With the introduction of Windows Server 2003 PKI, EFS supports two methods of recovering an EFS-encrypted file when a user no longer has access to his or her EFS encryption private key:
Data recovery. An EFS Recovery Agent uses its recovery private key to remove EFS encryption from the file. Once the file is decrypted, the user can open the plaintext file and re-encrypt it with a newly issued certificate that carries the Encrypting File System OID.
Key recovery. The user's original certificate and private key are retrieved from the CA database (this requires that key archival was in effect when the certificate was issued) and restored to the user's profile. With the original private key back, the user can again decrypt the FEK stored in the DDF of the EFS-encrypted file, restoring access to the file without the file itself ever being decrypted on disk.
The following sections discuss some of the design decisions an organization faces when choosing between data recovery and key recovery, or a mix of both.
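The two recovery paths above, written out as the administrative commands each one involves. This is an added example and not part of the original article; the file path, CA configuration string, certificate serial number, PFX password and output locations are placeholders, and the commands assume the account running them holds the relevant private key (the Recovery Agent key for data recovery, the Key Recovery Agent key for key recovery).

```powershell
# Added example (not from the original article): EFS data recovery versus
# key recovery on a Windows Server 2003-era PKI.
# All paths, names and the serial number below are placeholders.

$EncryptedFile = 'C:\Data\report.docx'   # placeholder: an EFS-encrypted file

# --- Path 1: data recovery (run as the EFS Recovery Agent) ---
# Show who can open the file: the owner's certificate (DDF) and the
# recovery agents' certificates (DRF) are both listed.
cipher.exe /c $EncryptedFile

# The Recovery Agent decrypts the file with the recovery private key,
# which must be present in the agent's profile. Encryption is removed.
cipher.exe /d $EncryptedFile

# Later, the user (holding a newly issued EFS certificate) re-encrypts the
# plaintext file; the new certificate's public key now wraps the FEK in the DDF.
cipher.exe /e $EncryptedFile

# --- Path 2: key recovery (CA administrator plus Key Recovery Agent) ---
# Step 1 (CA administrator): pull the archived key blob for the user's
# certificate from the CA database. Works only if key archival was enabled
# on the certificate template when the certificate was issued.
certutil.exe -config 'CAHOST\CA-Name' -GetKey '<cert-serial-number>' 'C:\Recovery\user.blob'

# Step 2 (Key Recovery Agent): decrypt the blob with the KRA private key,
# producing a password-protected PFX with the original certificate and key.
certutil.exe -p 'PlaceholderPfxPassword' -RecoverKey 'C:\Recovery\user.blob' 'C:\Recovery\user.pfx'

# Step 3 (the user): import the PFX into the user's own profile. The
# original private key can now unwrap the FEK from the file's DDF, so the
# file opens as before and is never stored in plaintext on disk.
certutil.exe -user -p 'PlaceholderPfxPassword' -ImportPFX 'C:\Recovery\user.pfx'
```

The operational difference is visible in the commands: data recovery leaves a plaintext copy on disk between `cipher /d` and `cipher /e` and involves the Recovery Agent in the file itself, while key recovery touches only key material and never the file, but depends on key archival having been configured in advance.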