Personal Secure Drive Recovery

Infineon Security Platform

previous page next page

Infineon Security Platform Solution

Personal Secure Drive Recovery

With Personal Secure Drive Recovery you can recover your PSD data in case your PSD credentials are lost. Data recovery is enabled through use of recovery agents. A recovery agent is a user role for decryption of other user's data. If the user updates the system from a Home edition to a higher Operating System, for e.g. Windows XP Home to Windows XP Professional or Windows Vista Basic Home to Windows Vista Home Premium, the Home recovery agents get invalid and the user needs to configure PSD recovery again as described in the table "How to configure and perform PSD Recovery".

PSD Recovery Preconditions:
  • At least 1 PSD recovery agent is listed.
  • Your PSD image file is accessible.

Note that a lost PSD image file or some user data within an image file can only be restored from a PSD image backup file.

How to configure and perform PSD Recovery

PSD Recovery Tasks Windows editions not supporting EFS Windows editions supporting EFS
Overview
  • Dedicated PSD recovery agents are used. PSD user needs to register PSD recovery agent.
  • All tasks are performed via PSD Recovery command line tool.
  • EFS recovery agents are used.
  • Recovery agents are managed by an administrator via Microsoft Security Settings.
  • PSD Recovery is performed via PSD Recovery command line tool.
How to configure recovery agents:  
 Enable PSD Recovery
 		 1. Configure PSD

2. Create recovery certificate file and recovery PKCS #12 file.
You will be prompted to set a password to protect the PKCS #12 file.
Command line: PSDRecovery /R:filename

3. Register PSD recovery agent:
Command line: PSDRecovery /A:filename.CER [/ID:driveID]

Note: You can also do step 2 first, and then step 1.

1. Configure PSD

2. Configure EFS recovery agents via Microsoft Security Settings:
Command line: secpol.msc

3. Load your PSD to make the changes effective.

Notes:
You can also do step 2 first, and then step 1. In this case step 3 is not needed any more.
Windows 2000 EFS creates a recovery agent by default; Windows 7, Windows Vista and Windows XP Professional do not.
 View list of registered recovery agents

Display the list of recovery agents registered for your PSD.
Command line: PSDRecovery /V [/ID:driveID]

 View EFS recovery agents via Microsoft Security Settings:
Command line: secpol.msc
 Delete a registered recovery agent Delete one specified recovery agent registered for your PSD.
Command line: PSDRecovery /D:[name][number] [/ID:driveID]		 Delete EFS recovery agents via Microsoft Security Settings:
Command line: secpol.msc
How to recover your PSD:
  • Ensure that you have access to both the Recovery Agent’s digital certificate and the associated private key (i.e. you need to import the recovery PKCS #12 file).
  • Ensure that the Personal Secure Drive application is installed.
  • Ensure that the Personal Secure Drive encrypted data to be recovered is accessible to the Recovery Agent.
 Locate PSD image file

The encrypted data for a Personal Secure Drive is located within a single file (file extension *.FSF).
Note that *.FSF files are hidden system files and are normally only accessible to users with administrative rights.

The location of this file can be obtained via PSD Recovery command line tool: PSDRecovery /L

  Recover PSD data

Recover your PSD data to a new temporary drive.
You will have access to your PSD data, as long as the PSD Recovery tool is active. This way you can view your data and copy it to another location.
Command line: PSDRecovery /M:DriveImageFile.FSF [X:]

Syntax of PSD Recovery Command Line Tool

PSDRecovery.exe is a command line tool similar to the EFS cipher.exe.

Note that the syntax is not case sensitive.

PSDRecovery /A:filename.CER [/ID:driveID]
Supported only on Windows editions not supporting EFS.
Registers a recovery agent by adding the certificate of the specified *.CER file to the list of recovery agents to all your Personal Secure Drives.
filename.CER A filename with extension .CER
/ID:driveID Optional: Performs the specified action only for the Personal Secure Drive with the given driveID.
PSDRecovery /D:name [/ID:driveID]
PSDRecovery /D:number [/ID:driveID]
Supported only on Windows Home editions.
Deletes the specified recovery agent from the list of registered PSD recovery agents. Either the name or the sequential number (displayed by PSDRecovery /V) has to be specified.
name Recovery agent's name as displayed by PSDRecovery /V
number Recovery agent's sequential number as displayed by PSDRecovery /V
Without /ID parameter, this action is performed for all your Personal Secure Drives.
PSDRecovery /L
List ID, image file and image file path for all your Personal Secure Drives.
PSDRecovery /M:DriveImageFile.FSF [X:]
Recovers your PSD data to a new unencrypted temporary drive.
DriveImageFile.FSF Full path of the PSD image file as displayed by PSDRecovery /L
X Logical drive letter to be assigned for the new temporary drive which will contain the recovered data (optional). If no drive letter is given, the first available drive letter will be used.
PSDRecovery /R:filename
Supported only on Windows Home editions.
Generates a PSD recovery agent key and certificate, then writes them to a *.PFX file (containing certificate and private key) and a *.CER file (containing only the certificate).
filename A filename (optionally including the full path) without extension.
If the full path is specified, then the output files will be written to the specified directory. Else the output files will be written to the current directory.
PSDRecovery /V [/ID:driveID]
Supported only on Windows Home editions.
Displays the list of registered PSD recovery agents. For each recovery agent the following parameters are displayed: A sequential number, the recovery agent's name and a certificate hash value.
Without /ID parameter, this action is performed for all your Personal Secure Drives.


©Infineon Technologies AG

previous page start next page