When multiple Encrypting File System certificates are installed, which one is used for encryption?

To encrypt a file or folder in Windows, you basically go to its Properties and check Encrypt contents to secure data. Windows will use the certificate for Encrypting File System (EFS) that is installed in the Certificates Manager (certmgr.msc) that usually goes under Personal → Certificates. So when there is only one EFS certificate available, you know which one is used to encrypt files.

In my case, I have several EFS certificates installed. I don't know which one is the original one and which ones were installed later, and more importantly, I don't know which one is actually used to encrypt a file when I check that box.

Is there any way to know exactly which certificate is used for encryption?

In Microsoft's instructions for Backing up Encrypting File System (EFS) certificate it says "If there is more than one EFS certificate, you should back up all of them." Does that mean all installed certificates will be used for encrypting files and therefore all of them will be needed for decrypting?


Solution 1:

Answering to myself:

Use this command to list all encrypted files on the system:

cipher /u /n

Use this command to display certificate info for the specified file.

cipher /c <file>

By default Windows uses the EFS certificate that expires latest for encrypting files and folders. The easiest way to manage EFS certificates in Windows is to use the Manage File Encryption Certificates wizard (rekeywiz) to renew and back up certificates.

Solution 2:

To find:

  1. Which certificate was actually used on a particular file: right-click the file to see its Properties, select Advanced, then select Details next to the Encrypt check box.

A popup appears which tells you which certificate and thumbprint were used to encrypt that particular file. The thumbprint matches the certificate thumbprint inside the certificate manager.

  2. Which certificate is going to be used (the default encryption certificate):

Answer: There is a wizard under User Accounts in Windows 7: Control Panel\All Control Panel Items\User Accounts, in the left pane: Manage your file encryption certificates.

The wizard will let you: select which certificate to use for ALL new encryption; export it; re-encrypt all or selected disks/folders with the new certificate.

Command line for the wizard (rekeywiz), thanks to http://pcsupport.about.com/od/commandlinereference/a/run-commands-windows-7.htm

cf. http://www.windows7teacher.com/user-accounts-tutorials/63/how-to-manage-your-file-encryption-certificates-in-windows-7.html

If there is more than one EFS certificate, you should back up all of them.

a) Only the current one is used for future encryption.

b) But when multiple certificates are present, you don't know which ones were used in the past. So you potentially need all of them to decrypt any file. That's why Microsoft recommends saving all of them. Otherwise you can re-encrypt all your files using the wizard mentioned above (which basically replaces the old certificate with the current one).
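As an added example that is not part of either answer above, the PowerShell script below ties the two approaches together: it lists the EFS-capable certificates in the current user's Personal store ordered by expiry (Solution 1 states that the latest-expiring one is the default), then runs cipher /u /n and cipher /c and reports, for every encrypted file, which thumbprint was used and whether that certificate and its private key are still in the store. That is the practical check behind the "back up all of them" advice: a file whose thumbprint is not found is only recoverable from a backup or a recovery agent. It assumes a Windows machine with cipher.exe on the PATH and uses the standard Enhanced Key Usage OID for Encrypting File System, 1.3.6.1.4.1.311.10.3.4.

```powershell
# Added example (not from the original answers): map the EFS certificates in the
# current user's Personal store to the files that were actually encrypted with them.
# Assumes Windows with cipher.exe available.

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# All EFS-capable certificates in Cert:\CurrentUser\My, latest expiry first.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Sort-Object NotAfter -Descending

"EFS certificates in the Personal store (the one expiring latest is listed first):"
$efsCerts | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize

# Encrypted files reported by cipher /u /n (scans all local drives; may take a while).
# Only lines that look like absolute paths are file entries; the rest is status text.
$encryptedFiles = cipher /u /n 2>$null |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]:\\' }

foreach ($file in $encryptedFiles) {
    # cipher /c prints "Certificate thumbprint: XXXX XXXX ..." once per user that can decrypt.
    $thumbs = cipher /c $file 2>$null |
        Select-String 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)' |
        ForEach-Object { ($_.Matches[0].Groups[1].Value -replace '\s', '').ToUpper() }

    foreach ($t in $thumbs) {
        $match = $efsCerts | Where-Object { $_.Thumbprint -eq $t }
        $status = if (-not $match) {
            'NOT in Personal store: recover from backup or re-key with rekeywiz'
        } elseif (-not $match.HasPrivateKey) {
            'certificate present but private key missing: cannot decrypt'
        } else {
            "present, expires $($match.NotAfter.ToShortDateString())"
        }
        "{0}`n    {1}  {2}" -f $file, $t, $status
    }
}
```

Run it from an ordinary (non-elevated) PowerShell session as the user who owns the files, since both the certificate store and cipher /u /n are per-user views. Any file flagged as "NOT in Personal store" is exactly the case the Microsoft guidance is warning about, and is the file you would re-encrypt with the wizard while a copy of the old certificate is still available.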