You need to ensure that your user account can decrypt all EFS files on the computer

You have a computer that runs Windows 7. You create an Encrypting File System (EFS) recovery key
and certificate.
You need to ensure that your user account can decrypt all EFS files on the computer.
What should you do?

A. From Credential Manager, add a Windows credential.

B. From Credential Manager, add a certificate-based credential.

C. From the local computer policy, add a data recovery agent.

D. From the local computer policy, modify the Restore files and directories setting.

Explanation:
EFS Recovery
Recovery Agents are certificates that allow the restoration of EFS encrypted files. When a recovery
agent has been specified using local policies, all EFS encrypted files can be recovered using the
recovery agent private key. You should specify a recovery agent before you allow users to encrypt
files on a client running Windows 7. You can recover all files that users encrypt after the creation of a
recovery agent using the recovery agent’s private key. You are not able to decrypt files that were
encrypted before a recovery agent certificate was specified. You create an EFS recovery agent by
performing the following steps:
1. Log on to the client running Windows 7 using the first account created, which is the default administrator account.
2. Open a command prompt and issue the command Cipher.exe /r:recoveryagent
3. This creates two files: Recoveryagent.cer and Recoveryagent.pfx. Cipher.exe prompts you to specify a password when creating Recoveryagent.pfx.
4. Open the Local Group Policy Editor and navigate to the \Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System node. Right-click this node and then click Add Data Recovery Agent. Specify the location of Recoveryagent.cer to specify this certificate as the recovery agent.
5. To recover files, use the certificates console to import Recoveryagent.pfx. This is the recovery agent's private key. Keep it safe because it can be used to open any encrypted file on the client running Windows 7.
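
One way to confirm that steps 2 to 4 took effect, as an added example that is not part of the original explanation: the script encrypts a throwaway file and checks that the thumbprint of Recoveryagent.cer appears in the file's recovery section. The C:\DRA path, the probe directory and the parsing of English-language cipher.exe output are assumptions.

```powershell
# Added example (not from the original page).
# Assumptions: the .cer path is hypothetical; cipher.exe prints English output in which
# a "Recovery Certificates:" section is followed by "Certificate thumbprint:" lines.
param(
    [string]$CerPath  = 'C:\DRA\Recoveryagent.cer',   # hypothetical location of the step 3 file
    [string]$ProbeDir = (Join-Path $env:TEMP 'efs-dra-probe')
)

# Thumbprint of the certificate registered as the data recovery agent in step 4.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$expected = $cert.Thumbprint.ToUpper()

# Apply the computer policy now, then encrypt a throwaway file under the new policy.
gpupdate /target:computer /force | Out-Null
New-Item -ItemType Directory -Path $ProbeDir -Force | Out-Null
$probe = Join-Path $ProbeDir 'probe.txt'
Set-Content -Path $probe -Value 'constructed test data'
[System.IO.File]::Encrypt($probe)

# cipher /c lists who can decrypt the file; keep only the recovery section onward.
$lines = @(cipher /c $probe)
$start = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match 'Recovery Certificate') { $start = $i; break }
}
$recovery = ''
if ($start -ge 0) {
    # Thumbprints are printed in spaced groups, so strip whitespace before comparing.
    $recovery = (($lines[$start..($lines.Count - 1)] -join '') -replace '\s', '').ToUpper()
}

if ($recovery.Contains($expected)) {
    Write-Output "OK: newly encrypted files carry recovery agent $expected"
} else {
    Write-Warning "Recovery agent $expected not found on $probe; re-check the policy node"
}

# Files encrypted before the policy change do not carry the new agent.
# cipher /u /n lists encrypted files on local drives without changing their keys.
cipher /u /n

Remove-Item -Path $ProbeDir -Recurse -Force
```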


