9

On Windows 8, I turned on EFS and encrypted some files/folders. During this process, it created a self-signed certificate and used that one for encryption. However, I have a specific certificate that I always use for my personal security/identification needs.

How can I tell Windows 8 "here, use THIS certificate instead to encrypt files"? The certificate I wish to use is provisioned for file encryption (among other security use cases).

From the help of the command line cipher.exe tool:

  • /U: Tries to touch all the encrypted files on local drives. This will update user's file encryption key or recovery keys to the current ones if they are changed. This option does not work with other options except /N.

  • /X: Backup EFS certificate and keys into file filename. If efsfile is provided, the current user's certificate(s) used to encrypt the file will be backed up. Otherwise, the user's current EFS certificate and keys will be backed up.

  • /REKEY: Updates the specified encrypted file(s) to use the configured EFS current key.

(emphasis mine)

So there is a notion in Windows of a "current" key.

Finally, if there is a way to also switch over previously encrypted files to the new certificate (not just files encrypted 'from now on'), that'll be a better answer.

Thanks Sid

Ian Boyd
  • 23,066
DeepSpace101
  • 8,957

3 Answers

4

Go to Control Panel -> User Accounts -> User Accounts.

In the left menu, select:

Manage your file encryption certificates

This launches a little wizard:

(screenshot: the "Encrypting File System" wizard)

that lets you view your currently installed certificates, and select which one is your current one:

(screenshot: list of installed certificates with the current one selected)

In my case, after my Windows 10 reinstall I want to use my existing, backed up, EFS key from 5 years ago:

(screenshot: selecting the backed-up certificate)

And the wizard even presents a UI to have it re-encrypt files that were encrypted with the old key:

(screenshot: the "update previously encrypted files" page of the wizard)

Ian Boyd
  • 23,066
3

First, decrypt everything. This way you don't have to worry about a mess of conflicting security certificates.

Second, log in as an administrator and perform these steps.

Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing ENTER. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Click a folder, click the Action menu, point to All Tasks, and then click Import.

Click Next, and then follow the instructions.

Note

If you click Browse to search for a certificate when using the Certificate Import Wizard, be aware that the Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate, select the certificate type you want to import in the Open dialog box.

As long as the certificate's intended purposes include Encrypting File System, you'll be able to use it.

After the new certificate is installed and you've tested it, delete the old self-signed security certificate.

Third, encrypt whatever you need encrypted.

Everett
  • 6,113
  • 1
  • 24
  • 34
0

Just ran into this because I always forget the tool's name. So for the rest to have it handy too, the Windows built-in tool to select the currently effective certificate (actually it is the private key associated with it that matters) is:

rekeywiz.exe

You can directly access it from the command prompt or the "Run" dialog of Windows.

The screens are those already shown by Ian.

Toto
  • 19,304
gkakas
  • 139
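The three answers above describe the same procedure by hand: make sure the certificate you want carries the Encrypting File System purpose and has its private key, select it as the "current" EFS key (the Control Panel wizard / rekeywiz.exe), back up the key, then push existing files over to it. The following PowerShell script is an added example, not code from the question or any of the answers, that checks each of those conditions before running the cipher.exe switches the question quotes (/x to back up, /u to re-key every encrypted file on local drives) plus /c to display which certificate a file is encrypted under. It assumes the certificate is already imported into the current user's Personal store and that Windows records the current EFS key as a SHA-1 thumbprint in the CertificateHash value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys; that registry location is an assumption on my part, so the script only reads it and falls back to telling you to select the key with the wizard if it does not match. The script name and the -Thumbprint / -DryRun parameters are mine.

```powershell
# Check-EfsCurrentKey.ps1 (added example; not part of the original page).
# Assumptions: the wanted certificate is already in Cert:\CurrentUser\My with its
# private key, and the current EFS key is recorded as a SHA-1 thumbprint in the
# CertificateHash value below (assumed registry location, read-only here).
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # certificate EFS should be using
    [switch] $DryRun                                # list encrypted files, change nothing
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()  # tolerate "AB CD .." from certmgr
$EfsEkuOid  = '1.3.6.1.4.1.311.10.3.4'                            # "Encrypting File System" EKU

# 1. The certificate must be present with a private key, and its Enhanced Key Usage
#    must include Encrypting File System, or EFS will not accept it.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate $Thumbprint in Cert:\CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; import the .pfx, not only the .cer" }

$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
if ($ekus -notcontains $EfsEkuOid) {
    throw "Certificate lacks the Encrypting File System EKU ($EfsEkuOid)"
}

# 2. Read back which key Windows currently treats as the EFS key (assumed location).
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$raw = (Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
$currentHash = if ($raw) { ($raw | ForEach-Object { $_.ToString('X2') }) -join '' } else { '<not set>' }
if ($currentHash -ne $Thumbprint) {
    Write-Warning "Current EFS key is $currentHash, not $Thumbprint."
    Write-Warning "Select it first with rekeywiz.exe (Control Panel > User Accounts > Manage your file encryption certificates), then re-run."
    return
}

# 3. Enumerate encrypted files under the profile before touching anything
#    (the Encrypted attribute is set on every EFS-protected file).
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
Write-Host "$($encrypted.Count) encrypted file(s) under $env:USERPROFILE"
if ($DryRun) { $encrypted | Select-Object -ExpandProperty FullName; return }

# 4. Back up the (now current) certificate and private key first. cipher /x prompts
#    for a password and writes <name>.PFX.
$backup = Join-Path $env:USERPROFILE "efs-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
cipher.exe /x $backup

# 5. Touch every encrypted file on local drives so it is updated to the current key.
#    This does not decrypt file contents; it re-wraps each file's key for the new
#    certificate, which only works while the old certificate's private key is still
#    available to this user.
cipher.exe /u

# 6. Spot-check a few files: /c prints the certificate thumbprint(s) that can open them.
$encrypted | Select-Object -First 3 | ForEach-Object { cipher.exe /c $_.FullName }
```

Run it once with -DryRun to see what would be touched, then without. Do not delete the old self-signed certificate (the last step in the certmgr answer) until cipher /c shows the new thumbprint on every file you care about, including copies on removable media or offline backups that cipher /u, which only walks local drives, never saw; and keep the exported .PFX somewhere other than the encrypted volume it protects.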