
We have about 50 workstations we use EFS on to encrypt a SQL 2005 database. I am in the process of building a new one and when I got to the point of encrypting the database I get this error:

Recovery policy configured for this system contains invalid recovery certificate

Fine and dandy, I enlist the help of Google and the first hit leads me to Microsoft ... x?mfr=true

The thing is, the certificate for the EFS account is not expired. I have tried renewing the key, I have tried getting a new one, and nothing is working. According to Google I am not alone. Certificates are not my strong suit. I do have a CA and it is issuing keys. I don't know where to go from here and I need to get this working ASAP.

Thanks in advance.


3 Answers


I looked at that. The key to that one is this:

When a client computer uses the Encrypting File System (EFS) to encrypt a file that is stored on a remote computer in a Microsoft Windows Server 2003 domain, you may receive an error message on the computer that resembles the following:

The client is encrypting a local file. I can give it a shot just to rule it out.


I finally solved this mystery.

Here is what I did. I opened up the Default Domain Group Policy and went to:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

What do you know? The recovery agent key was expired so I made a new one and deleted the old one and now EFS is working.

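The accepted answer found the problem by eyeballing the recovery agent certificate in the GPO. As an added example (not from the original post or answer), the script below does the same check from a domain workstation: it reads the EFS recovery policy that Group Policy mirrors into the registry, decodes each certificate, and flags any recovery agent whose validity period has ended. It assumes the applied policy lives under `HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates` and that each `Blob` value uses the serialized-store-element layout where property 32 carries the DER certificate.

```powershell
# Added example: list EFS recovery agent certificates pushed by domain policy and flag expired ones.
# Assumption: the applied recovery policy is mirrored under this registry path on the client.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates'
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU marks a recovery agent cert

function Get-CertFromStoreBlob {
    param([byte[]]$Blob)
    # Assumed layout: repeated records of (propId:UInt32, reserved:UInt32, length:UInt32, data).
    # Property 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [BitConverter]::ToUInt32($Blob, $offset + 8)
        $dataStart = $offset + 12
        if ($dataStart + $length -gt $Blob.Length) { break }   # malformed blob, stop parsing
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $dataStart, $der, 0, $length)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
        }
        $offset = $dataStart + $length
    }
    return $null
}

function Test-EfsRecoveryAgents {
    param([string]$Path = $PolicyPath)
    if (-not (Test-Path $Path)) {
        Write-Warning "No EFS recovery policy at $Path (policy not applied, or no recovery agent defined)."
        return
    }
    $now = Get-Date
    foreach ($key in Get-ChildItem -Path $Path) {
        $blob = (Get-ItemProperty -Path $key.PSPath).Blob
        if (-not $blob) { continue }
        $cert = Get-CertFromStoreBlob -Blob $blob
        if (-not $cert) { continue }
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isRecovery = $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $FileRecoveryEku)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            RecoveryAgent = $isRecovery
            Expired       = ($cert.NotAfter -lt $now)   # an expired agent triggers the "invalid recovery certificate" error
        }
    }
}

Test-EfsRecoveryAgents | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on an affected workstation after `gpupdate /force`; a row with `Expired` set to `True` points at the recovery agent certificate that needs to be replaced in the GPO, as the answer describes.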