Removing the Private Key In Windows XP
To prevent someone from simply logging on as Administrator and viewing another user’s encrypted files, you can export and remove the data recovery agent’s private key. Keep the key in a secure location—without it you can’t use the file recovery certificate.
To remove the data recovery agent’s private key, follow these steps:
1. Log on to the account you designated as a data recovery agent.
2. In Certificates (Certmgr.msc), select Certificates–Current User\Personal\Certificates.
3. Right-click the File Recovery certificate (identified in the Intended Purposes column), and then choose All Tasks, Export to launch the Certificate Export Wizard. Click Next.
4. Select Yes, Export The Private Key, and then click Next.
5. Select both Enable Strong Protection and Delete The Private Key If The Export Is Successful, and then click Next.
6. Enter a password twice, and then click Next.
7. Specify the path and file name for the exported file.
8. Click Next and then click Finish.
As with the file recovery certificates, you should copy the file to a removable disk, store it in a secure location, and remove the file from your hard disk.
The data recovery agent’s public key is now used to encrypt a copy of the FEK with each encrypted file, but because the private key is not available, the data recovery agent can’t view the files. To reestablish the data recovery agent’s access to encrypted files, import the private key you just exported, using the same procedure as for importing a personal certificate.
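The check below is an added example, not part of the original post: it confirms that the export in steps 1 through 8 really removed the private key from the recovery agent's Personal store, and that the exported file is no longer sitting on a fixed disk. It assumes Windows PowerShell 2.0 has been installed (it is not part of a default Windows XP installation); the function names and the sample file path are illustrative placeholders.

```powershell
# Added example. Run while logged on as the data recovery agent account.
# OID of the "File Recovery" enhanced key usage found on EFS recovery agent certificates.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-FileRecoveryCert($Cert) {
    # True when the certificate lists File Recovery among its intended purposes.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $FileRecoveryOid) { return $true }
            }
        }
    }
    return $false
}

function Get-RecoveryKeyStatus {
    # Walk the current user's Personal store and report whether each
    # File Recovery certificate still has its private key on this machine.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-FileRecoveryCert $_ } | ForEach-Object {
        New-Object PSObject -Property @{
            Subject = $_.Subject; Thumbprint = $_.Thumbprint
            NotAfter = $_.NotAfter; PrivateKeyPresent = $_.HasPrivateKey
        }
    }
}

function Test-ExportOnFixedDisk([string]$Path) {
    # True when the exported file still exists on a fixed (non-removable) disk.
    if (-not (Test-Path $Path)) { return $false }
    $full = (Resolve-Path $Path).ProviderPath
    if ($full -notmatch '^[A-Za-z]:\\') { return $false }   # UNC path: no local drive to classify
    $drive = New-Object System.IO.DriveInfo ($full.Substring(0, 1))
    return ($drive.DriveType -eq [System.IO.DriveType]::Fixed)
}

$status = @(Get-RecoveryKeyStatus)
if ($status.Count -eq 0) { Write-Warning 'No File Recovery certificate found in the Personal store.' }
foreach ($s in $status) {
    if ($s.PrivateKeyPresent) { Write-Warning "Private key still present: $($s.Subject) [$($s.Thumbprint)]" }
    else { Write-Output "Private key removed: $($s.Subject) [$($s.Thumbprint)]" }
}

# Constructed placeholder path; substitute the file name chosen in step 7.
$exported = 'C:\EXAMPLE\recovery-agent.pfx'
if (Test-ExportOnFixedDisk $exported) { Write-Warning "Exported key file is still on a fixed disk: $exported" }
```

After a successful export with the delete option selected, the certificate stays in the store but is reported with the private key removed; a warning means the key or the exported file is still on the machine.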

