Back up encryption certificates
A data encryption certificate is generated automatically when you install Windows 2000 and is used to encrypt and decrypt data stored on NTFS volumes using the Encrypted File System (EFS). If you encrypt a file using EFS and then reinstall Windows 2000, the original certificate used to gain access to the file(s) will be destroyed and those files will be rendered unrecoverable.
To avoid this scenario, export a copy of the certificate if you plan on doing a reinstallation or if you simply want to keep a copy of the certificate handy offline in the event of a disaster.
- In Control Panel, open Administrative Tools, then Local Security Policy.
- In Local Security Settings, open Public Key Policies | Encrypted Data Recovery Agents.
- Right-click on the certificate listed there. There should generally be only one, issued by and
to "Administrator," with the "Intended Purposes" column reading "File Recovery."
- Select All Task | Export from the right-click menu, and click Next to start the Certificate
- Select "Yes, export the private key." Click Next.
- Under "Personal Information Exchange," check off all the boxes EXCEPT "Delete the private key
if the export is successful." Click Next.
- Choose a password to protect the private key. Click Next.
- Choose a file to export the certificate to.
- Click Next and then Finish to export the certificate.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
This was first published in January 2002