Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption


Article ID: 171224


Updated On:


Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


A Recovery certificate is needed to recover files encrypted with Symantec Endpoint Encryption (SEE) on removable media.

For further information about incorporating the recovery certificate in policy, please see the Endpoint Encryption Management Server Overview.

A Recovery certificate is a regular "User" certificate that can be used to recover files encrypted with RME. This article describes the steps to create one.


Symantec Endpoint Encryption 11.3 and above.


The first step in generating a Recovery Certificate for RME is to ensure that the "User" template is available so that you can request this type of certificate.

You can do this by opening your Certificate Authority for your local domain and reviewing what is available:

If you have the "User" template in the Certificate Templates, you are good to go:

If you do not have this template, you will need to add it so that it can be used. To do this, right-click the templates and select "Manage":

You will then add the User template, which gives you the option to request these certificates.

Once you have done this, you can open your "certmgr.msc" and request a new certificate:


Once you have finished the process, you will see the new certificate:


Now you should have a key to use for recovery.


Open the certificate store by searching for Manage computer certificates or running mmc and adding the Certificates snap-in for the Computer.

Right-click the certificate that has the private key and export the public certificate in Cryptographic Message Syntax Standard PKCS#7 format, choosing to include all certificates in the certificate path. A *.p7b file is created containing the public certificate and all certificates in the certificate chain:

When adding the Recovery certificate to an Endpoint Encryption policy, it is the *.p7b file that is required:

The private certificate can either be installed on Endpoint Encryption Management Server or on a separate Windows machine. It is required in case an end user forgets the password that they used to encrypt files on removable media. 

If an end user needs files to be decrypted, they do not have to hand the removable media to the administrator. Instead, they can right-click the encrypted file; under the Symantec Encryption context menu there are options to attach the file to an email message or to copy the encrypted files:

If the user chooses to copy the encrypted file they can, for example, navigate to a shared network folder and paste it there for the administrator to decrypt:

Endpoint Encryption can use almost any certificate as the recovery certificate. A certificate issued by the organization's internal Certificate Authority is a good choice; however, a certificate issued by a public Certificate Authority can also be used.

Symantec Enterprise Division does not recommend using self-signed certificates: they are not considered valid certificates by nature and are difficult to manage. Self-signed certificates can never be renewed and have other limitations, so a certificate from an internal Certificate Authority or from a trusted public Certificate Authority is recommended.


The best way to create these certificates is to create an initial root certificate, install it in a local certificate store, and then export it twice so that you have a client certificate of type PKCS #7 and a server-side certificate of type PKCS #12. The server-side certificate can be installed on any machine that will perform recovery, and the client-side certificate will need to be embedded during the RME MSI creation process.

To create the root certificate using Microsoft's Certificate Services, you can pick one of the default templates such as User, Basic EFS or Administrator, which are all valid for a Recovery certificate. The Basic EFS template is recommended. It contains the following Key Usage attributes:

Basic EFS Template Attributes
Key Usage: Key Encipherment
Enhanced Key Usage: Encrypting File System

For the key size, use 2048 bits as a minimum.

When decrypting a file using the Recovery certificate, Endpoint Encryption does not prompt for any information, provided it can locate the private recovery certificate in the local certificate store. Note that the Removable Media Access Utility can also be used to decrypt files using the recovery certificate.
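The following PowerShell script is an added example, not part of this article or of the Endpoint Encryption product: it checks a candidate certificate in the local store against the attributes listed above (private key present, RSA key of at least 2048 bits, Key Encipherment, Encrypting File System EKU, not self-signed) and then exports the public certificate plus its chain as a PKCS#7 *.p7b file, which is the form the policy requires. The thumbprint and output path are placeholders you must replace.

```powershell
# Added example (not from the article): validate a Recovery certificate and
# export its public half plus chain as PKCS#7 (.p7b) for the RME policy.
$Thumbprint = 'REPLACE-WITH-THUMBPRINT'       # placeholder: thumbprint of the candidate cert
$OutFile    = 'C:\Temp\SEE-RME-Recovery.p7b'  # placeholder: where to write the .p7b
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'        # Enhanced Key Usage: Encrypting File System

# Look in both personal stores, since the article allows either location.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint was not found in a personal store." }

$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key (recovery needs the private half)' }

# Key size check: the article asks for 2048 bits as a minimum.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa)            { $problems += 'public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { $problems += "key size $($rsa.KeySize) is below the 2048-bit minimum" }

# Key Usage must include Key Encipherment (Basic EFS / User templates provide it).
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku -or -not ($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
    $problems += 'Key Usage lacks Key Encipherment'
}

# Enhanced Key Usage: warn rather than fail, since other templates are also accepted.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $EfsEkuOid)) {
    Write-Warning 'Enhanced Key Usage does not include Encrypting File System (the Basic EFS template would).'
}

# Self-signed certificates are not recommended by the article.
if ($cert.Subject -eq $cert.Issuer) { $problems += 'certificate is self-signed' }
if ($problems) { throw "Not suitable as a Recovery certificate: $($problems -join '; ')" }

# Build the chain and export the leaf plus every issuer as PKCS#7. This matches the
# "include all certificates in the certificate path" option of the GUI export wizard.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; chain content is what matters here
[void]$chain.Build($cert)
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }
$bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7)
[System.IO.File]::WriteAllBytes($OutFile, $bytes)
Write-Host "Exported $($bundle.Count) certificate(s) to $OutFile (PKCS#7 never contains the private key)."
```

The PKCS#7 export only ever carries public certificates; the PKCS#12 export that holds the private key is still done separately and should be stored and audited as the article recommends.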

To use the Recovery Certificate to decrypt files:

All you need is to have the Recovery Certificate (i.e. the one with the private key) in the currently logged-on user's personal certificate store. In this case, it should be your admin user. The SEE-RME client automatically looks for certificates when opening encrypted files and should find it. This is the same way the Removable Access Utility behaves, and also how the SEE-RME client behaves when user certificates are available.

In summary, the Admin would:

1. Receive the encrypted file and put it onto a USB stick via a machine that does not have SEE-RME
2. Install the Recovery certificate on a machine with SEE-RME installed (i.e. the Recovery Machine)
3. Plug the USB stick into the machine with SEE-RME installed
4. Open/recover the file and save a decrypted copy
5. Remove the Recovery certificate from the Recovery Machine

Remember, it is best practice to securely store, and audit access to, the Recovery Certificate.

Additional Information

For more information about SEE Removable Media Encryption, see the following article:


222689 - Symantec Endpoint Encryption Removable Media Encryption FAQs - General Information