
Windows Server 2012 Active Directory Certificate Services System State Backup and Restore

March 22nd, 2013

Windows Server 2012 System State Backup allows an administrator to back up several operating system components, including those required for a successful restore of a certification authority. Any certification authority backup should include the private key, the certificate database and its logs, and the certification authority’s registry configuration.

The Windows Server Backup feature must be installed on the certification authority to take a System State Backup. In Windows Server 2012 it has been enhanced so that the administrator can take a System State Backup from the feature’s Graphical User Interface (GUI) or from the command line. Furthermore, System State Backup in Windows Server 2012 backs up the certification authority’s private key without the need to install any hotfixes.

Note: Windows Server 2008 and 2008 R2 required installing a hotfix to back up the private key using System State Backup.

Steps Required to Back-up the Certification Authority Using System State Backup

There are two easy steps to prepare the certification authority for a System State Backup.

1. Install the Windows Server Backup feature

2. Schedule a System State Backup

Install Windows Server Backup Feature

Windows Server Backup is not enabled by default on Windows Server 2012. The feature needs to be installed before taking or scheduling a System State Backup.

1. Log on to the certification authority and select Manage in Server Manager

2. Click Add Roles and Features

3. Click Next in the Before you begin screen

4. Select Role-based or feature-based installation and then click Next

5. Select the local server in the Select destination server screen

6. Click Next in the Select server roles screen

7. Select Windows Server Backup in the Select features screen and then click Next

8. Select Install in the Confirm installation selections screen

9. Click Close

Note: The Windows Server Backup feature can also be installed from PowerShell with the Install-WindowsFeature -Name Windows-Server-Backup cmdlet.

Schedule a System State Backup

Windows Server Backup only allows administrators to back up the system to a non-critical volume. Setting the registry key described in KB944530 provides a workaround to this limitation, but it is not recommended in production because it might cause a critical volume to fill up quickly. In general, make sure you have a volume, disk or network share other than your C: drive designated for the certification authority’s backup.

Using the Graphical User Interface (GUI)

1. Log on to the certification authority and select Tools in Server Manager

2. Click Windows Server Backup

3. Select Local Backup

4. Click Backup Schedule

5. Click Next in the Getting Started screen

6. Click Custom – I want to choose custom volumes, files for backup and then click Next

7. Click Add Items in the Select Items for Backup screen

8. Select System State and then click OK

9. Click Next in the Select Items for Backup screen

10. Choose the backup frequency and run time in Specify Backup Time and then click Next

11. Select the backup destination in Specify Destination and then click Next

Note: The rest of this document assumes a dedicated volume to back up the certification authority to. The wording might be slightly different if you chose a network share for your backup location.

12. Click Add in Select Destination, select the dedicated volume and then click OK

13. Click Next

14. Review the scheduled backup settings in the Confirmation screen and then click Finish

Using the Command Line

Windows Server Backup can also be configured from the command line. The command line tool Wbadmin has many verbs that identify backups, volumes and disks, create jobs, and more. The disk identifier of the backup target has to be known before scheduling any backup job.

The disk identifier is retrieved by running:

wbadmin get disks

Note the Volumes label in the screen shot. The scheduled backup should target a non-System Reserved volume. The volume with the Disk Identifier {eb9c44d8-0000-0000-0000-000000000000} is the clear choice for the backup files.

The next step is creating a scheduled task to take a System State Backup to the specified volume. This is also done with the Wbadmin command line tool, using the enable backup verb. For example, run the following command to set up a backup job that runs daily at 10:00 PM and includes System State:

wbadmin enable backup -addtarget:{eb9c44d8-0000-0000-0000-000000000000} -schedule:22:00 -systemState

Note: If you prefer to take a one-time System State Backup, run wbadmin start systemstatebackup -backupTarget:<non-critical volume DriveLetter>

Using PowerShell

Setting up a scheduled System State Backup might seem intimidating at first. The tasks involve creating a backup policy, a backup target and a schedule, and then tying all of that together in the policy. Let us go through them one at a time.

The first command stores the result of the New-WBPolicy cmdlet in the variable named $Policy:

PS C:\> $Policy = New-WBPolicy

Setting the volume as the System State Backup path

This command creates a WBBackupTarget object that uses the volume with drive letter E: as the backup storage location. You can add multiple volumes for storage to the WBPolicy object that contains the backup policy.

PS C:\> $volumeBackupLocation = New-WBBackupTarget -VolumePath E:

This command adds the system state to the backup policy in the $Policy variable.

PS C:\> Add-WBSystemState -Policy $Policy

This command adds the backup location (volume E:) to the backup policy in the $Policy variable.

PS C:\> Add-WBBackupTarget -Policy $Policy -Target $volumeBackupLocation

This command sets the backup schedule in the $Policy variable to run daily at 10 PM.

PS C:\> Set-WBSchedule -Policy $Policy -Schedule 22:00:00

This is the last command; it makes the policy in the $Policy variable the active scheduled backup policy.

PS C:\> Set-WBPolicy -Policy $Policy
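The same five cmdlets, wrapped in one function with the checks a CA administrator wants before and after scheduling; this is an added example, not code from the original post. It assumes the WindowsServerBackup module, a dedicated backup volume (E: by default), and the documented WBPolicy properties SystemState, Schedule and BackupTargets.

```powershell
# Added example (not from the original post). Assumed: WindowsServerBackup module,
# a dedicated non-critical backup volume, and the WBPolicy property names
# SystemState, Schedule and BackupTargets as documented for the module.
Import-Module WindowsServerBackup

function Register-CASystemStateBackup {
    param(
        [string]$VolumePath = 'E:',
        [datetime]$DailyAt = [datetime]'22:00:00'
    )

    # Never target a critical volume: the system drive holds the CA database and
    # registry this backup is meant to protect, and Windows Server Backup refuses
    # it anyway without the KB944530 workaround.
    if ($VolumePath.TrimEnd('\') -ieq $env:SystemDrive) {
        throw "Refusing to back up System State onto the system drive $VolumePath"
    }

    # Build the policy exactly as the five interactive commands do
    $Policy = New-WBPolicy
    $target = New-WBBackupTarget -VolumePath $VolumePath
    Add-WBSystemState -Policy $Policy
    Add-WBBackupTarget -Policy $Policy -Target $target | Out-Null
    Set-WBSchedule -Policy $Policy -Schedule $DailyAt | Out-Null
    Set-WBPolicy -Policy $Policy      # registers $Policy as the active scheduled backup

    # Read the active policy back from Windows Server Backup instead of trusting the
    # in-memory object, and fail loudly if System State or the schedule did not stick.
    $active = Get-WBPolicy
    if (-not $active.SystemState) {
        throw 'The active backup policy does not include System State'
    }
    if (-not ($active.Schedule | Where-Object { $_.TimeOfDay -eq $DailyAt.TimeOfDay })) {
        throw 'The active backup policy does not run at the requested time'
    }

    # Return the policy so the targets and schedule can be reviewed or logged
    $active
}

Register-CASystemStateBackup -VolumePath 'E:'
```

Set-WBPolicy prompts for confirmation when run interactively, exactly as the single command does.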

  

Steps Required to Restore the Certification Authority from System State Backup

The steps listed in this section detail three different approaches to restoring the certification authority: the Windows Server Backup Graphical User Interface (GUI), the Windows Server Backup command line, and the Windows Server Backup PowerShell cmdlets.

General Steps Required to Restore the Certification Authority

The general steps to restore the certification authority are the preliminary steps required before attempting any other restore activity. These steps are:

1. Install Windows Server 2012 Standard or Datacenter Edition, depending on the certification authority’s previously installed operating system version.

2. Join the server to the same domain or workgroup

3. Ensure access to the System State backup media

4. Install the Windows Server Backup feature

Restore the Certification Authority Using Windows Server Backup GUI

1. Select Tools in Server Manager

2. Select Windows Server Backup

3. Select Local Backup

4. In the Actions menu, select Recover

5. In the Getting Started window, select This server (local server name) and then click Next

6. In the Select Backup Date window, choose the backup to restore from and then click Next

7. In the Select Recovery Type window, select System State and then click Next

8. In the Select Location for System State Recovery window, select Original Location and then click Next

9. Review your selections in the Confirmation window, make sure Automatically reboot the server to complete the recovery process is selected, and then click Recover

10. Click Yes in the screen warning you about cancelling or pausing the System State recovery once the recovery operation has started

11. At this point, System State recovery restores the certification authority and automatically reboots the server

12. After the server reboots, log on and press Enter to continue when prompted to confirm the System State recovery

Restore the Certification Authority Using Windows Server Backup Command Line

1. Start the Command Prompt (Admin)

2. List the backup history by running wbadmin get versions and note the version identifier of the latest backup. The backup’s Can recover value should clearly indicate that System State is included in the backup.

3. Start System State recovery by typing wbadmin start systemstaterecovery -version:<version identifier value> -backupTarget:<backup location>

For example, the version identifier of my latest backup is 03/14/2013-04:03 and it is stored on C:, hence the command is wbadmin start systemstaterecovery -version:03/14/2013-04:03 -backupTarget:c:

4. Type Y and then hit Enter to start System State recovery

5. Type Y and then hit Enter to confirm. System State recovery will start restoring files

6. Type Y and then hit Enter to restart the system to complete the System State restore

Restore the Certification Authority Using Windows Server Backup PowerShell Cmdlets

1. Start PowerShell as an Administrator

2. Set the $Backup variable using the Get-WBBackupSet cmdlet

PS C:\> $Backup = Get-WBBackupSet

3. Start the system state recovery from the backup set in $Backup.

PS C:\> Start-WBSystemStateRecovery -BackupSet $Backup

4. Type Y when prompted to restore System State to the original location

5. Type Y to confirm the required system restart
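Get-WBBackupSet returns every backup set on the target, so $Backup holds an array as soon as more than one backup exists, while Start-WBSystemStateRecovery expects a single set. The following added example (not from the original post) picks the newest set that actually contains System State before starting the recovery; it assumes the WindowsServerBackup module, backups stored on E:, and the documented WBBackupSet properties RecoverableItems, VersionId and BackupTime.

```powershell
# Added example (not from the original post). Assumed: WindowsServerBackup module,
# backup sets on E:, and the WBBackupSet properties RecoverableItems, VersionId
# and BackupTime as documented for the module.
Import-Module WindowsServerBackup

function Get-LatestSystemStateBackupSet {
    param([string]$VolumePath = 'E:')

    $target = New-WBBackupTarget -VolumePath $VolumePath
    $sets   = @(Get-WBBackupSet -BackupTarget $target)
    if ($sets.Count -eq 0) { throw "No backup sets found on $VolumePath" }

    # RecoverableItems is the PowerShell view of the "Can recover" column that
    # wbadmin get versions prints; only sets listing SystemState are usable here.
    $withSystemState = $sets | Where-Object { "$($_.RecoverableItems)" -match 'SystemState' }
    if (-not $withSystemState) { throw "No backup set on $VolumePath includes System State" }

    # Newest set last, so -Last 1 is the backup an administrator normally wants
    $withSystemState | Sort-Object BackupTime | Select-Object -Last 1
}

$Backup = Get-LatestSystemStateBackupSet -VolumePath 'E:'
"Restoring System State from version {0} taken at {1}" -f $Backup.VersionId, $Backup.BackupTime

# Same prompts as steps 4 and 5 above: original location, then the required restart
Start-WBSystemStateRecovery -BackupSet $Backup
```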

Amer F. Kamal

Sr. Premier Field Engineer
Key Recovery vs Data Recovery Differences

October 28th, 2011

I am often asked by customers about the differences between Key Recovery and Data Recovery for encrypted files, and which method to use. As a result, this post focuses on both areas, explaining the differences and best practices.

Both methods are easy to understand once the Encrypting File System (EFS) process in a domain environment, including certificate enrollment and file encryption, is understood.

EFS Certificate Enrollment:

When a user attempts to encrypt a file without having an EFS certificate, the following process takes place:

  1. The user’s registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash) is queried for an encryption certificate
  2. If there isn’t a default certificate, then the user store is queried for any viable certificate with the Encrypting File System Object Identifier (OID 1.3.6.1.4.1.311.10.3.4)
  3. If there isn’t a viable encryption certificate, then the user requests an Encrypting File System certificate based on the BasicEFS template, or any other template superseding it, from an Enterprise CA.
  4. If the BasicEFS template is not available at any Enterprise CA, and no other template for EFS is available, then the computer generates a self-signed EFS certificate.

Note: I am not a big fan of self-signed certificates, especially when there are Enterprise Issuing CAs in a given Active Directory forest. As a result, I recommend disabling the machine’s ability to generate an EFS self-signed certificate using the hotfix for Windows XP or Windows Server 2003.

Windows Server 2008 and Windows 7 have a group policy setting which can disable the generation of an EFS self-signed certificate simply by unchecking the option “Allow EFS to generate self-signed certificates when a certification authority is not available”.

File Encryption Process:

Once the user has a valid Encrypting File System (EFS) certificate, they can encrypt their files and folders following this process:

  1. The user’s computer generates a random symmetric encryption key called File Encryption Key (FEK)
  2. The computer retrieves the user’s Encrypting File System (EFS) certificate in the user store and obtains the user’s Public Key
  3. The FEK created in step one is encrypted by the user’s Public Key in step 2 

For more information about EFS Encryption, refer to How EFS Works on TechNet

Why Should I Implement Any Recovery Method?

An organization’s security policy typically lists the following reasons for allowing data or key recovery: 

  1. A user profile is deleted. When an encryption private key is stored in a user’s profile folder, the private key is lost if anyone deletes that specific profile. Many organizations use profile deletion to fix problems with user logon. For example, if the desktop fails or takes a long time to appear, many organizations prescribe deleting the user’s profile and generating a new profile. This results in deletion of the user’s private key material.
  2. A hard disk is corrupted. The corruption of a hard disk can cause users to lose access to their profiles. This can mean a total loss of access or loss of access to the private key material within the user profile.
  3. The operating system is reinstalled. When the operating system is reinstalled, access to the previous user profiles is lost, including any private keys stored in the user’s profile.
  4. A computer is stolen or lost. When a computer is stolen or lost, access to the private key material in the user profile is lost or compromised.

Note: A difference among the reasons listed, however, is that a computer theft or loss can mean the user’s private key is compromised and, therefore, the certificate associated with the private key should be revoked. There is no reason to revoke the certificate for the other reasons in this list because the user’s private key is not compromised.

Where is the File Recovery Agent role in the File Encryption Process?

If your domain has a designated File Recovery Agent certificate enrolled (the agent is also known as the Data Recovery Agent), the computer retrieves that certificate from the local computer configuration, which is deployed through Group Policy, extracts the public key from the recovery agent’s certificate, and encrypts the File Encryption Key (FEK) with it. This is repeated for every Data Recovery Agent in the domain.

Where is the Key Recovery Agent Role in the File Encryption Process?

This is not a trick question; the Key Recovery Agent (KRA) certificate doesn’t come into play at all when encrypting a file or folder. A Key Recovery Agent (KRA) is enrolled using the Key Recovery Agent certificate template and then added to the CA configuration. The Key Recovery Agent (KRA) can extract the end user’s Encrypting File System (EFS) private key and certificate from the CA’s database, which the end user can then use to decrypt their files.

When a certificate template specifies Key Archival, the private key must be securely transmitted along with the certificate request from the requesting client computer to the Certification Authority for archival in the CA database. When a client requests a certificate from a template that has Key Archival enabled, the following process takes place:

  1. The client queries the Enrollment Services container in the configuration partition of Active Directory to find an Enterprise CA.
  2. The client requests the CA’s CA Exchange certificate.
  3. The client examines the received CA Exchange certificate to ensure it was signed by the CA’s signing certificate, and performs certificate validation and a revocation status check on the CA Exchange certificate.
  4. The client encrypts the private key corresponding to the request with the CA Exchange certificate’s public key and sends the request to the Certification Authority.
  5. The Certification Authority verifies that the encrypted private key matches the public key in the request, and validates the signature on the request with that public key to ensure the contents were not tampered with.
  6. The Certification Authority encrypts the user’s request with a random symmetric key and then encrypts the symmetric key with one or more Key Recovery Agent (KRA) public keys defined in the Certification Authority’s properties.
  7. The Certification Authority saves the encrypted key BLOB, which contains the encrypted private key and the symmetric key encrypted with one or more Key Recovery Agent (KRA) public keys.
  8. Lastly, the Certification Authority processes the request and issues a certificate to the requestor.
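The three mechanisms described above (the FEK wrapped to the user in the file encryption process, the same FEK wrapped to every Data Recovery Agent, and the archived private key that only a Key Recovery Agent can unwrap) share one structure: a secret sealed under a random symmetric key, with copies of that key encrypted to several public keys. The Go program below is an added model of that structure written for this article; it is not Microsoft's EFS or CA code and does not reproduce the on-disk or CMC wire formats. AES-256-GCM and RSA-OAEP stand in for whatever algorithms Windows uses, the type and function names (Envelope, Seal, Open, Archive, RecoverKey) and recipient labels such as "alice", "dra1" and "kra1" are my own, and steps 1 to 4 of the archival process (locating the CA, fetching and validating the CA Exchange certificate, transporting the key) are left out so that the CA-side key-match check in step 5 and the KRA wrapping in steps 6 and 7 stand out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Envelope is a secret sealed under a random AES-256-GCM key, with that key
// wrapped (RSA-OAEP) to each recipient. It models both an EFS file (secret =
// file contents, recipients = the user plus every DRA from policy) and a CA
// key-archival record (secret = the user's private key, recipients = the KRAs).
type Envelope struct {
	Sealed  []byte            // nonce || ciphertext || GCM tag
	Wrapped map[string][]byte // recipient name -> RSA-OAEP(symmetric key)
}

// gcm builds AES-256-GCM; both constructors fail only on a bad key size, and
// every key here is 32 bytes.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal generates a fresh symmetric key (the FEK, in EFS terms), encrypts the
// secret with it, and wraps that key to every recipient's public key. The
// recipient name is the OAEP label, so a wrapped key cannot be re-labelled
// for a different holder.
func Seal(secret []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: nobody could ever decrypt this")
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	env := &Envelope{Sealed: gcm(key).Seal(nonce, nonce, secret, nil), Wrapped: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(name))
		if err != nil {
			return nil, err
		}
		env.Wrapped[name] = w
	}
	return env, nil
}

// Open decrypts the secret as the named recipient. A holder absent from Wrapped
// (for example a DRA added to policy after this file was encrypted) fails here
// and cannot read the file until its recovery field is refreshed.
func (e *Envelope) Open(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := e.Wrapped[name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this envelope", name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, []byte(name))
	if err != nil {
		return nil, err
	}
	g := gcm(key)
	if len(e.Sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, e.Sealed[:g.NonceSize()], e.Sealed[g.NonceSize():], nil)
}

// Archive is the CA side of key archival (steps 5 to 7 above): refuse a private
// key that does not match the public key in the request, then seal it so that
// only the configured KRAs can unwrap it.
func Archive(priv *rsa.PrivateKey, requestPub *rsa.PublicKey, kras map[string]*rsa.PublicKey) (*Envelope, error) {
	if !priv.PublicKey.Equal(requestPub) {
		return nil, errors.New("escrowed private key does not match the public key in the request")
	}
	return Seal(x509.MarshalPKCS1PrivateKey(priv), kras)
}

// RecoverKey is the KRA side: pull the user's private key back out of the
// record so it can be restored to the user's profile.
func RecoverKey(record *Envelope, kra string, kraPriv *rsa.PrivateKey) (*rsa.PrivateKey, error) {
	der, err := record.Open(kra, kraPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}
```

There is no main; drive it from a Go test: Archive the user's key to "kra1", Seal a file to "alice" and "dra1", then either Open it as "dra1" (file recovery, the user's key is never touched) or RecoverKey as "kra1" and Open as "alice" with the restored key (key recovery). Two things the model makes visible: Archive refuses a private key that does not match the public key in the request, so a request cannot escrow a different key than the one being certified; and Open fails for any agent whose wrapped copy is absent, which is why a DRA added to policy later cannot read files encrypted before the change until their recovery fields are refreshed (for example with cipher /u).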

Which Method Should I Use?

There isn’t a correct answer for this question. It all depends on your company’s policies and procedures. It is also important to note that the person or group performing Key Recovery or File Recovery should be trustworthy and held to the highest levels of scrutiny. Understanding the difference between Key Recovery and File Recovery Procedures can help you determine the correct answer to your infrastructure’s requirements.

With Key Recovery, the user’s original certificate and private key are recovered from the CA database and restored to the user’s profile. Recovering the user’s certificate and private key lets the user access the FEK stored in the EFS-encrypted file, returning access to the file to the user.

The major advantages for Key Recovery are: 

  1. Quick EFS decryption resolution by restoring the user’s Private Key and Certificate
  2. The data doesn’t leave the end user’s computer

The major disadvantages of Key Recovery are: 

  1. The CA has to be prepared for Key Archival and requires the enrollment of Key Recovery Agents before rolling out EFS
  2. The restore of the Private Keys might be a little complicated if the user has multiple Encrypting File System (EFS) certificates.
  3. The Certification Authority must be installed on the Enterprise or Data Center SKU of the Operating System

Data Recovery, on the other hand, allows a designated EFS Recovery Agent to decrypt all EFS-encrypted files on a computer. By default, decryption takes place wherever the private key associated with the EFS Recovery Agent certificate exists, which can be a designated recovery computer or the end user’s computer.

The major advantages of Data Recovery are: 

  1. Data Recovery Agents can be added to the File Encryption Key (FEK) after a user has already encrypted their files. This means a new Data Recovery Agent can be enrolled and added to the domain Group Policy, which allows the new Data Recovery Agent to recover encrypted files.
  2. The Data Recovery Agent can decrypt the files for the end user.
  3. Data Recovery Agents can decrypt files and folders encrypted using self-signed encryption certificates or an encryption certificate issued by an enterprise issuing CA.
  4. It doesn’t have any Certification Authority operating system prerequisites.

The major disadvantage of Data Recovery is the recovery method itself: the Data Recovery Agent has to decrypt the end user’s files either on premises or remotely. This can have a significant impact on data transfers between remote sites and hub sites, because the encrypted and then decrypted data has to be copied twice.

Common Misconception:

A common misconception is that the Administrator account is the Data Recovery Agent (DRA) or the Key Recovery Agent (KRA). Both recovery methods rely on the certificates (private and public key pairs) of the KRA and DRA, which means anyone who possesses them can recover keys. If, for example, an end user manages to obtain the Data Recovery keys, they can decrypt any encrypted file in the organization. As a result, you should protect these keys and establish a chain of custody any time a key is used.

Conclusion:

Encrypting File System (EFS) shouldn’t be implemented without proper planning because of the complexities of Data and Key Recovery. Make sure to understand both recovery methods before enrolling the first EFS certificate, and test recovery multiple times in a lab environment. Lastly, consider implementing both methods for extra recovery protection.

Amer F Kamal

Senior Premier Field Engineer