Windows server private key

Back up the recovery agent Encrypting File System (EFS) private key in Windows

This article describes how to back up the recovery agent Encrypting File System (EFS) private key on a computer.

Original product version: Windows 7 Service Pack 1, Windows Server 2012 R2
Original KB number: 241201

Summary

Use the recovery agent’s private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost. This article contains information about how to use the Certificate Export Wizard to export the recovery agent’s private key from a computer that is a member of a workgroup, and from a Windows Server 2003-based, Windows 2000-based, Windows Server 2008-based or Windows Server 2008 R2-based domain controller.

Introduction

This article describes how to back up the recovery agent Encrypting File System (EFS) private key in Windows Server 2003, in Windows 2000, in Windows XP, in Windows Vista, in Windows 7, in Windows Server 2008, and in Windows Server 2008 R2. You can use the recovery agent’s private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost.

You can use EFS to encrypt data files to prevent unauthorized access. EFS uses an encryption key that is dynamically generated to encrypt the file. The File Encryption Key (FEK) is encrypted with the EFS public key and is added to the file as an EFS attribute that is named Data Decryption Field (DDF). To decrypt the FEK, you must have the corresponding EFS private key from the public-private key pair. After you decrypt the FEK, you can use the FEK to decrypt the file.

If your EFS private key is lost, you can use a recovery agent to recover encrypted files. Every time that a file is encrypted, the FEK is also encrypted with the recovery agent’s public key. This second encrypted copy of the FEK is attached to the file, alongside the copy that is encrypted with your EFS public key, in the Data Recovery Field (DRF). If you use the recovery agent’s private key, you can decrypt the FEK, and then decrypt the file.
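The DDF/DRF key flow described above, modelled with .NET crypto primitives in PowerShell. This is an added illustration, not code from the article or from EFS itself: the two RSA key pairs, the sample plaintext and the function name are constructed here, and a real EFS file carries the wrapped FEK copies in its $EFS attribute rather than in variables.

```powershell
# Added illustration of the EFS key flow; every key and byte here is constructed.
$userRsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$agentRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# 1. The file body is encrypted with a fresh, randomly generated symmetric FEK.
$aes    = [System.Security.Cryptography.Aes]::Create()
$fek    = $aes.Key      # File Encryption Key; never stored with the file in the clear
$iv     = $aes.IV
$plain  = [Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# 2. DDF: the FEK wrapped with the user's EFS public key.
$ddf = $userRsa.Encrypt($fek, $true)     # $true selects RSA-OAEP padding
# 3. DRF: the very same FEK wrapped with the recovery agent's public key.
$drf = $agentRsa.Encrypt($fek, $true)
# Only the two wrapped copies travel with the file; drop the raw FEK.
$fek = $null; $aes.Dispose()

function Unprotect-SampleFile {
    param([byte[]]$WrappedFek, $PrivateKey, [byte[]]$CipherText, [byte[]]$IV)
    # Unwrap the FEK with the private key that matches this wrapped copy,
    # then use the recovered FEK to decrypt the file body.
    $key = $PrivateKey.Decrypt($WrappedFek, $true)
    $dec = [System.Security.Cryptography.Aes]::Create()
    $dec.Key = $key; $dec.IV = $IV
    $out = $dec.CreateDecryptor().TransformFinalBlock($CipherText, 0, $CipherText.Length)
    [Text.Encoding]::UTF8.GetString($out)
}

# Normal access: the user's private key opens the DDF copy.
Unprotect-SampleFile -WrappedFek $ddf -PrivateKey $userRsa -CipherText $cipher -IV $iv

# The user's private key is lost (profile gone, key never backed up): the DDF copy
# is now useless, but the DRF copy still yields the same FEK to the recovery agent.
Remove-Variable userRsa
Unprotect-SampleFile -WrappedFek $drf -PrivateKey $agentRsa -CipherText $cipher -IV $iv
```

Both calls return the constructed plaintext, which is exactly why the recovery agent's private key must be backed up and guarded as carefully as the users' own keys.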

By default, if a computer that is running Microsoft Windows 2000 Professional is a member of a workgroup or is a member of a Microsoft Windows NT 4.0 domain, the local administrator who first logs on to the computer is designated as the default recovery agent. By default, if a computer that is running Windows XP or Windows 2000 is a member of a Windows Server 2003 domain or a Windows 2000 domain, the built-in Administrator account on the first domain controller in the domain is designated as the default recovery agent.

A computer that is running Windows XP and that is a member of a workgroup does not have a default recovery agent. You have to manually create a local recovery agent.

After you export the private key to a floppy disk or other removable media, store the disk or media in a secure location. If someone gains access to your EFS private key, that person can gain access to your encrypted data.

Export the recovery agent’s private key from a computer that is a member of a workgroup

To export the recovery agent’s private key from a computer that is a member of a workgroup, follow these steps:

1. Log on to the computer by using the recovery agent’s local user account.

2. Click Start, click Run, type mmc, and then click OK.

3. On the File menu, click Add/Remove Snap-in. Then click Add in Windows Server 2003, in Windows XP or in Windows 2000. Or click OK in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2.

4. Under Available Standalone Snap-ins, click Certificates, and then click Add.

5. Click My user account, and then click Finish.

6. Click Close, and then click OK in Windows Server 2003, in Windows XP or in Windows 2000. Or click OK in Windows Vista, in Windows 7, in Windows Server 2008 or in Windows Server 2008 R2.

7. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.

8. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.

9. Right-click the certificate that you located in step 8, point to All Tasks, and then click Export. The Certificate Export Wizard starts.

10. Click Next.

11. Click Yes, export the private key, and then click Next.

12. Click Personal Information Exchange - PKCS #12 (.PFX).

    We strongly recommend that you also select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

    If you select the Delete the private key if the export is successful check box, the private key is removed from the computer and you will not be able to decrypt any encrypted files.

13. Click Next.

14. Specify a password, and then click Next.

15. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

    We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

16. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.

Export the domain recovery agent’s private key

The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or if the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent.

To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.

To export the domain recovery agent’s private key, follow these steps:

1. Locate the first domain controller that was promoted in the domain.

2. Log on to the domain controller by using the built-in Administrator account.

3. Click Start, click Run, type mmc, and then click OK.

4. On the File menu, click Add/Remove Snap-in. Then click Add in Windows Server 2003 or in Windows 2000. Or click OK in Windows Server 2008 or in Windows Server 2008 R2.

5. Under Available Standalone Snap-ins, click Certificates, and then click Add.

6. Click My user account, and then click Finish.

7. Click Close, and then click OK in Windows Server 2003 or in Windows 2000. Or click OK in Windows Server 2008 or in Windows Server 2008 R2.

8. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.

9. Locate the certificate that displays the words "File Recovery" (without the quotation marks) in the Intended Purposes column.

10. Right-click the certificate that you located in step 9, point to All Tasks, and then click Export. The Certificate Export Wizard starts.

11. Click Next.

12. Click Yes, export the private key, and then click Next.

13. Click Personal Information Exchange - PKCS #12 (.PFX).

    We strongly recommend that you select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

    If you select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent’s private key only in situations when you need it to recover files. At all other times, export, and then store the recovery agent’s private key offline to help maintain its security.

14. Click Next.

15. Specify a password, and then click Next.

16. Specify a file name and location where you want to export the certificate and the private key, and then click Next.

    We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

17. Verify the settings that are displayed on the Completing the Certificate Export Wizard page, and then click Finish.
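The same export, for both the workgroup and the domain procedure above, done from PowerShell instead of the wizard. This is an added example, not code from the article: it selects the certificate whose Intended Purposes column reads File Recovery (EKU OID 1.3.6.1.4.1.311.10.3.4.1) in the current user's Personal store, writes a password-protected PFX with Export-PfxCertificate (available on Windows 8 / Windows Server 2012 and later, so not on the older versions the article lists), and reloads the file to confirm the private key is actually inside. The function name and the output path are assumptions.

```powershell
function Export-EfsRecoveryAgentKey {
    param(
        [Parameter(Mandatory)][string]$Path,              # e.g. a .pfx on removable media
        [Parameter(Mandatory)][securestring]$Password
    )
    # "File Recovery" in the Intended Purposes column is the EKU with this OID.
    $fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid })
    }
    if (-not $candidates) { throw 'No File Recovery certificate in Cert:\CurrentUser\My.' }
    if (@($candidates).Count -gt 1) {
        throw "Several File Recovery certificates found; pick one by thumbprint: $($candidates.Thumbprint -join ', ')"
    }
    $cert = $candidates
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key on this computer; nothing to back up."
    }

    # Certificate plus private key go into the PFX. Unlike the wizard's
    # "Delete the private key" option, this leaves the key on the computer.
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $Password -ChainOption EndEntityCertOnly | Out-Null

    # Reload the file to prove the private key made it into the PFX before the media is stored away.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password
    if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
        throw "Export to $Path did not produce a usable private key."
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Path = $Path }
}

# Usage (path is a placeholder); the password is read interactively rather than hard-coded.
# Export-EfsRecoveryAgentKey -Path 'E:\efs-recovery-agent.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```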

Assign a private key to a new certificate after deleting the original certificate in IIS

This article describes how to recover a private key after you use the Certificates Microsoft Management Console (MMC) snap-in to delete the original certificate in Internet Information Services (IIS).

Original product version: Internet Information Services
Original KB number: 889651

Summary

You delete the original certificate from the personal folder in the local computer’s certificate store. This article assumes that you have the matching certificate file backed up as a PKCS#7 file, a .cer file, or a .crt file. When you delete a certificate on a computer that’s running IIS, the private key isn’t deleted.

Assign the existing private key to a new certificate

To assign the existing private key to a new certificate, you must use the Windows Server version of Certutil.exe. To do it, follow these steps:

1. Sign in to the computer that issued the certificate request by using an account that has administrative permissions.

2. Select Start, select Run, type mmc, and then select OK.

3. On the File menu, select Add/Remove Snap-in.

4. In the Add/Remove Snap-in dialog box, select Add.

5. Select Certificates, and then select Add.

6. In the Certificates snap-in dialog box, select Computer account, and then select Next.

7. In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then select Finish.

8. Select Close, and then select OK.

9. In the Certificates snap-in, expand Certificates, right-click the Personal folder, point to All Tasks, and then select Import.

10. On the Welcome to the Certificate Import Wizard page, select Next.

11. On the File to Import page, select Browse.

12. In the Open dialog box, select the new certificate, select Open, and then select Next.

13. On the Certificate Store page, select Place all certificates in the following store, and then select Browse.

14. In the Select Certificate Store dialog box, select Personal, select OK, select Next, and then select Finish.

15. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.

16. In the Certificate dialog box, select the Details tab.

17. Select Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.

18. Select Start, select Run, type cmd, and then select OK.

19. At the command prompt, type the following command:

    SerialNumber is the serial number that you wrote down in step 17.

20. In the Certificates snap-in, right-click Certificates, and then select Refresh.

The certificate now has an associated private key.

You can now use the IIS MMC to assign the recovered keyset (certificate) to the web site that you want.
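The key re-association from step 19, wrapped in a PowerShell function as an added example (not code from the KB article). It assumes the certificate was already imported into the local computer's Personal store as in the steps above, that the prompt is elevated, and that the serial number is passed exactly as copied from the Details tab; the function name is an assumption. The point of the wrapper is the before/after check on HasPrivateKey, which is what tells you whether certutil actually found the orphaned key.

```powershell
function Repair-OrphanedCertificateKey {
    param([Parameter(Mandatory)][string]$SerialNumber)

    # The Details tab shows the serial number with spaces between bytes; strip them.
    $serial = ($SerialNumber -replace '\s', '').ToUpperInvariant()

    $before = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber.ToUpperInvariant() -eq $serial }
    if (-not $before) { throw "No certificate with serial number $serial in Cert:\LocalMachine\My." }
    if ($before.HasPrivateKey) {
        Write-Warning "Certificate $($before.Thumbprint) already has a private key; nothing to repair."
        return $before
    }

    # certutil -repairstore searches the machine key containers for a key whose public
    # half matches the certificate and re-links the two. Requires an elevated prompt.
    $output = & certutil.exe -repairstore my $serial 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed (exit code $LASTEXITCODE):`n$($output -join "`n")"
    }

    # Re-read the store; the object fetched above does not reflect the repair.
    $after = Get-Item "Cert:\LocalMachine\My\$($before.Thumbprint)"
    if (-not $after.HasPrivateKey) {
        throw 'certutil completed but no matching private key was found; it may already have been deleted.'
    }
    $after
}

# Usage with a placeholder serial number, as copied from the Details tab:
# Repair-OrphanedCertificateKey -SerialNumber '00 11 22 33 44 55'
```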

Export the Private Key Portion of a Server Authentication Certificate

Every federation server in an Active Directory Federation Services (AD FS) farm must have access to the private key of the server authentication certificate. If you are implementing a server farm of federation servers or Web servers, you must have a single authentication certificate. This certificate must be issued by an enterprise certification authority (CA), and it must have an exportable private key. The private key of the server authentication certificate must be exportable so that it can be made available to all the servers in the farm.

This same concept is true of federation server proxy farms in the sense that all federation server proxies in a farm must share the private key portion of the same server authentication certificate.

The AD FS Management snap-in refers to server authentication certificates for federation servers as service communication certificates.

Depending on which role this computer will play, use this procedure on the federation server computer or federation server proxy computer where you installed the server authentication certificate with the private key. When you finish the procedure, you can then import this certificate on the Default Web Site of each server in the farm. For more information, see Import a Server Authentication Certificate to the Default Web Site.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups.

To export the private key portion of a server authentication certificate

1. On the Start screen, type Internet Information Services (IIS) Manager, and then press ENTER.

2. In the console tree, click ComputerName.

3. In the center pane, double-click Server Certificates.

4. In the center pane, right-click the certificate that you want to export, and then click Export.

5. In the Export Certificate dialog box, click the ... button.

6. In File name, type C:\NameofCertificate, and then click Open.

7. Type a password for the certificate, confirm it, and then click OK.

8. Validate the success of your export by confirming that the file you specified is created at the specified location.

So that this certificate can be imported to the local certificate store on the new server, you must transfer the file to physical media and protect its security during transport to the new server. It is extremely important to guard the security of the private key. If this key is compromised, the security of your entire AD FS deployment (including resources within your organization and in resource partner organizations) is compromised.
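A pre-flight check for the requirement stated above that the service communication certificate must carry an exportable private key, as an added example (not part of the AD FS documentation). It reads the certificate from the local computer's Personal store, confirms the Server Authentication EKU (1.3.6.1.5.5.7.3.1), and inspects the key's export policy through .NET, which differs between CNG keys and legacy CAPI key containers. It assumes .NET Framework 4.6 or later (for RSACertificateExtensions) and an RSA key; the function name is an assumption.

```powershell
function Test-ServerCertKeyExportable {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    # A service communication certificate must carry the Server Authentication EKU.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    $exportable = $false; $provider = 'none'
    if ($cert.HasPrivateKey) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: export rights are a property of the key itself.
            $provider = 'CNG'
            $pol = [System.Security.Cryptography.CngExportPolicies]
            $policy = $rsa.Key.ExportPolicy
            $exportable = $policy.HasFlag($pol::AllowExport) -or $policy.HasFlag($pol::AllowPlaintextExport)
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key container.
            $provider = 'CAPI'
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        } else {
            $provider = 'non-RSA or inaccessible'   # e.g. ECDSA key, or no read access to the key
        }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        ServerAuthEku = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider
        Exportable    = $exportable
        ReadyForFarm  = ($serverAuth -and $cert.HasPrivateKey -and $exportable)
    }
}

# Usage: check every certificate in the machine store before attempting the IIS export.
# Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-ServerCertKeyExportable $_.Thumbprint }
```

A certificate that reports Exportable = False cannot be shared with the farm this way; it has to be re-issued from the enterprise CA with a template that allows private key export.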
