
In Windows 2003, XP, and Win2K, EFS doesn't warn or inform a user about the importance of backing up the EFS private key to a storage medium (e.g., a USB token) that's different from the hard disk that holds the OS—a big concern in standalone Windows 2003 and XP environments. In domain environments that use an integrated Windows 2003 public key infrastructure (PKI), users' EFS private keys can be automatically archived each time a user enrolls for an EFS certificate. This functionality is possible because of the integrated key-archive and -recovery service that's bundled with the Windows 2003 Certification Authority (CA). This concern is also less of a problem in Win2K, in which EFS always has a data-recovery account defined and in fact doesn't work at all if no data-recovery account is defined.

On standalone Vista and Longhorn Server systems, the OS automatically prompts the user to back up his or her EFS private key. Figure 1 shows the warning balloon that pops up from the system tray the first time a user uses EFS to encrypt data and each time a user gets a new EFS private key. When the user clicks this balloon, the dialog box that Figure 2 shows appears, and the user can choose to back up the key, receive a reminder at the next logon, or not back up the private key. If the user chooses to create a backup of the key, the OS starts the Certificate Export Wizard, from which the user can easily back up the private key to a password-protected, PKCS #12-formatted file. This file should preferably reside on a removable storage medium other than the system's hard disk.

The user can also start the key-backup wizard manually at any time from the Control Panel User Accounts applet by using the Manage your file encryption certificates option and selecting Back up the certificate and key now. The wizard, which provides a straightforward path through the key-backup process, also links to a Help file that contains recommendations for copying a user's EFS private key to a safe place.

You can still back up your EFS private key from the Microsoft Management Console (MMC) Certificates snap-in—as you might in XP and earlier. To do so, simply open your EFS certificate from the snap-in and select Copy to File on the certificate viewer's Details tab. Doing so starts the Certificate Export Wizard. This time, make sure to select the wizard's Yes, export the private key option.
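The same export the snap-in performs can be scripted. The following is an added example, not code from the original article or from Windows: it selects the certificates in the current user's personal store that carry the EFS Enhanced Key Usage and still have a private key, refuses any destination that is not a removable drive, and writes each key to a password-protected PKCS #12 (.pfx) file via the .NET X509Certificate2 Export method. The destination path and the interactive password prompt are assumptions.

```powershell
# Added example: back up the current user's EFS private key(s) to PKCS #12 files on
# removable media. Not part of the original article; the 'E:\efs-backup' destination
# and the interactive password prompt are assumptions for illustration.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # Certificates in the personal store that carry the EFS EKU and still have a
    # private key; a certificate without its private key is useless as a backup.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
        )
    }
}

function Test-RemovableDestination([string]$Path) {
    # The article recommends a medium other than the OS disk; accept only a rooted
    # path whose drive reports itself as removable.
    $root = [System.IO.Path]::GetPathRoot($Path)
    if (-not $root) { return $false }
    (New-Object System.IO.DriveInfo($root)).DriveType -eq [System.IO.DriveType]::Removable
}

function Backup-EfsPrivateKey([string]$Destination, [securestring]$Password) {
    if (-not (Test-RemovableDestination $Destination)) {
        throw "Refusing to write the key backup to a non-removable drive: $Destination"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    foreach ($cert in Get-EfsCertificate) {
        $file = Join-Path $Destination ("efs-{0}.pfx" -f $cert.Thumbprint)
        try {
            # Export(Pfx, password) produces a password-protected PKCS #12 blob; it
            # throws if the private key was generated as non-exportable.
            $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
            [System.IO.File]::WriteAllBytes($file, $pfx)
            Write-Output "Backed up $($cert.Thumbprint) to $file"
        } catch [System.Security.Cryptography.CryptographicException] {
            Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }
}

# Usage with the assumed destination: prompt for the PKCS #12 password, then export.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PKCS #12 password'
Backup-EfsPrivateKey -Destination 'E:\efs-backup' -Password $pfxPassword
```

Verify the result with the same care as a manual export: the .pfx must open with the chosen password in the Certificate Import Wizard, and the file must live only on the removable medium, not on the encrypted volume it protects.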

Remember not to confuse the EFS key backup and associated recovery mechanism that I've just described with the built-in EFS data-recovery feature. EFS data recovery is always enabled in Win2K EFS and is optional in Vista, Windows 2003, and XP EFS. EFS data recovery is based on the existence of an EFS recovery certificate and private key belonging to an administrative account. It allows access to encrypted data by the recovery account if a user loses his or her EFS private key or its backup. As such, EFS data recovery also protects against encrypted data loss.

To create a recovery certificate and private key on a standalone machine, a user with administrative privileges must run Cipher.exe as follows:

cipher /r:<filename> 

This command creates the recovery certificate and private key; you must then save the resulting file to a USB token or other removable storage medium. To update the already encrypted files with the new recovery information, administrators can run the command

cipher /u 

To create an EFS recovery certificate for domain-joined machines, you would typically enroll for a recovery certificate on an AD-integrated enterprise CA, then use the EFS GPO settings to distribute the recovery information to the domain-joined machines. For more information about doing so, see "Preventing Data Loss When Using EFS."

Easy Re-Keying
Another key-related EFS enhancement in Vista and Longhorn Server is the EFS Re-key Wizard. This wizard lets a Windows user utilize a new EFS private key to re-encrypt his or her EFS FEK. EFS doesn't automatically re-encrypt the FEK when a user gets a new EFS private key; instead, it keeps a copy of the old private key in the user's private key store (which is part of the user profile) to make sure the user maintains access to previously encrypted data.

EFS re-keying is a valuable option when users switch to a new EFS private key because it removes a user's dependency on the old keys. With re-keying, you no longer need to back up the old EFS private key and keep a copy of it to maintain access to previously encrypted data. This is true only for the EFS-protected data stored on logical drives attached to a user's local machine. You can't use the re-key wizard to re-key EFS-protected files stored on a backup medium. In other words, if in this scenario you don't want to keep your old EFS keys, you must also make sure that you back up your EFS-protected files after each re-key operation.

The EFS Re-key Wizard is especially useful when users switch from a hard disk-based EFS private key to a smart card-based EFS private key. (I'll discuss smart card support in more detail later.) With the wizard, users can gain complete independence from hard disk-based EFS private key storage: A smart card-based EFS private key can secure all EFS data, old and new. In organizations in which information security is crucial, EFS users might also need to use the EFS Re-key Wizard to regularly change their EFS private key. Changing keys more frequently reduces the chances of a successful attack. The wizard can also be useful for users who have used different keys to encrypt information on different computers, and who want to align the EFS keys between the different systems.

You can start the EFS Re-key Wizard, which Figure 3 shows, from the Control Panel User Accounts applet. Choose the Manage your file encryption certificates option, then select Create a new certificate. On the wizard's Update your previously encrypted files screen, you can select the encrypted data that you want to update with the new key material.
