Recovering a File or Folder

The process for recovering an encrypted file or folder when users have lost their private keys includes the following:

  1. The user can use a secure protocol, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) encrypted mail, to send the file or folder to the recovery administrator. Or the user can use Windows 2000 Backup to back up the encrypted file and send the backup file as a regular e-mail attachment.

  2. The recovery administrator decrypts the file or folder by running cipher from the command line. (To use this, the recovery agent certificate and private key must be installed on the recovery computer and the administrator must be logged on as the recovery agent account.)

  3. The administrator makes a backup of the plaintext file and sends it back to the user with a secure protocol, such as S/MIME encrypted mail.

If the administrator has followed the procedure described earlier under "Securing the Recovery Key," the recovery agent account's certificate and public key are offline and securely stored in a .pfx file. To use the certificate on a recovery computer, you must import the certificate into the personal certificate store for the designated recovery account. For more information about importing certificates, see Certificates Help.

After you are done using the certificate for file recovery, delete it from the hard disk. There is no need to export it again because it remains on the removable medium.

Note that in this process the private key for recovery always stays on a designated recovery computer. The recovery agent administrator could bring his or her private key to the owner's computer, but it is not a good security practice to copy a private key on another computer.