U-Tools: Unique Tools for Windows System Administrators
U-Move Help

Moving EFS Recovery Agent Keys

The Encrypting File System (EFS) encrypts folders and files on the NTFS file system.

Recovery Agent

To protect against the accidental loss of your data, EFS provides for a recovery agent. A recovery agent is a privileged user account (e.g., Administrator) that can recover data from any encrypted file in the event that the original user forgets his/her password or if the original user's account is deleted. The recovery agent uses a special private key to recover encrypted EFS files. The private key is stored under the name of the recovery agent's account (e.g., Administrator).

The EFS Recovery Agent private key

When the Administrator account logs on to the first domain controller in a domain, Windows Server will automatically generate an EFS Recovery Agent certificate and store it in Active Directory. This allows the Administrator account to recover encrypted files using the corresponding private key.

However, the private key for the EFS Recovery Agent certificate is stored outside of Active Directory, in a secret location. It is stored only on the first domain controller in the domain. This means the Administrator must directly log on to the first domain controller in order to recover encrypted files. (Presumably for security reasons.)

If you shuffle domain controllers (for example, by adding a second domain controller and then deleting the first domain controller), you might lose the private key for your EFS Recovery Agent certificate. If that happens, you will not be able to recover any previously encrypted EFS files. Once the private key is lost, it can never be recovered.

U-Move copies the EFS Recovery Agent private key

U-Move will automatically copy the EFS Recovery Agent private key for the Administrator account (KB241201).

You do not need to take any action. U-Move will copy the private key automatically.
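
To confirm after a move that the recovery agent's private key is actually present on the server, you can run a check like the following while logged on as the recovery agent account. This is an added example, not part of U-Move or its documentation; it assumes the recovery certificate is visible in that account's Personal certificate store, and the function name Get-EfsRecoveryAgentKeyStatus is hypothetical.

```powershell
# Added example (not U-Move code). Run while logged on as the recovery agent
# account (e.g., Administrator) on the server that should hold the key.
# Assumption: the recovery certificate appears in that account's Personal store.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Get-EfsRecoveryAgentKeyStatus {
    param(
        # Certificate store to inspect; the current user's Personal store by default.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the enhanced key usage OIDs from the certificate's extensions.
        $ekuOids = foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        # Skip anything that is not a File Recovery certificate.
        if ($ekuOids -notcontains $FileRecoveryOid) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # $false means certificate only, no key
        }
    }
}

$status = @(Get-EfsRecoveryAgentKeyStatus)
if ($status.Count -eq 0) {
    Write-Warning 'No File Recovery certificate found in this account''s Personal store.'
} else {
    $status | Format-Table -AutoSize
    $missing = @($status | Where-Object { -not $_.HasPrivateKey })
    if ($missing.Count -gt 0) {
        Write-Warning "$($missing.Count) recovery certificate(s) have no private key here; this account cannot use them for recovery on this machine."
    }
}
```

A row with HasPrivateKey set to False means only the certificate is present, which is the situation described above in which encrypted files cannot be recovered from that server.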

See also Changing the Domain Administrator Password.