Jim Boyce of TechRepublic writes:

The Encrypting File System (EFS) enables users to securely encrypt files - a nearly effortless process because Windows 2000 automatically creates the keys needed to encrypt and decrypt the data. But if the user somehow deletes his or her EFS private key, the encrypted data could be inaccessible. However, Windows 2000 also creates a recovery agent key that can decrypt the data.

Windows 2000 encrypts files with the recovery agent’s public EFS key, as well as the user’s EFS key. This means you can use the recovery agent’s key to decrypt the files if the user’s key is lost.

By default, the local administrator account is the default recovery agent for computers in a workgroup. The domain administrator is the default recovery agent for computers in a domain.

To protect against inaccessible data if there’s a problem with the user keys, you should back up the recovery agent key on any systems that use EFS. To export the key on a workgroup computer, follow these steps…

[Continue reading Back up the recovery agent key]