The Recovery Agent

Private keys are kept in a protective key store. If users lose their file encryption certificates and private keys, their files can be recovered by using the recovery agent. The recovery agent, which can decrypt their files, is part of the recovery policy that is implemented when a user receives the first file encryption certificate. When the recovery agent receives the data recovery certificate, the agent should export it, store it in a safe place, and then delete the data recovery certificate from the system hard disk. This way only the person who has physical access to the data recovery certificate can recover the data. If a user loses a private key and you need to carry out data recovery, the recovery agent can obtain the data recovery certificate from the storage location and import it back into the system.

Once the data recovery certificate is imported back into the system, the recovery agent can use it to recover the data from the user's encrypted files. When you complete the data recovery, the data recovery certificate should be deleted immediately from the system for security reasons, so that there is no chance that someone can access it after you are finished using it. There is no reason to export the data recovery certificate back to the safe storage area, because it is still stored there and can be imported over and over again.

If you attempt to use the Encrypting File System (EFS) on a Windows NT NTFS partition, Windows 2000 automatically upgrades the partition to Windows 2000 NTFS format so that you can encrypt the data.
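One way to check that the data recovery certificate really was removed after the export or after a recovery session, shown here as an added example that is not part of the original text. It assumes a current Windows system with PowerShell (which Windows 2000 does not include), that the recovery certificate carries the File Recovery enhanced key usage, and that it is run under the recovery agent's account; the function names are hypothetical.

```powershell
# OID of the "File Recovery" enhanced key usage found on EFS data recovery certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Hypothetical helper: true if the certificate lists File Recovery in its EKU extension.
function Test-IsFileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $FileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

# Hypothetical helper: list recovery certificates whose private key is still on this machine.
# A certificate without its private key cannot decrypt anything, so only keyed entries matter.
function Find-ResidentRecoveryKey {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.HasPrivateKey -and (Test-IsFileRecoveryCert $_) } |
            Select-Object @{n='Store';e={$path}}, Subject, Thumbprint, NotAfter
    }
}

$found = @(Find-ResidentRecoveryKey)
if ($found.Count -eq 0) {
    'No data recovery private key is resident in the checked stores.'
} else {
    $found | Format-Table -AutoSize
    Write-Warning 'A data recovery private key is still on this system; delete it once the exported copy is confirmed in safe storage.'
}
```

The check only reports; confirm the exported copy can be imported before deleting anything it flags.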

Compression and encryption are not compatible. If you specify both attributes for a file, encryption will override compression. This will only happen if you are using the cipher command at the command prompt (run cipher /? to see its syntax). The Windows 2000 GUI simply toggles between encryption and compression.

