casbuilding.blogg.se

Cisdem data recovery key

A data recovery agent (DRA) is a Microsoft Windows user account with the ability to decrypt data that was encrypted by other users. The DRA account allows an IT department to recover data that was encrypted by an employee in the event that the original recovery key or passphrase is lost or if the employee leaves the company. The DRA is used for Microsoft Encrypting File System (EFS), Windows Information Protection (WIP) and BitLocker.

The data recovery agent allows an administrative account to decrypt and read any EFS encrypted file in an organization. The DRA account is provisioned with an X.509 certificate. A second protector is added to every EFS file at encryption that the DRA certificate can unlock. This makes the DRA and its certificate extremely sensitive. It should be protected and only used when needed. It is not recommended to have the DRA be a normal account or one in regular use by administrators.

Each EFS encrypted file has a unique File Encryption Key (FEK), which is also protected by encryption. With an assigned DRA, two separate copies of the FEK are made: one is encrypted by the user public certificate, and the other is encrypted by the DRA public certificate. Both encrypted FEKs are stored with the encrypted file. This allows both the user and DRA to decrypt the file without the other, and the DRA can recover the file even if the user encrypting certificate is lost.

An administrator can also revoke user access to the encrypted file, while maintaining access by the DRA. This reduces the amount of information that is saved because only one recovery certificate needs to be stored that can access every file.

To illustrate how a DRA works, imagine an office building with many offices and key locks on the doors. Each worker (user) needs to be able to unlock their office door, and for the sake of this illustration they may have more than one office. At the same time, maintenance personnel (DRA) also need to be able to unlock every door. In this scenario, each employee would need a key for the one or more doors they need to unlock, and maintenance personnel would need a copy of every key. This would result in the number of keys in use quickly getting out of control.

A solution to this problem is to have two copies of the key that unlock the door (FEK) installed in a lock box next to the door they unlock. Both the employee and maintenance person can use their key to unlock the lock box. This way each person only needs one key to open any door they have access to.
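The two wrapped copies of the FEK described above can be modelled in a few lines. This is an added example, not code from the original page or from Microsoft, and it uses toy cryptography (textbook RSA on Mersenne primes, a SHA-256 keystream) purely to show the structure; all function and field names are assumptions made for the illustration.

```python
# Added illustration, not Microsoft's implementation. Toy crypto only:
# textbook RSA on Mersenne primes stands in for the X.509 certificates and
# a SHA-256 keystream stands in for the file cipher.
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def keypair(p_exp, q_exp):
    """Constructed toy key: 2**p_exp - 1 and 2**q_exp - 1 are known primes."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def stream_xor(fek, data):
    """Symmetric stand-in: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt_file(plaintext, public_keys):
    """public_keys maps protector name -> modulus; no private key is needed."""
    fek = secrets.token_bytes(32)  # unique FEK per file
    m = int.from_bytes(fek, "big")
    return {"data": stream_xor(fek, plaintext),
            "feks": {who: pow(m, E, n) for who, n in public_keys.items()}}

def decrypt_file(record, who, key):
    """Unwrap this protector's copy of the FEK, then decrypt the data."""
    if who not in record["feks"]:
        raise PermissionError(f"{who} has no wrapped FEK on this file")
    fek = pow(record["feks"][who], key["d"], key["n"]).to_bytes(32, "big")
    return stream_xor(fek, record["data"])

def revoke(record, who):
    """Drop one protector; the remaining wrapped FEKs are untouched."""
    del record["feks"][who]

if __name__ == "__main__":
    user, dra = keypair(521, 607), keypair(1279, 2203)
    rec = encrypt_file(b"payroll.xlsx contents",
                       {"user": user["n"], "DRA": dra["n"]})
    print(decrypt_file(rec, "user", user))  # user path
    revoke(rec, "user")                     # user key lost or access revoked
    print(decrypt_file(rec, "DRA", dra))    # recovery path still works
```

Because the DRA's wrapped FEK sits on every file record, whoever holds the DRA private key can read every file, which is why the account is kept out of regular use.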













