Creating a Recovery certificate for Endpoint Encryption Removable Media Encryption


Article ID: 171224
Endpoint Encryption


A recovery certificate is needed to recover files encrypted with Symantec Endpoint Encryption (SEE) on removable media. For further information about incorporating the recovery certificate in policy, please see the Endpoint Encryption Management Server Overview.


Symantec Endpoint Encryption 11.3 and above.


Create a suitable private certificate and import it into the Computer certificates store.

Open the certificate store by searching for Manage computer certificates, or by running mmc and adding the Certificates snap-in for the Computer account.

Right click on the private certificate and export the public certificate in Cryptographic Message Syntax Standard PKCS#7 format, choosing to include all certificates in the certificate path. This creates a *.p7b file containing the public certificate and every certificate in its chain.

When adding the Recovery certificate to an Endpoint Encryption policy, it is this *.p7b file that is required.

The private certificate can be installed either on the Endpoint Encryption Management Server or on a separate Windows machine. It is required in case an end user forgets the password they used to encrypt files on removable media.

If an end user needs files decrypted, they do not have to hand the removable media to the administrator. Instead they can right click the encrypted file and, under the Symantec Encryption context menu, choose to attach the file to an email message or to copy the encrypted files.

If the user chooses to copy the encrypted file they can, for example, navigate to a shared network folder and paste it there for the administrator to decrypt.

Endpoint Encryption can use almost any certificate as the recovery certificate. A certificate issued by the organization's internal Certificate Authority would be a good choice. However, a self-signed certificate or a certificate issued by a public Certificate Authority can also be used.

The best way to create these certificates is to create an initial root certificate, install it in a local certificate store and then export it twice: once as a client-side certificate in PKCS #7 format and once as a server-side certificate in PKCS #12 format. The server-side certificate can be installed on any machine that will perform recovery, and the client-side certificate will need to be embedded during the Removable Media Encryption (RME) MSI creation process.

To create the root certificate using Microsoft's Certificate Services you can pick one of the default templates such as User, Basic EFS or Administrator, all of which are valid for a Recovery certificate. The Basic EFS template is recommended. It contains the following key usage attributes:

Basic EFS template attributes
  Key Usage: Key Encipherment
  Enhanced Key Usage: Encrypting File System

Use a key size of at least 2048 bits.

When decrypting a file using the Recovery certificate, Endpoint Encryption will not prompt for any information, provided it can locate the private recovery certificate in the local certificate store. Note that the Removable Media Access Utility can be used to decrypt files using the recovery certificate.
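As an added example (not from this article or from Symantec), the self-signed variant of the procedure above in PowerShell: it creates a certificate in the Computer Personal store with the Basic EFS template attributes and a 2048-bit key, checks those attributes, then exports the public part with its chain as PKCS #7 (.p7b, the file the policy needs) and the private part as PKCS #12 (.pfx, the file installed on the recovery machine). The subject name, output folder, file names and validity period are assumptions; for a CA-issued certificate, skip the creation step and select the existing certificate from Cert:\LocalMachine\My instead.

```powershell
# Added example, not Symantec's own tooling. Run in an elevated PowerShell on the
# machine that will hold the private recovery certificate. Assumed values: subject
# name, output folder, five-year validity, file names.
$subject = 'CN=SEE RME Recovery'   # assumption
$outDir  = 'C:\SEE-Recovery'       # assumption
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the certificate in the Computer (LocalMachine) Personal store with the
#    Basic EFS template attributes: Key Usage = Key Encipherment, Enhanced Key Usage =
#    Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4), RSA 2048-bit, exportable.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange -KeyUsage KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.10.3.4') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5)

# 2. Check the key size and EKU before exporting anything (also useful for a
#    CA-issued certificate picked from Cert:\LocalMachine\My instead of step 1).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa.KeySize -lt 2048) { throw "Key size $($rsa.KeySize) is below the 2048-bit minimum" }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.4.1.311.10.3.4')) {
    throw 'Certificate lacks the Encrypting File System enhanced key usage'
}

# 3. Export the public certificate plus every certificate in its path as PKCS#7
#    (.p7b), the file the policy / RME MSI needs. A self-signed chain is one cert.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)   # $false for an untrusted self-signed root; ChainElements is still filled
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($element in $chain.ChainElements) { $null = $bundle.Add($element.Certificate) }
$p7bPath = Join-Path $outDir 'SEE-RME-Recovery.p7b'
[System.IO.File]::WriteAllBytes($p7bPath,
    $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7))

# 4. Export the private certificate as PKCS#12 (.pfx) for the recovery machine;
#    it decrypts every user's removable media, so password-protect it.
$pfxPath = Join-Path $outDir 'SEE-RME-Recovery.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 5. Confirm the .p7b really carries the whole chain.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($p7bPath)
"Thumbprint : $($cert.Thumbprint)"
"PKCS#7     : $p7bPath ($($check.Count) of $($chain.ChainElements.Count) chain certificates)"
"PKCS#12    : $pfxPath"
```

The .pfx is imported into the Computer Personal store of whichever machine performs recovery; the .p7b is the file attached to the policy or embedded in the RME MSI.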