EFS for Remote Blob Storage (RBS)

In continuation to my blog on Enabling Remote Blob Storage (RBS) in SharePoint 2010 Today I’m going to write on how we can encrypt Blob Storage using encryption
Since Blob Stores does not support SQL provided Encryption hence only method remains is using NTFS based Encryption EFS or bit locker today I would be covering how to protect your blob store files using EFS.
Configuring EFS
Two types of certificates play a role in EFS:
  • Encrypting File System certificates. This type of certificate allows the holder to use EFS to encrypt and decrypt data, and is often called simply an EFS certificate. Ordinary EFS users get this type of certificate. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value Encrypting File System (
  • File Recovery certificates. This type of certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them. Only domain admins or very trusted designated persons called data recovery agents should get this. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value File Recovery ( These are often called EFS DRA certificates.

Step1: Configuring Domain Group Policy(normally this would be configured by default by your Network Administrator)
Domain Policy: This setting allows all domain users to create their own EFS certificate:
Step2: Create a file recovery certificate (this certificate needs to be created for the Service Account executing SQL Server Services)
You can do this by executing the following steps:
Start menu > Run > Cmd
(this can be accessed also through Start ->All Programs -> Accessories -> Command Prompt)
Type cipher /r:recovery_certificate and hit Enter
Type a strong password. This will be your password to your data; it is advised to use at least 10 characters, a combination of lower and upper case, numbers and special characters.
The certificate is stored in a file called recovery_certificate.CER located in the directory shown at the command prompt.
Note: It is a good idea to move this file to an encrypted USB disk and store the media in a safe. This file will be your key to your data.
Step3: Install file recovery certificate (Data Recovery Agent) :
1. Start menu > Run
2. Type gpedit.msc and hit Enter to run the Group Policy editor
3. Navigate to the :
-> Local Computer Policy
-> Computer Configuration
-> Windows Settings
-> Security Settings
->Public Key Policies
-> Right click Encrypting File System and select Add Data Recovery Agent
4. Follow the wizard and when it asks you for a file with the certificate, browse to the folder containing the recovery_certificate.CER file which you created earlier and select that file.
Step4: Delete old certificate
The Encrypting File System screen in the Group Policy editor should list only one Data Recovery Agent (certificate). If you see more than one Data Recovery Agent there, then export them first and delete all but the one with the farthest expiration date.
Open the certificates Microsoft Management Console snap-in (type mmc in the Start -> Run screen and hit Enter, then go to File -> Add/Remove Snap In and select Certificates from the Available Snap-ins menu, then hit Add and select My user account). Navigate to the following location:
-> Console Root
-> Certificates – current user
-> Personal
-> Certificates
and make sure the right pane shows no File Recovery certificates. If it does show any, then export and delete them.
Step 5: Copy/Install EFS certificate ( to the User’s Certificate folder
1. Start menu > Run
2. Type certmgr.msc and hit Enter to open the Certificate editor
3. Navigate to the :
-> Certificates – Current User
-> Personal
-> Certificates
-> Check the certificate with the Intended Purpose as Encrypting File System or Enhanced Key Usage is as Encrypting File System ( in the certificate properties.
-> If EFS certificate does not exist: copy and paste the Certificate from other folders in the certificate snap-in. For ex: Other People > Certificate, or from, Trusted People > Certificate. You may also create such certificate from the CA root.
1. All the steps described on this page need to be executed under the default Administrator account.
2. The Recovery policy configured for this system contains invalid recovery certificate message is known to appear when trying to encrypt a file or a folder using the Windows Encrypting File System. The File Recovery certificate being outdated or expired is the most frequent cause of this invalid recovery certificate message. The message is shown in the following print screen:
To encrypt all files under a folder use following steps
1. Browse to the folder structure.
2. Right click on the folder and open properties
3. Click on advanced button
4. Select Encrypt contents to secure data check box and click Ok button
5. Click on apply button on properties window
6. Select apply changes to this folder , subfolders and files


Popular Posts