To create a recovery agent you first need to create a data recovery certificate. Usually, the recovery agent is assigned to the Administrator account, although you can select a different user account or create a new one if you so wish.
To generate a recovery certificate, log on as the Administrator (for example) and at a command prompt, type:
Note that “filename” should be replaced with a name of your choice. Then, when prompted, type a password to create two files with the extensions .cer and .pfx.
Be aware that anyone who obtains these files can make themselves a recovery agent: the .pfx file holds the agent's private key, which is all that is needed to decrypt the files it covers. So after creating the files, they should be moved to a floppy, for example, and then safely stored elsewhere. We’ll show you how to do that later in the series.
To create a recovery agent, remain logged on to the Administrator account.
* Click Start, Run, and type certmgr.msc to open the Certificates console.
* Go to Certificates – Current User\Personal, and choose Action, All Tasks, and Import to launch the Certificate Import Wizard.
* Click Next, and the File To Import page appears.
* Click Browse, and then select Personal Information Exchange in the Files Of Type box to see .pfx files.
* Select the .pfx file you created earlier, click Open, and then click Next.
* Enter the password you have already assigned to the certificate, and then select Mark This Key As Exportable.
* Click Next.
* Choose Automatically Select The Certificate Store Based On The Type Of Certificate.
* Click Next, and then click Finish.
Close the Certificates console, then click Start, Run, and type secpol.msc. This opens the Local Security Settings console.
* Go to Security Settings\Public Key Policies\Encrypting File System, and choose Action, Add Data Recovery Agent. Click Next.
* Click Browse Folders and navigate to the .cer file you created earlier.
* Select the file and click Open. Click Next.
* The recovery agent is shown as USER_UNKNOWN. This is normal since the name isn’t stored in the file. Click Finish.
That’s it. The current user account is assigned as the recovery agent for all encrypted files on the system. So if something should happen to your own user account, you will still have the ability to log on to this account and recover the encrypted files.
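A scripted version of the procedure above, added here as an example that is not part of the original article. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Import-PfxCertificate), uses placeholder paths and names, and relies on cipher /r, the built-in command that produces the .cer/.pfx pair the article describes; adding the agent in secpol.msc stays a manual step, and the script adds two checks the wizard does not give you.

```powershell
# Added example, not the article's own steps. Run elevated as the account that
# will become the recovery agent. $KeyDir, $Name and $Offline are placeholders.
$KeyDir  = 'C:\EFS-Recovery'        # placeholder output folder
$Name    = 'efs-recovery-agent'     # placeholder for "filename" in the article
$Offline = 'E:\'                    # placeholder: removable drive for safekeeping

New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# 1. Generate the recovery certificate. cipher writes $Name.cer (public
#    certificate) and $Name.pfx (certificate plus private key) and prompts
#    for the password that protects the .pfx.
cipher /r:"$KeyDir\$Name"

# 2. Import the .pfx into the current user's Personal store with the key
#    marked exportable, matching the Certificate Import Wizard steps.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password chosen in step 1'
$Cert = Import-PfxCertificate -FilePath "$KeyDir\$Name.pfx" `
            -CertStoreLocation Cert:\CurrentUser\My `
            -Password $PfxPassword -Exportable

# Check: the certificate must carry the File Recovery EKU and its private key,
# otherwise this account cannot act as an agent even if policy names it.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$Eku = $Cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$IsRecoveryCert = [bool]($Eku.EnhancedKeyUsages |
    Where-Object { $_.Value -eq $FileRecoveryOid })
if (-not ($IsRecoveryCert -and $Cert.HasPrivateKey)) {
    throw "Certificate $($Cert.Thumbprint) is not a usable EFS recovery certificate."
}

# 3. Manual step from the article: add $KeyDir\$Name.cer as a Data Recovery
#    Agent under Security Settings\Public Key Policies\Encrypting File System.
Read-Host -Prompt 'Add the .cer as a recovery agent in secpol.msc, then press Enter' | Out-Null

# Check: a file encrypted after the policy change should list the new agent
# in the "Recovery Certificates" section of cipher /c.
$Probe = "$KeyDir\probe.txt"                      # constructed test file
Set-Content -Path $Probe -Value 'constructed test content'
cipher /e "$Probe" | Out-Null
cipher /c "$Probe"

# Files encrypted before the agent existed are only re-stamped when touched;
# cipher /u rewrites the recovery field on every encrypted file on local drives.
cipher /u

# 4. Per the article's warning, move the .cer/.pfx pair off the machine.
Move-Item -Path "$KeyDir\$Name.cer", "$KeyDir\$Name.pfx" -Destination $Offline
```

If the EKU check throws, the .pfx was not produced by cipher /r (an ordinary EFS user certificate, for example) and the secpol.msc wizard will still accept the .cer without making recovery work.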