Removable Media Encryption - Create a Recovery Certificate


Article ID: 171224


Updated On:


Endpoint Encryption


A recovery certificate is needed to recover files encrypted with Symantec Endpoint Encryption (SEE) on removable media.


Using the Recovery Certificate with Symantec Removable Media Encryption (RME) requires creating two certificates from the same key pair:

  1. Client Certificate, embedded in the RME Client MSIs - type PKCS#7/.p7b, containing only the public key.
  2. Master Recovery Certificate, placed in the certificate store of the designated machine(s) that will perform the recovery - type PKCS#12/.PFX, containing the private key. Regardless of whether files were encrypted with a password, an encryption certificate and/or a group key, as long as the public key portion of the recovery cert is embedded in the client MSIs you can still decrypt the files.

The best way to create these certs is to create an initial root cert, install it in a local cert store, and then export it twice: once as a client cert of type PKCS #7 and once as a server-side cert of type PKCS #12. The server-side cert can be installed on any desired machine to perform the recovery feature, and the client-side cert must be embedded during the RME MSI creation process.

To create the root cert using Microsoft's Certificate Services, you can pick one of the default templates such as User, Basic EFS or Administrator; all of these work for a Recovery Cert. We recommend the Basic EFS template, as it is the leanest template and contains only the following Key Usage attributes:

Basic EFS Template Attributes
  - Key Usage: Key Encipherment
  - Enhanced Key Usage: Encrypting File System

For key size, we also recommend using at least 2048 bits.
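The "create once, export twice" procedure above, written out as an added PowerShell example (not part of the original article or of the Symantec product). It assumes a self-signed certificate created with New-SelfSignedCertificate instead of one issued from a Certificate Services template, so that it runs on a standalone workstation; the subject name, output folder, file names, validity period and PFX password are placeholders. The certificate attributes match the Basic EFS template described above (Key Usage: Key Encipherment, EKU: Encrypting File System, 2048-bit RSA), and the final check confirms that only the PKCS#12 file carries the private key.

```powershell
# Added example: build a recovery certificate with the Basic EFS attributes,
# then export it twice: PKCS#7 (public key only) for the RME client MSI and
# PKCS#12 (with private key) for the designated recovery machine(s).
# Assumptions (not from the article): self-signed cert instead of a CA
# template, placeholder subject, folder, file names, validity and password.

$Subject = 'CN=RME Recovery Certificate'      # placeholder subject name
$OutDir  = 'C:\RMERecovery'                   # placeholder output folder
$P7bPath = Join-Path $OutDir 'rme-recovery-public.p7b'   # embed in client MSI
$PfxPath = Join-Path $OutDir 'rme-recovery-private.pfx'  # recovery machine only

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Key Usage: Key Encipherment; Enhanced Key Usage: Encrypting File System
# (OID 1.3.6.1.4.1.311.10.3.4); RSA 2048; key must be exportable for the PFX.
$cert = New-SelfSignedCertificate `
    -Subject $Subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyUsage KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.4.1.311.10.3.4') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10)          # placeholder validity period

# Export 1: PKCS#7 / .p7b, public key only. This is the client certificate.
Export-Certificate -Cert $cert -FilePath $P7bPath -Type P7B | Out-Null

# Export 2: PKCS#12 / .pfx, private key included. This is the master
# recovery certificate; install it only on the designated recovery machine(s).
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Sanity check before distributing anything: the .p7b must carry no private
# key, the .pfx must carry one, and both must be the same certificate.
$pubCol = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$pubCol.Import($P7bPath)
$priv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $PfxPath, $pfxPassword, 'Exportable')

"Thumbprint              : $($cert.Thumbprint)"
"P7B thumbprint matches  : $($pubCol[0].Thumbprint -eq $cert.Thumbprint)  (expected True)"
"P7B has private key     : $($pubCol[0].HasPrivateKey)  (expected False)"
"PFX has private key     : $($priv.HasPrivateKey)  (expected True)"
```

On the recovery machine, importing the .pfx into the personal store (for example with Import-PfxCertificate into Cert:\CurrentUser\My) is what makes the private key available for the recovery decryption described in the next paragraphs; the .p7b is the only file that should travel with the client MSI build.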
Also, unlike our previous release of SEE Removable Storage, SEE 11 RME does display a pop-up window when the Recovery Cert decrypts files; unlike the normal decryption process, however, it does not ask for the decryption password. It simply decrypts the file after verifying that the private key of the recovery cert is present in the local cert store.

As well, the machine containing the private key for recovery does not need to have RME installed; the Recovery Cert can also be used via the Removable Media Access Utility to decrypt files.