SBS 2011 How To Backup Your EFS Recovery Agent Certificate

Backup your EFS what? That is the reaction I have had from most people I mentioned this to.

I am working on a document to walk through migrating Active Directory from SBS 2011 to Windows Server 2016. As part of that document I wanted to include backing up the EFS Recovery Agent Certificate. Only I couldn’t because on my SBS Server, something had broken.

First off, a bit of background. If you don’t know, EFS is the Encrypted File System that is built into Windows. It allows anyone to encrypt a file.

The encryption is done using digital certificates, and as part of that process, Windows assigns something called a Data Recovery Agent (DRA).

In most cases a DRA will be the Administrator. On a Workgroup PC, the Local Administrator.

In a Domain environment, it is specified in the EFS Policy, which is part of the Default Domain Policy. and by default it is the BuiltIn Administrator.

I don’t want to get too bogged down in how EFS works because there is plenty of better documentation out there on TechNet and other places. However there are some crucial pieces of information I want to touch on.

Firstly, you may know a digital certificate is made up of two keys, a public key and a private key. The private key, in this case is stored in a folder inside the users profile in C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA

Inside this RSA folder you will find a folder named after the SID of the user in question.

Inside this folder are all the private keys for the certificates the user holds.

Second, these keys are all themselves encrypted.

Thirdly, the Default Domain Policy lists only the public key of the DRA Certificate. This is to ensure that all domain PCs are protected by the same DRA. This is the EFS Recovery Policy

Lastly, the private key of the DRA certificate for your domain, is only available on the First Domain Controller in the domain.

In this example we can see the properties of an Encrypted file. Note the users certificate thumbprint, and the DRA certificate thumbprint.

So if you migrated your SBS from an earlier version, you would not find this on your SBS, but on the previous DC. In the case of a Domain that started on 2000 and moved to 2011 you would need to look on that 2000 server to find the key.

From reading that last paragraph you will no doubt already have an idea about whether or not you can recover your key. If you can’t, we can create a new DRA however any files already encrypted would likely be unrecoverable. More about that in a moment.

If your SBS 2011 was a clean install, you will need to first Enable the Built-in Administrator account.

In ADUC go to Users, right click Administrator, click on Enable. Do not Change the Password.

If you do not know the password, it will be set to the same as the Password created for your SBS admin account when you installed the Server.

This is where things got tricky for me. As I said above, the Private Key is encrypted. It is encrypted with the Password of the User Account, at the time the file is created. If the Password is any other value, your account cannot decrypt the key or use the certificate.

It doesn’t matter if the Password has been changed 100 times since install and now, as long as you can change it back to the exact value it was when the SBS was installed, you won’t have a problem.

Now connect to the SBS and logon as the Administrator account.

Open an MMC, and the Certificates snapin, for the My User object.

Expand Personal, Certificates.

You will see a Certificate, issued by Administrator for File Recovery. This is what we want!

Right click, go to all tasks and export.

Follow the Certificate Export Wizard, being sure to Export the Private Key.

If you see the option to Export the Private Key is greyed out, then your Administrator account Password does not match the value when the Server was installed.

Assuming your export was successful, you can log off and disable the Administrator account again.

Next we can import that Certificate into our SBS Admin user profile to allow us to unencrypt any files that have previously been encrypted using EFS, we can also make sure to store the PFX file with the private key safely somewhere so we don’t lose it again.

To import the certificate, simply follow the same instructions but choose import not export. Also chose to mark the private key as exportable so you can back it up later. You can also consider using Strong Private Key protection, or simply not importing the certificate again until it is required.

Now, if you do not know the password or, the SBS was migrated you probably wont be able to recover this key.

It is not a disaster, unless you need to use the DRA. and the circumstances that would lead to that can be quite convoluted, but as an example lets assume User A encrypts a file and loses their private key. That could be because they moved PCs, changed their password or left the organisation.

That file would be lost unless you can recover their private key. This scenario is why the DRA exists, an account designated as a DRA would be able to decrypt that file.

What to do next?

If you recovered your Private Key you can probably stick as is, the self generated key is valid for 100 years.

If you didn’t, We can add a new DRA to the Default Domain Policy to try and avoid any future issues.

You can also disable the use of EFS, but I don’t really want to advocate for that!

Open up Group Policy Management, Find the Default Domain Policy.

Right click that and go to Edit.

Expand Computer Configuration > Policies> Windows Settings > Security Settings > Public Key Policies

Find Encrypted File System. In the details pane you will see the existing certificate.

Right click the details pane, and click New > Create Data Recovery Agent.

A new DRA is added to the policy, for the account you are logged on with.

If we go back to the Certificates MMC for the SBS Admin we can see our new EFS Recovery

We can now export and safely store this certificate.