
DATAPLUS - #1 Data Recovery Agency

Data Recovery

Any EFS-encrypted file can be decrypted and read by an administrative account through the data recovery agent (DRA). An X.509 certificate is provisioned for the DRA account, and every EFS file is encrypted with a second protector that the DRA certificate can unlock. As a result, both the DRA account and its certificate are highly sensitive: protect them and use them only when absolutely necessary. The DRA should not be used as an everyday account or routinely by administrators.


Each EFS-encrypted file contains its own File Encryption Key (FEK), stored in encrypted form. When a DRA is assigned, the FEK is stored as two separate encrypted copies: one encrypted with the user's public certificate and the other with the DRA's public certificate. Both encrypted FEKs are kept inside the encrypted file. The user and the DRA can therefore decrypt the file independently, and the DRA can recover the file even if the user's encryption certificate is lost.


An administrator can also revoke a user's access to an encrypted file while the DRA keeps its access. Because only one recovery certificate that can open each file needs to be stored, the amount of key-management information saved per file stays small.


To see how a DRA works, imagine an office building with many offices and key locks on the doors. In this illustration, each employee (user) must be able to unlock their own office door, and may have more than one office. In addition, the maintenance staff (the DRA) must be able to unlock every door. Handing out individual door keys would mean that maintenance needs a copy of every key and each employee needs a key for each door they use, so the number of keys in circulation grows quickly.


One way to address this is to place two copies of the door key (the FEK) in a lockbox next to the door it opens, where the lockbox can be opened both by the key held by the employee and by the key held by the maintenance staff. Each person then needs only a single key to reach any door they are allowed to open, and only the lockboxes need to change when access is updated.


The DRA is designed for a business environment. It is deployed through a Microsoft Windows policy framework such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or Microsoft Active Directory Group Policy.


The first step in creating a DRA is to generate a Data Recovery Agent key (DRA key). This is a certificate containing a public/private key pair, from which the recovery key is derived. It can be generated with the Windows executable cipher: run "cipher /r:FILENAME" to produce FILENAME.cer and FILENAME.pfx. A public key infrastructure (PKI) can also be used to issue the certificate.


To deploy a DRA using Microsoft Active Directory Group Policy, open the Group Policy Object Editor and navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System. Right-click Encrypting File System in the right-hand pane and select Create Data Recovery Agent. This launches a wizard that adds the DRA to the domain, using either the pre-generated certificate or a user account whose certificate is published in Active Directory.


To deploy a DRA for Windows Information Protection (WIP) using Microsoft Endpoint Configuration Manager, create a configuration item under the Configuration Items node in Microsoft System Center Configuration Manager (SCCM) and select Windows Information Protection as the device setting to configure. The wizard then creates the WIP policy. Its first step, "Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data", lets you browse to the Data Recovery Agent certificate created earlier.
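The generation and verification steps above, as an added PowerShell example that is not part of the original article: it creates the DRA key pair with cipher.exe, then checks that a freshly encrypted test file actually carries the DRA protector described earlier. It assumes an elevated session, the placeholder path C:\DRA, that the DRA policy has already been applied, and the English-language output format of "cipher /c".

```powershell
# Added example (not from the original article). Assumptions: elevated
# PowerShell, C:\DRA is a placeholder directory, the DRA policy built from
# the .cer has already applied, and "cipher /c" prints its English layout
# ("Recovery Certificates:" followed by "Certificate thumbprint:" lines).

$draDir  = 'C:\DRA'
$draName = Join-Path $draDir 'efs-dra'   # cipher writes efs-dra.cer and efs-dra.pfx
New-Item -ItemType Directory -Path $draDir -Force | Out-Null

# 1. Generate the recovery certificate. cipher prompts for a password that
#    protects the private key inside the .pfx file.
cipher.exe "/r:$draName"

# 2. Only the .cer (public key) is imported into Group Policy; the .pfx holds
#    the private key and belongs in offline storage. Record the thumbprint
#    so the protector on each file can be matched against it.
$draCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$draName.cer")
$draThumb = $draCert.Thumbprint.ToUpperInvariant()

# 3. Encrypt a constructed test file and read back the recovery protectors
#    that EFS attached to it.
$testFile = Join-Path $draDir 'dra-check.txt'
Set-Content -Path $testFile -Value 'constructed sample content'
cipher.exe /e $testFile | Out-Null

$recoveryThumbs = @()
$inRecovery = $false
foreach ($line in (cipher.exe /c $testFile)) {
    if ($line -match 'Recovery Certificates') { $inRecovery = $true; continue }
    if (-not $inRecovery) { continue }
    if ($line.Trim() -eq '') { break }               # section ends at a blank line
    if ($line -match 'thumbprint:\s*(.+)$') {
        # cipher prints the hash in spaced hex groups; normalise to bare hex
        $recoveryThumbs += ($Matches[1] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    }
}

if ($recoveryThumbs -contains $draThumb) {
    "OK: $testFile carries the DRA protector $draThumb"
} else {
    "WARNING: DRA $draThumb is not listed on $testFile (found: $($recoveryThumbs -join ', '))"
}
Remove-Item $testFile
```

Run the check against a sample of production files after the policy rolls out, not only the test file, since files encrypted before the DRA was published do not gain the second protector until they are touched (for example with "cipher /u").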
