Creating a Data Recovery Agent

Imagine a scenario where you are the system administrator of an organization running a Windows domain. One employee has fallen out with his manager and is now resigning from his post. This disgruntled employee may decide to encrypt all of the company's data from his own user account before leaving. If he encrypts all the data, we do not have the key to decrypt it, and that is a big loss.

How do we overcome this? The answer is a Data Recovery Agent (DRA).

This is where the public and private keys come into the picture. While creating a data recovery agent, you provide the public key to the employees, while the private key is available only to the admin. Hence whenever a user encrypts data on his machine in the Windows domain, he needs the public key to encrypt, but he cannot decrypt someone else's data because the private key is not available to him. This provides Data Integrity and Confidentiality.


You’ll need a Windows Server 2008 machine as the server, and a client such as Windows XP or Windows 7.

On the server machine, start the command prompt.

The first step is to create a public/private key pair.

Create a directory named ‘certi’ for storing the keys and then change into that directory with the following commands:

mkdir certi

cd certi

Now, to create a pair of keys, the command is as below:

cipher /R:certi_file

This command will ask you to provide a password for the keys. Two files will be created. The file with the “.cer” extension is the public key (which we need to provide to the client) and the “.pfx” file is the private key (to be kept secret).
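As an added example (not part of the original tutorial), the following PowerShell script wraps the key-generation step above and then checks the result before the public certificate is handed out: it confirms that both files were written, loads the “.cer” file and verifies that it carries the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) that EFS requires of a recovery agent, and restricts the ACL on the “.pfx” file so that only the generating admin and the local Administrators group can read it. The directory and base name follow the tutorial; the ACL grants are an assumption about who should hold the private key in your environment.

```powershell
# Added example, not from the original tutorial: generate the DRA key pair with
# cipher /R and verify the output before distributing the public certificate.
# Assumes an elevated prompt on the server; the directory and base name match
# the tutorial, the ACL below is an assumption about who should read the .pfx.

$workDir  = Join-Path $env:USERPROFILE 'certi'
$baseName = 'certi_file'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Set-Location $workDir

# cipher /R prompts for a password interactively and writes <name>.cer and <name>.pfx
cipher /R:$baseName

$cerPath = Join-Path $workDir "$baseName.cer"
$pfxPath = Join-Path $workDir "$baseName.pfx"

if (-not (Test-Path $cerPath) -or -not (Test-Path $pfxPath)) {
    throw "cipher /R did not produce both $baseName.cer and $baseName.pfx in $workDir"
}

# Load the public certificate only; the .cer carries no private key.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# A DRA certificate must carry the File Recovery EKU, otherwise the
# "Add Data Recovery Agent" wizard on the client will not accept it.
$fileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasFileRecovery = [bool]($ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $fileRecoveryOid }))

[PSCustomObject]@{
    Subject         = $cert.Subject
    Thumbprint      = $cert.Thumbprint      # record this; it identifies the DRA on encrypted files
    NotAfter        = $cert.NotAfter        # note the expiry so the DRA is renewed in time
    HasPrivateKey   = $cert.HasPrivateKey   # expected False for the .cer
    FileRecoveryEku = $hasFileRecovery
}

if (-not $hasFileRecovery) {
    throw 'Certificate lacks the File Recovery EKU; it will not be accepted as a DRA'
}

# Lock down the private key file: remove inherited ACEs and grant read only to
# the generating admin and Full Control to local Administrators (assumption).
icacls $pfxPath /inheritance:r /grant:r "$($env:USERNAME):(R)" 'Administrators:(F)' | Out-Null
```

Keep the thumbprint the script prints: it is the value that later appears under the recovery certificates of every file encrypted under this policy, and it is how you confirm on a client that the right agent was applied. Copy only the “.cer” file to clients; the “.pfx” should stay on the server (or offline media) under the ACL set above.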


Now, on the same server machine, run ‘certmgr.msc’.

This will open a window where you can manage the available certificates. Import our private key as follows:

Right click ‘Trusted Root Certification Authorities’ > All Tasks > Import


You will get a prompt where you have to specify the path for your private key.

Provide the “.pfx” file path and then you’ll be asked for the password of your key pair.


The configuration of your server is complete.

Now log on to the client machine with Administrator credentials.

Go to Control Panel > Administrative Tools > Local Security Policy > Public Key Policies

Right click Encrypting File System > Add Data Recovery Agent


In the Wizard, click Next and Browse Folders.

Locate the “.cer” file on the client machine and select it for installation.

The configuration of our client is over.

Now, to verify the Data Recovery Agent, log in to the client as testuser1.

Create a file named ‘impdata.rtf’ and provide some text input.

Now encrypt that file:

Right click the file > Advanced > check the ‘Encrypt contents to secure data’ option


We have encrypted our file with the Admin’s public key. 

Whenever anyone other than the holder of the private key tries to open our file, that user will not be able to see its contents.

Log in as testuser2 and try to access the file. You’ll be denied.


But the Administrator has the private key, and he can view the contents of the file.

Log in to the client as Administrator, and you’ll be able to read the file.
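The access-denied test with testuser2 shows that the file is encrypted, but not that the recovery agent was actually attached to it. As an added example (not part of the original tutorial), the following PowerShell script, run on the client as testuser1 after the policy has been applied, creates and encrypts a sample file programmatically and then inspects it with `cipher /C`, which lists the users who can decrypt the file and the recovery certificates attached to it, and checks that the DRA’s thumbprint is among them. The file path and the location of the copied “.cer” file are placeholders for this lab, and the `Recovery Certificates:` header string is the one printed by `cipher /C` on an English Windows 7 or later build (an assumption; adjust it for localized builds).

```powershell
# Added example, not from the original tutorial: confirm from the client that an
# EFS-encrypted file really carries the recovery agent.
# Assumes: run as testuser1 on the client after the DRA policy is applied;
# $filePath and $draCerPath are lab placeholders.

$filePath   = Join-Path $env:USERPROFILE 'Documents\impdata.rtf'
$draCerPath = 'C:\PLACEHOLDER\certi_file.cer'   # copy of the DRA public certificate

function Test-EfsRecoveryAgent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $DraCerPath
    )

    # Constructed sample file; File.Encrypt is the programmatic equivalent of
    # ticking "Encrypt contents to secure data" in the file's Advanced dialog.
    Set-Content -Path $Path -Value 'constructed sample content for the DRA test'
    [System.IO.File]::Encrypt($Path)

    # 1. The Encrypted attribute must now be set on the file.
    $attrs = (Get-Item $Path).Attributes
    $isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0

    # 2. cipher /C prints "Users who can decrypt:" and "Recovery Certificates:"
    #    sections, each entry followed by "Certificate thumbprint: XXXX XXXX ...".
    #    Thumbprints are printed in spaced groups, so strip whitespace to compare.
    $info = (cipher /C $Path) -join "`n"
    $draCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCerPath
    $expected = $draCert.Thumbprint.ToUpperInvariant()
    $listed   = [regex]::Matches($info, 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }

    [PSCustomObject]@{
        File            = $Path
        EncryptedAttr   = $isEncrypted
        RecoverySection = [bool]($info -match 'Recovery Certificates:')
        DraThumbprint   = $expected
        DraListed       = [bool]($listed -contains $expected)
    }
}

$result = Test-EfsRecoveryAgent -Path $filePath -DraCerPath $draCerPath
$result | Format-List

if (-not $result.DraListed) {
    Write-Warning 'The DRA is not attached to this file; it would not be recoverable by the admin.'
}
```

One caveat this check catches: files that were encrypted before the DRA policy reached the client do not get the agent retroactively. If `DraListed` comes back `False` for such a file, run `cipher /U` on the client, which touches every encrypted file on local drives and updates it to the current user key and recovery agent key, then re-run the check.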