EFS Recovery Agent Cannot Export Private Keys (259732)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q259732

SYMPTOMS
When you attempt to perform encrypted data recovery, the "Export Private Key" section of the Certificate Export Wizard is either skipped completely, or the "Yes, export the private key" option within the "Export Private Key" screen is inactive and cannot be selected. The "No, do not export the private key" option is the only valid selection. If the option to export the private key is inactive, the following error message is displayed:

Note: The associated private key cannot be found. Only the certificate can be exported.

Typically, the option to export the private key at the "Export Private Key" section of the Certificate Export Wizard is available.

CAUSE
This behavior can occur if the Administrator profile was overwritten with another user's profile. Users that belong to the local Administrators group can copy a user profile over another user's profile. This is typically done to replicate profiles with minimal effort. If this is done to the local Administrator profile, the computer no longer recognizes the administrator as a valid EFS Recovery Agent, because the Recovery Agent's private key was stored in the profile that was overwritten.
You may also experience this behavior if, when you requested the certificate from the certificate server, you asked that the private key not be marked exportable. The only way around this is to request a new certificate if you already have one issued.
IMPORTANT: Do not delete the existing certificate until all of the data has been decrypted and then re-encrypted with the new certificate.

NOTE: The default EFS Recovery Agent of a stand-alone Windows 2000 Professional-based computer that is not a member of a domain is the local Administrator.

RESOLUTION
To restore the Recovery Agent's private key, use one of the following methods:
- If the EFS Recovery Agent's private key was previously exported (for example, to a floppy disk), import the private key back into the Recovery Agent's certificate. You can do this using the steps in the following Microsoft Knowledge Base article:
  242296 How to Restore an EFS Private Key for Encrypted Data Recovery
  NOTE: If the computer is a member of a domain, a user that is a member of the Domain Admins group can be used to recover the data.
- Restore the administrator's user profile from a backup that was made before the administrator's profile was overwritten.
- Restore the data from a backup that you made before the data was encrypted using EFS.

You must extract the private keys from an EFS Recovery Agent whose profile has not been overwritten. If this is a stand-alone computer, no other Recovery Agents may be available. If there is no other Recovery Agent available and the EFS private key has not been backed up, the data is not recoverable.
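The check behind the SYMPTOMS section (whether the Recovery Agent certificate still has an associated private key) and the backup that the RESOLUTION section depends on can be scripted on current Windows versions. The following is an added example, not part of the original article, and it assumes Windows PowerShell 5.1 or later with the PKI module, which Windows 2000 does not have; the function names, the `$BackupDir` path and the PFX password prompt are assumptions for illustration. The enhanced key usage OID `1.3.6.1.4.1.311.10.3.4.1` is the Windows "File Recovery" usage that marks an EFS Recovery Agent certificate.

```powershell
# Added example (not from the KB article): report whether each EFS Recovery Agent
# certificate in the current user's personal store still has its private key, and
# back up every exportable key as a password-protected PFX so an overwritten
# profile does not leave encrypted data unrecoverable.
# Assumes Windows PowerShell 5.1+ with the PKI module (Export-PfxCertificate).

$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage OID
$BackupDir      = 'D:\efs-recovery-backup'      # assumed path; use removable or offline media
$PfxPassword    = Read-Host -AsSecureString -Prompt 'PFX password'

function Get-EfsRecoveryAgentCert {
    # Every certificate in CurrentUser\My that carries the File Recovery EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsRecoveryEku }
}

function Test-ExportablePrivateKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # HasPrivateKey is the condition behind the wizard's
    # "The associated private key cannot be found" message.
    if (-not $Cert.HasPrivateKey) { return 'missing' }
    try {
        # Probe export to a discarded byte array; a key issued as
        # non-exportable throws here, matching the greyed-out wizard option.
        $null = $Cert.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return 'exportable'
    } catch {
        return 'not-exportable'
    }
}

$agents = @(Get-EfsRecoveryAgentCert)
if ($agents.Count -eq 0) {
    Write-Warning ('No File Recovery certificate found in CurrentUser\My. ' +
        'On a stand-alone computer this matches the overwritten-profile symptom.')
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $agents) {
    $state = Test-ExportablePrivateKey -Cert $cert
    Write-Host ('{0}  {1}  private key: {2}' -f $cert.Thumbprint, $cert.Subject, $state)

    if ($state -eq 'exportable') {
        $file = Join-Path $BackupDir ('efs-recovery-{0}.pfx' -f $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
        Write-Host "  backed up to $file"
    }
}
```

A key reported as `missing` is the state this article describes, and the only remedies are the ones listed above (a previously exported PFX, a profile backup, or a data backup). A PFX produced by this script is restored with `Import-PfxCertificate -FilePath <file> -CertStoreLocation Cert:\CurrentUser\My -Exportable`, which puts the key back under the Recovery Agent's certificate in the same way the 242296 procedure does through the wizard; keep the PFX and its password offline, since whoever holds them can decrypt every file the agent covers.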
Modification Type: Minor
Last Reviewed: 3/15/2006
Keywords: kbenv kberrmsg kbprb KB259732