Re: File/Folder Encryption
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 14:44:59 -0500
Yes, it's good enough. You need to designate a Data Recovery Agent for your
domain - this is a user account that can recover encrypted files in the
event some issue prevents decrypting them in the ordinary way. Examples of
this would be if a wise guy encrypts company data upon quitting or being
fired, or if the user's certificate on the client PC were corrupted or
deleted somehow (I've never heard of this happening).
I'm not 100% sure if SBS or Windows Server create a recovery agent by
default, or if you have to do it manually. You can check for this by
logging into the server and doing Start -> Run -> Rsop.msc. Under Computer
Configuration, navigate to Windows Settings -> Security Settings -> Public
Key Policies. Click on Encrypting File System and make sure a recovery
agent is designated with a certificate that is not expired. If not, go to
Group Policy Management and create a new policy (or edit an existing one)
by finding the same setting. Then r-click Encrypting File System -> Create
Data Recovery Agent.
On the laptop, create a test directory and encrypt it. Add a file, which
should be encrypted automatically. Open the file's properties and click
Advanced (on the General tab). Click the Details button and make sure the
recovery agent is listed.
I use the Administrator account as the recovery agent - do what you want in
this regard, but make sure to use an account that will never be deleted.
By the way, the recovery agent can recover the files in one of two ways:
log into the client PC and install the recovery certificate to decrypt the
files there, or the preferred method, which is to back up the files from the
client PC and restore them to the server (they will remain encrypted in the
backup and restore). Install the certificate on the server and decrypt the
files there, then put them back to wherever you need them.
Encrypt directories rather than individual files, and don't attempt to do
the whole drive - just do My Docs and/or whatever data directories are
appropriate. You can't/shouldn't encrypt OS files, and encryption adds
overhead, so it's best to encrypt only what's necessary.
"John" <nomail@xxxxxxxxxxxx> wrote in message
news:eB1SW66HHHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I'd like to know if the included File/Folder encryption utility built in to
XP is good enough for end users on the road with their laptops, in case
their laptops get stolen?
Or how easy is it to recover their files in case one needs them?
Appreciate your opinion.
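
The test-folder check described in the reply above, scripted for a client machine. This is an added example, not part of the original post; it assumes a Windows version whose cipher.exe supports /c, English-language cipher output, and a constructed test path under %TEMP%.

```powershell
# Added example (not from the original post). Assumes cipher.exe supports /c,
# English-language cipher output, and a constructed test path under %TEMP%.
$testDir  = Join-Path $env:TEMP 'efs-dra-test'   # constructed path
$testFile = Join-Path $testDir 'probe.txt'

New-Item -ItemType Directory -Path $testDir -Force | Out-Null
cipher.exe /e $testDir | Out-Null                 # new files in the folder get encrypted
Set-Content -Path $testFile -Value 'EFS recovery agent probe'

# Confirm the file inherited encryption from the folder.
$attrs = (Get-Item $testFile).Attributes
if (-not ($attrs -band [IO.FileAttributes]::Encrypted)) {
    Write-Warning 'Probe file is not encrypted (non-NTFS volume, or EFS disabled by policy).'
    return
}

# cipher /c lists the users and recovery certificates stored with the file.
$inRecovery = $false
$thumbprints = @(foreach ($line in (cipher.exe /c $testFile)) {
    if ($line -match '^\s*Recovery Certificates?:') { $inRecovery = $true; continue }
    if ($line -match '^\s*Key Information:')        { $inRecovery = $false }
    if ($inRecovery -and $line -match 'Certificate thumbprint:\s*(.+)$') {
        $Matches[1] -replace '\s', ''             # normalise "AB12 CD34 ..." to "AB12CD34..."
    }
})

if ($thumbprints.Count -eq 0) {
    Write-Warning 'No recovery agent is recorded on the file; check the EFS policy on the domain.'
    return
}

foreach ($tp in $thumbprints) {
    # The agent's certificate may not be in a local store; if it is, report its expiry.
    $cert = Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) {
        "Recovery agent $tp : certificate not in a local store, check expiry in the policy"
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        "Recovery agent $tp : EXPIRED on $($cert.NotAfter)"
    } else {
        "Recovery agent $tp : valid until $($cert.NotAfter)"
    }
}
```

Run it as the laptop user whose files will be encrypted, so the probe file is created under the same policy that will apply to that user's real data.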