ARCHIVED: At IU, how can I recover Windows encrypted files without a private key?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The Encrypting File System (EFS) is a component of the NTFS file system on Windows 2000, Windows XP Professional, and Windows Server 2003, and it allows users to encrypt files stored on their local computer or on a Windows 2000 or 2003 server. The encryption and decryption process requires either a private key stored in the user's profile, or a master recovery key stored by a designated "recovery agent". Users who choose to encrypt their files with EFS should always make backups of their private keys for safekeeping. In an emergency, such as a hard drive crash that removes or corrupts a user's private key, the master recovery key can restore encrypted files.

At Indiana University, the University Information Policy Office (UIPO) maintains a master recovery key for the IU Active Directory. If you forget a key or if your key is damaged, UIPO can use this domain master key to help you recover your own files. However, this is only possible if the file resides on a computer joined to the ADS domain and the user who encrypted the file is a domain user. If your computer does not belong to ADS, then your department's IT Pro or other representative might be able to recover department or user documents, subject to institutional guidelines. In either case, contact UIPO. If your request meets the guidelines set out in Policy IT-07: Privacy of Electronic Information and Information Technology Resources, and any other applicable IU policies, UIPO will contact you and explain how to proceed.

Generally, the support provider makes a Windows Backup copy of the encrypted file and gives a media copy to UIPO, which will then recover the file and return it using unencrypted, read-only media.

IT Pros who administer organizational units (OUs) can choose to disable file encryption entirely.

For help with server administration, registered IT Pros at IU can email Support Center Tier 2.

For more on the Encrypting File System, see the Microsoft TechNet article "The Encrypting File System".

This is document aknh in the Knowledge Base.
Last modified on 2018-01-18 13:23:31.