Recovery Certificates and Encrypted Files in Windows 7

Encryption keys are generated in order to restrict access to your encrypted files, but they sometimes work too well. If your encryption key is ever lost, damaged or otherwise corrupted, then even you will be locked out of your encrypted data. Thankfully, the Windows 7 operating system has a very effective and efficient protocol for handling such issues.

Windows 7 utilizes recovery certificates as a means of restoring access to your protected files in the case that your specific encryption key is ever lost or damaged, and it is a rather simple and straightforward process. It is important to note, however, that this method may not work on versions of Windows 7 Starter, Windows 7 Home Basic and Windows 7 Home Premium.

Creating a Recovery Certificate

The first step is to create a unique recovery certificate. This file should always be created and stored on removable media such as a disc or USB drive, but there are otherwise no restrictions associated with the creation and storage of the certificate itself.

Insert your external media and open the Windows 7 Command Prompt by clicking the "Start" button and typing "Command Prompt" in the search box. Scroll through the list of results to find "Command Prompt" and select it to begin.

Next, you will need to locate the drive letter of your removable media; we'll use drive "X" for this example. Type "X:" into the Command Prompt and press Enter to switch to the removable media, then type "cipher /r:filename" to begin the recovery certificate creation process. Note that "X" should be replaced with the drive letter of your removable media and "filename" should be replaced with the name you want to use for the recovery certificate itself.

Installing a Recovery Certificate

With your removable media inserted, click on the Windows 7 "Start" button, type "secpol.msc" into the search box and press Enter. In the pane that appears on the left side of the screen, double-click "Public Key Policies," right-click "Encrypting File System" and finally click on "Add Data Recovery Agent."

After the Microsoft Windows 7 Data Recovery Agent loads, click "Next" and choose your specific recovery certificate. Click the filename of the certificate and then click "Open." Click "Yes" when asked if you want to install the certificate, then click "Finish" to end the process.

The final step to installing a Microsoft Windows 7 recovery certificate is to reopen the Command Prompt, type "gpupdate" and press Enter. This will finalize the entire installation process, thus allowing you to recover your encrypted files as if you still had the original encryption key.

Updating a Recovery Certificate

Some users may need to update their previously encrypted files with a new recovery certificate. This is easily done by opening the Windows 7 Command Prompt, typing "cipher /u" and pressing the Enter key. Note that you will need to be logged in to the original account that first encrypted the files to be updated, so you will need to have the account name and password handy. It is also important to note that if you choose to cancel the updating process, your files will automatically be updated the next time they are used.
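
After running "cipher /u", it is worth confirming that each encrypted file actually lists the new recovery certificate. The PowerShell script below is an added example, not part of the original article: the certificate path and folder are placeholders, Test-RecoveryAgent is a hypothetical helper name, and it assumes "cipher /c" prints English output with a "Recovery Certificates" section.

```powershell
# Added example: check that encrypted files carry the new recovery certificate.
# Assumptions (not from the article): both default paths are placeholders, and
# cipher.exe prints English output containing a "Recovery Certificates:" section.
param(
    [string]$CertPath = 'X:\filename.cer',            # .cer on the removable media
    [string]$Folder   = "$env:USERPROFILE\Documents"  # folder to audit
)

# Thumbprint of the recovery certificate as upper-case hex without spaces.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$thumb = $cert.Thumbprint.ToUpper()

function Test-RecoveryAgent([string]$File, [string]$Thumbprint) {
    # "cipher /c" lists the users and recovery certificates that can decrypt a file.
    $lines = @(& cipher.exe /c $File 2>&1 | ForEach-Object { "$_" })
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Recovery Certificat') { $start = $i; break }
    }
    if ($start -lt 0) { return $false }   # no recovery section reported at all
    # Thumbprints are printed in space-separated groups; drop whitespace to compare.
    $section = (($lines[$start..($lines.Count - 1)] -join '') -replace '\s', '').ToUpper()
    return $section.Contains($Thumbprint)
}

# Only files with the Encrypted attribute are protected by EFS.
$encrypted = @(Get-ChildItem -Path $Folder -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) })

$missing = @($encrypted | Where-Object { -not (Test-RecoveryAgent $_.FullName $thumb) })

$summary = "{0} encrypted file(s) checked, {1} without recovery certificate {2}"
$summary -f $encrypted.Count, $missing.Count, $thumb

# Files listed here have not picked up the new certificate yet.
$missing | ForEach-Object { $_.FullName }
```

Any file the script lists still lacks the new recovery certificate and has not yet been updated by "cipher /u".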


