Windows Encryption Software

Curtis Maurand cmaurand at
Fri Dec 10 09:06:09 CST 2010

On 12/10/2010 9:33 AM, Michael Holstein wrote:
>> After some research, I find that recovery of EFS (available for Win
>> 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be
>> problematic.  It has to do with keys, file ownerships, etc., etc.,
>> etc.  Plan for disaster and know how to recover before you encrypt
>> with EFS.
> This is an interesting point .. it depends on what the "disaster" is
> that you plan for.
> In many cases, the "disaster" is the seizure or loss of the device, it
> which case it's appropriate NOT to have any method of key recovery. In a
> corporate context, it's debatable if key escrow and multikey methods
> mitigate the risk or compound it.
Good point, but I'm thinking in terms of failure of the machine that 
physically houses the files.  You and I both know that you're not going 
to be able to replace server hardware with identical hardware and even 
if you do, the Windows SID will change.  Restoring the system state is 
going to be a useless exercise.  Therefore you will need the keys to 
decrypt/re-encrypt the files on a new device after you restore from 
backup.  If the disk is lost or stolen, then hell no, I don't want the 
thief to be able to restore the data.

All of this is moot if you're running in a virtual environment and you 
have good snapshots/backups of your VM.


More information about the NANOG mailing list