DATAPLUS - #1 Data Recovery Agency
Any EFS-encrypted file can be decrypted and read by an administrator who holds the data recovery agent (DRA) account. An X.509 certificate is provisioned into the DRA account, and every EFS file is encrypted with a second protector that this DRA certificate can unlock. As a result, both the DRA account and its certificate are extremely sensitive: protect them and use them only when absolutely necessary. The DRA should not be used as a day-to-day account, nor routinely by administrators.

An individual File Encryption Key (FEK) is stored in each EFS-encrypted file. When a DRA is assigned, the FEK is stored in two separate copies: one encrypted with the user's public certificate, the other with the DRA's public certificate. The encrypted file contains both encrypted FEKs. This allows the user and the DRA to decrypt the file independently, so the DRA can recover the file even if the user's encryption certificate is lost. While maintaining DRA access, an administrator can also deny users access to the
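The practical check that follows from the description above is whether a given EFS file actually carries a recovery-agent copy of its FEK. The following PowerShell script is an added example, not code from the DataPlus page: it walks a folder (the `$Root` parameter is an assumed default), selects files that carry the Encrypted attribute, and runs the built-in `cipher.exe /c` on each, which reports the user certificates and recovery certificates able to decrypt that file.

```powershell
# Added example (not from the DataPlus page): inventory EFS-encrypted files
# under a folder and show which certificates can unlock each file's FEK.
# Uses only the built-in cipher.exe; $Root is an assumed starting folder.
param(
    [string]$Root = "C:\Users\Public\Documents"   # assumed default, change as needed
)

# Files carrying the Encrypted attribute are EFS-protected.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

foreach ($file in $encrypted) {
    Write-Host "== $($file.FullName)"
    # cipher /c lists the users whose certificates can decrypt the file and
    # the recovery certificates present, each with its thumbprint. A file with
    # no recovery certificate entry cannot be recovered by the DRA if the
    # user's own key is lost.
    & cipher.exe /c $file.FullName
}

Write-Host "$($encrypted.Count) EFS-encrypted file(s) found under $Root"
```

Run it from an elevated PowerShell session on the machine holding the files; comparing the recovery-certificate thumbprints it prints against the DRA certificate you expect is the quickest way to confirm that the second protector described above is in place and that no stale or unexpected recovery certificate is listed.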