Using File Encryption
Setting Up a Recovery Agent
What happens to your data if some day you forget your password and someone
has to set you a new one, or if you are forced to reload Windows 8 because of
a major Windows or hardware failure? In all these events you end up losing
access to any files you encrypted earlier because of the way the encryption
system is safeguarded. If you encrypt files on your computer, you want to make
sure that they are safe and no one but you can read them. Windows needs to
make sure that your encrypted files can be decrypted only by the account that
protected them.
If someone else has an Administrator account on your computer, he is capable
of setting a new password for your account and logging on using your username
and password. Typically, anyone logging on to your account has full access to
all your encrypted files; however, in the preceding scenario, to protect your files
Windows removes access to them so that even your account can no longer access
the files. This feature has both good and bad effects. It is very good because it is
smart enough to protect your data from an untrusted administrator; however,
you can also lose access to your own documents. There is a solution to this
dilemma. By using local group policy, you can specify a Recovery Agent that
will always give you the ability to decrypt your own files.
This works by instructing the encryption system to add an extra certificate
reference to the file while it is encrypting it. This extra certificate
reference belongs to what is commonly called the Recovery Agent. Setting up the
Recovery Agent is two-fold. First you must generate the certificate assigned to
the Recovery Agent. Then you need to set up the encryption system to use it.
Follow these steps to get your Recovery Agent up and running:
1. Log on to an account on your computer that is a member of the Administrator
2. Open the Start screen, type cmd, and hit Enter.
3. Once Command Prompt is shown, type in mkdir c:\RA and hit Enter.
4. Then type cipher /r:c:\RA and hit Enter.
5. When prompted, type a password to protect the Recovery Agent
certificate, and then press Enter. You have to do this a second time to confirm
the password was entered correctly.
When the command is finished, it will have generated two files: recovery.cer
and recovery.pfx. I go into more detail on these files later.
6. Open the Start screen, type secpol.msc, and press Enter.
7. Expand Public Key Policies, right-click Encrypting File System, and then
select Add Data Recovery Agent.
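The same procedure, carried out from an elevated PowerShell session and followed by a check that the recovery agent is actually attached to newly encrypted files. This is an added example, not text or code from the book. It assumes Windows 8 or later with cipher.exe present, and it uses C:\RA\recovery as the base name passed to cipher /r (an assumption chosen so the output files land in C:\RA under the names the steps above mention; cipher appends .cer and .pfx to whatever base name it is given). Steps 6 and 7 (secpol.msc, Add Data Recovery Agent) are a GUI action and are not scripted here; the verification at the end shows whether they were completed.

```powershell
# Added example: generate an EFS Data Recovery Agent certificate and verify
# that new encrypted files reference it. Run from an elevated PowerShell session.
# Assumption: base name C:\RA\recovery (cipher appends .cer and .pfx to it).

$raDir  = 'C:\RA'
$raBase = Join-Path $raDir 'recovery'   # hypothetical base name for the DRA files
$cer    = "$raBase.cer"                 # public certificate, imported via secpol.msc
$pfx    = "$raBase.pfx"                 # certificate plus private key, password protected

# Step 3: create the directory that will hold the recovery agent files.
New-Item -ItemType Directory -Path $raDir -Force | Out-Null

# Steps 4-5: generate the certificate and key. cipher /r prompts interactively
# for the .pfx password; there is no switch to pass it on the command line.
cipher.exe "/r:$raBase"

# Confirm both files the procedure describes were written.
if (-not (Test-Path $cer) -or -not (Test-Path $pfx)) {
    throw "cipher /r did not produce $cer and $pfx"
}

# Inspect the public certificate. A valid EFS recovery certificate carries the
# "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$cert | Format-List Subject, NotAfter, Thumbprint, EnhancedKeyUsageList
$ekuOk = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4.1' }
if (-not $ekuOk) { throw "$cer does not carry the File Recovery EKU" }

# After steps 6-7 have been done in secpol.msc, encrypt a throwaway file
# (constructed test content) and list who can decrypt it. The "Recovery
# Certificates" section of cipher /c output should now name the new agent.
$testFile = Join-Path $env:TEMP 'efs-dra-check.txt'
Set-Content -Path $testFile -Value 'constructed test content'
cipher.exe /e $testFile | Out-Null
cipher.exe /c $testFile
Remove-Item $testFile -Force
```

Files encrypted before the recovery agent was added do not reference it; running cipher.exe /u on the machine rewrites the recovery field of every encrypted file you can access so the new agent covers them too. The .pfx file is the sensitive half: whoever holds it and its password can decrypt every file the agent covers, so after you have imported the .cer, move the .pfx to offline storage and remove it from the computer.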
