How do I let the SYSTEM account use EFS encryption?

I want to encrypt some files used by a Windows service running as Local System (i.e. using the NT AUTHORITY\SYSTEM account). Since BitLocker doesn't seem to work with software RAID, EFS seems to be the way to go. However, cipher /adduser doesn't like being used on SYSTEM:

cipher /adduser /user:SYSTEM filename.ext

Error finding user certificate in Active Directory Domain Services: The specified domain either does not exist or could not be contacted.

I'm using Windows 8.1.

I also have some already-encrypted files that I need to give SYSTEM access to. What can I do?


This works on every incarnation of Windows since 7 (and probably earlier), and the server versions too.

The SYSTEM account can indeed use EFS, but it doesn't have an EFS certificate by default. The only person who can enroll a certificate for SYSTEM is SYSTEM, so you'll need to get PsExec. From an admin command prompt with psexec.exe accessible, run psexec /s /i cmd.exe to produce a command prompt running as SYSTEM.

Before we start

Note that allowing SYSTEM access to an encrypted file means that anybody with physical access to the machine can decrypt that file. Usually, EFS certificates are protected by a user password, but SYSTEM's password has to be stored on the disk because nobody enters its password. Therefore, these procedures are only advisable if you're worried about the security of off-site backups, where the machine key is not accessible.

If you want only SYSTEM to have access to the files

Use the SYSTEM prompt to encrypt the files. This can be accomplished with the cipher utility that comes with Windows. cipher /e followed by the filename encrypts that file, making it only accessible to SYSTEM. To encrypt a directory, the command is cipher /e /s:, with the target directory name smashed right up against that colon.

If you want to give SYSTEM access to already-encrypted files

The first time a file is encrypted (for any account), an EFS certificate/key is issued. To create a scratch file, do echo. > scratch.txt in the SYSTEM prompt. Encrypt that file with cipher /e scratch.txt. You can torch that extra file if you want; the certificate is all ready. EFS certificates can be managed in the Certificates MMC snap-in; you'll need to open the snap-in for the computer (not the user), or just run certlm.msc. You'll find the certificates of interest under Trusted People.

Now, when you want to give SYSTEM access to an encrypted file/directory, open a command prompt as an owner of the file. Run cipher /adduser /certhash: with the target user's EFS thumbprint smushed against the colon without spaces. (Double-click an entry in the Certificates MMC window and switch to the Details tab to see the thumbprint.) The target filename is an additional parameter, and /s:<dir> still works if you're applying this to a folder.

Example commands

Encrypting a file: cipher /e filename.ext
Encrypting a folder: cipher /e /s:Important
Adding a user to a file: cipher /adduser /certhash:6cc1ce89aac7b6f794733e1b6b54a564a9bed9de filename.ext

Further reading: "How IT Works: Encrypting File System", cipher.exe reference at TechNet
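The two-stage procedure in the answer above (enroll SYSTEM's EFS certificate by encrypting a scratch file as SYSTEM, then add SYSTEM to an existing encrypted file or folder by certificate thumbprint) as one PowerShell script. This is an added example, not code from the question or the answer. It assumes Sysinternals PsExec is on the PATH for the first stage, that SYSTEM's EFS certificate lands in the computer's Trusted People store as the answer states, and that the script's -Target parameter (a hypothetical name chosen here) points at the file or directory owned by the account running the second stage. The final cipher /c check uses a real cipher.exe switch that the answer does not mention.

```powershell
# Added example (not from the original answer). Assumptions: psexec.exe is on PATH,
# SYSTEM's EFS certificate lives in Cert:\LocalMachine\TrustedPeople (per the answer),
# and -Target (hypothetical parameter) is the file or directory to share with SYSTEM.
param(
    [Parameter(Mandatory = $true)][string]$Target
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

if ($me -eq 'NT AUTHORITY\SYSTEM') {
    # Stage 1. Launch this with: psexec /s /i powershell.exe -File .\Add-SystemEfs.ps1 -Target <path>
    # Encrypting any file while running as SYSTEM makes Windows issue SYSTEM's EFS
    # certificate if it does not exist yet; the scratch file itself is disposable.
    $scratch = Join-Path $env:TEMP 'efs-scratch.txt'
    Set-Content -Path $scratch -Value 'scratch'
    cipher /e $scratch | Out-Null
    Remove-Item $scratch -Force          # certificate survives deletion of the scratch file
    Write-Output 'SYSTEM EFS certificate enrolled; rerun this script as the owner of the target.'
    return
}

# Stage 2 (run as the file owner). Find SYSTEM's EFS certificate by its EKU instead of
# copying the thumbprint out of certlm.msc by hand, then grant access with /certhash:.
$certs = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })

if ($certs.Count -eq 0) {
    throw 'No EFS certificate under LocalMachine\TrustedPeople; run stage 1 as SYSTEM first.'
}
if ($certs.Count -gt 1) {
    $certs | Format-List Subject, Thumbprint, NotAfter
    throw 'Several EFS certificates found; choose the thumbprint and pass it to cipher /adduser /certhash: manually.'
}

$thumb = $certs[0].Thumbprint            # hex, no spaces, exactly what /certhash: expects
if (Test-Path -Path $Target -PathType Container) {
    cipher /adduser "/certhash:$thumb" "/s:$Target"   # whole directory tree, as the answer describes
} else {
    cipher /adduser "/certhash:$thumb" $Target
}

# Check: cipher /c lists the certificates that can decrypt the file, so SYSTEM's
# thumbprint should now appear alongside the owner's.
cipher /c $Target
```

Stage 1 has to run under PsExec because, as the answer notes, only SYSTEM can enroll SYSTEM's certificate; stage 2 has to run as a user who already holds a decryption key for the target, since cipher /adduser can only extend access that the caller already has. Picking the certificate by the EFS EKU avoids grabbing some other certificate that happens to sit in Trusted People, and the script refuses to guess when more than one candidate is present.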