When multiple Encrypting File System certificates are installed, which one is used for encryption? (2024)

7

Answering to myself:

Use this command to list all encrypted files on the system:

cipher /u /n

Use this command to display certificate info for the specified file.

cipher /c <file>

By default Windows uses the EFS certificate that expires latest for encrypting files and folders. The easiest way to manage EFS certificates in Windows is to use the Manage File Encryption Certificates wizard (rekeywiz) to renew and backup certificates.

Add a comment |

4

To find:

1. which certificate was actually used on a particular file:you right click on the file to see the propertiesSelect Advanced Select Details next to the Encrypt check box

A popup appears which tell you which certificate and thumbprint was used to encrypt that particular file The thumbprint match the certificate thumbprint inside the certificate manager.

2. which Certificate is going to be used (the default encryption certificate)

Answer: There is a wizard under user accountWindows7Control Panel\All Control Panel Items\User AccountsLeft:Manage your files encryption

The wizard will let you:Select which certificate to use for ALL new encryptionExport ItREencrypt all/select disk/folders with the new certificate

Command Line for wizard (rekeywiz) thanks to http://pcsupport.about.com/od/commandlinereference/a/run-commands-windows-7.htm

cf:http://www.windows7teacher.com/user-accounts-tutorials/63/how-to-manage-your-file-encryption-certificates-in-windows-7.html

If there is more than one EFS certificate, you should back up all of them.

a) Only the current one is used for future encryption

b) But, When multiple certificate are present, you dont know which one were used in the past. So you potentially need all of them to decrypt any file. Thats why microsoft recommends to save all of them. Otherwise you can re-encypt all your files using the wizard mentionned above (which basically replace the old certificate by the current one)

• Gave both answer

  –sysarchitek

  Sep 28, 2016 at 13:05

Add a comment |

2

Only one certificate is used by default, the one with the public key registered to that user. (Verified experimentally.)

If you don't want to use a command-line utility to figure out which certificate will be used, you can use the Certificates Manager snap-in for MMC. Open the Local Machine scope (or run certlm.msc) - no administrator privileges necessary, but you will be asked to elevate if you are an admin. Navigate with the left pane to Trusted People → Certificates. You'll see a list of users on the machine who have EFS certificates. Double-clicking an entry produces the properties dialog of the user's EFS certificate.

If you had instead opened the Current User scope (certmgr.msc) and navigated to the same folder, the one used for your EFS files would be the only one with your name that does not have a key on the icon.

• It's a bit counterintuitive that the one used for EFS is the one without a key on the icon. What's the reason for that? And by the way within the Current User scope I have other certificates (with the key on the icon) which were used to encrypt data in the past, I'm no longer able to decrypt, when trying to export these certificate it says "the associated private key cannot be found", any ideas?

  –kuma

  Apr 4, 2022 at 10:25

Add a comment |