next] twice.

    · Specify the password for the .pfx file. Click [Next]. Specify the path and filename for the exported file.

    · Click [Next], and click [Finish].

    Now that you’ve exported a backup of the personal certificate (and stored it in a safe place) you’re prepared for the following situations:

    · You lose your original key, or it becomes corrupt.

    · You wish to use your encrypted files on another computer.

    Either of these two procedures requires an import of the personal certificate. We’ll show you how to import your personal certificate later in the series.

    Agent Backup

    Should the worst happen and your personal encryption certificate becomes unavailable for any reason, the recovery agent certificate provides you with an alternative for accessing your encrypted files. Thus, backing up this certificate is just as important as backing up your personal encryption certificate.

    To backup the recovery agent certificate, log on to the same user account where you created the recovery agent and click [Start], [Run], and type secpol.msc to open the Local Security Settings console. Or go to Control Panel, Performance And Maintenance, Administrative Tools, and then Local Security Policy.

    · Go to Security Settings\Public Key Policies\Encrypting File System.

    · Right click the certificate issued for the purpose of File Recovery.

    · Then choose [All Tasks], [Export] to launch the Certificate Export Wizard, and click [Next]. This opens the Export File Format page.

    · Select the DER Encoded Binary X.509 (.CER) format, and click [Next].

    · Specify the path and filename for the exported file. Click [Next], and then click [Finish].

    · Finally, remember to store all your certificate files in a secure place.

    Quote Originally Posted by Recovery agent
    To create a recovery agent you first need to create a data recovery certificate. Usually, the recovery agent is assigned to the Administrator account, although you can select a different user account or create a new one if you so wish.

    To generate a recovery certificate, log on as the Administrator (for example) and at a command prompt, type:

    cipher /r:filename

    Note that “filename” should be replaced with a name of your choice. Then, when prompted, type a password to create two files with the extensions .cer and .pfx.

    Be aware that the presence of these files allows anyone to become a recovery agent. So after creating the files, they should be moved to floppy, for example, and then safely stored elsewhere. We’ll show you how to do that later in the series.

    To create a recovery agent, remain logged on to the Administrator account.

    · Click Start, Run, and type certmgr.msc to open the Certificates console.

    · Go to Certificates – Current User\Personal, and choose Action, All Tasks, and Import to launch the Certificate Import Wizard.

    · Click Next, and the File To Import page appears.

    · Click Browse, and then select Personal Information Exchange in the Files Of Type box to see .pfx files.

    · Select the .pfx file you created earlier, click Open, and then click Next.

    · Enter the password you have already assigned to the certificate, and then select Mark This Key As Exportable.

    · Click Next.

    · Choose Automatically Select The Certificate Store Based On The Type Of Certificate.

    · Click Next, and then click Finish.

    Close the Certificates console, and click Start, Run and type secpol.msc. This opens the Local Security Settings console.

    · Go to Security Settings\Public Key Policies\Encrypting File System, and choose Action, Add Data Recovery Agent. Click Next.

    · Click Browse Folders and navigate to the .cer file you created earlier.

    · Select the file and click Open. Click Next.

    · The recovery agent is shown as USER_UNKNOWN. This is normal since the name isn’t stored in the file. Click Finish.

    That’s it. The current user account is assigned as the recovery agent for all encrypted files on the system. So if something should happen to your own user account, you will still have the ability to log on to this account and recover the encrypted files.
    post comments here,

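    The wizard clicks in the two quoted guides (exporting your personal EFS certificate with its private key, and generating and importing the recovery-agent key pair) can also be scripted. The script below is an added example, not part of egghead's post or the guide it quotes, and it assumes a current Windows with the PKI module (Export-PfxCertificate, Import-PfxCertificate, Export-Certificate), which XP does not have; on XP the wizards above are the way. The EFS Enhanced Key Usage OID is the standard one; the backup directory path, the function names and the password handling are this example's own choices.

```powershell
# Added example (not from the forum post or the quoted guide). Requires Windows 8 /
# Server 2012 or later for the PKI module cmdlets. Paths below are placeholders.

# Standard Enhanced Key Usage OID that marks a certificate as usable for EFS.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'
# Placeholder: put this on removable media, and (as post #6 says) never inside an
# EFS-encrypted folder, or the backup is locked behind the key it is meant to restore.
$BackupDir = 'E:\efs-backup'

function Get-EfsCertificate {
    # The "Encrypting File System" entries the wizard shows on the Personal tab:
    # current-user certificates with the EFS EKU that still have their private key.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) }
}

function Backup-EfsCertificate {
    # Equivalent of the Personal Backup steps: export each EFS certificate to a
    # password-protected .pfx ("Yes, Export The Private Key"), then verify the file.
    param([Parameter(Mandatory)][SecureString]$PfxPassword)

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cert in Get-EfsCertificate) {
        $pfx = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword | Out-Null

        # Re-open the exported file: a backup that opens but carries no private key
        # would not decrypt anything after a rebuild, so fail loudly here.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx, $PfxPassword)
        if (-not $check.HasPrivateKey) { throw "Backup $pfx contains no private key" }
        if ($check.Thumbprint -ne $cert.Thumbprint) { throw "Backup $pfx does not match the store certificate" }
        $pfx
    }
}

function New-RecoveryAgentKeyPair {
    # Same as the guide's "cipher /r:filename": writes <Base>.cer and <Base>.pfx and
    # prompts interactively for the .pfx password. cipher.exe is the built-in tool.
    param([string]$Base = (Join-Path $BackupDir 'recovery-agent'))

    & cipher.exe /r:$Base
    if ($LASTEXITCODE -ne 0) { throw 'cipher /r failed' }
    [pscustomobject]@{ Cer = "$Base.cer"; Pfx = "$Base.pfx" }
}

function Import-RecoveryAgentCertificate {
    # Equivalent of the certmgr.msc import with "Mark This Key As Exportable".
    # Adding the .cer as a Data Recovery Agent under Public Key Policies has no
    # cmdlet; that step stays in secpol.msc as the guide describes.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$PfxPassword
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $PfxPassword -Exportable
}

# Usage, run as the account whose files are encrypted:
$pw = Read-Host -AsSecureString 'Password for the exported .pfx file(s)'
Backup-EfsCertificate -PfxPassword $pw
```

    The verification step is the part the wizard does not do for you: it re-opens the .pfx with the password and checks that the private key and thumbprint are really in the file before you rely on it as the thing that lets you back in after a reinstall or password change.
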
  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Watching Your every move...
    excellent find

  3. #3
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    In Your Monitor
    i've taken the plunge to encryption but i'm not sure if i like it.

    It is ok but people can see the file names and i don't feel like james bond at all.

    my boot xp cd does not decrypt the files.

    But i can create a new account and load the key and it decrypts so not sure if i did it right.

  4. #4
    Nobody knows I'm a dog. TZ Veteran petard's Avatar
    Join Date
    Feb 2003
    This is almost as good as your "Stars List". Thanks for the post.

    Many thanks to egghead for the cool .sig

  5. #5
    Friendly Neighborhood Super Moderator phishhead's Avatar
    Join Date
    Apr 2002
    San Diego, Ca.
    doesn't it make xp slower?

  6. #6
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    In Your Monitor
    xp loads the same for me

    but if you take the plunge i recommend backing up the key right away

    so when xp crashes or you change your password you can still decrypt the files.

    save the keys and encrypt them using e4m and you should be fine leaving them on the hard drive

    but do not put them in an encrypted folder


  7. #7
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    If you want to feel like James Bond you should use NTFS streams to hide your encrypted files, they are there but no-one can see them - woohoo! Bear in mind that whatever you choose there is always a way around it and that security and convenience are opposites. You need to find a solution that doesn't inconvenience you much but that would inconvenience an interloper beyond their time limit.
    I'm using Windows 7 - you got a problem with that?