Cleaning up the Mess Left Behind by Multiple EFS Certificates

In case you have (un?)wittingly been juggling around with multiple EFS certificates like me, you may feel a strong urge to clean up the mess. Which mess? It can happen quite easily that different files are encrypted with different keys. In addition to that, directories that are marked for encryption have EFS certificates associated with them, and there is no UI to manipulate that. In order to straighten this out, once the proper certificate is in place each file and directory needs to be “touched” in order to update their encryption keys.

Command Line to the Rescue

Here are a few simple commands that help with the process of getting back to only one certificate per machine and user. They rely on the command line tool cipher.exe that has been part of the OS since the days of Windows 2000.

Show the fingerprint of the currently used certificate:

cipher /y

Show encryption information for all files and folders in the current directory:

cipher /c /h

Re-key all folders, i.e. replace the certificate to be used for files created in each folder with the current certificate. Log to the file rekey_log.txt in the current folder.

for /f "usebackq delims=" %i in (`dir /ad /b /s`) do @cipher /rekey "%i" 1>>rekey_log.txt 2>>&1

Access all encrypted files on all local drives in order to update each file’s certificate with the current certificate. Log to the file cipher_u_log.txt in the current folder.

cipher /u 1>>cipher_u_log.txt 2>>&1

, , , ,

3 Responses to Cleaning up the Mess Left Behind by Multiple EFS Certificates

  1. Moi Meme November 13, 2009 at 07:08 #

    This is very valuable information.

    It would be even better if

    (1) there were a cript that checks not only the current directory but the whole drive (or alternatively subdirectories) and

    (2) the information could be printed or logged.

  2. Moi Meme November 13, 2009 at 07:50 #

    Two other observations questions:

    (1) My certificate is listed in three places: Under Personal\Certificates, under Trusted People\Certificates and under Other People\Certificates? Is this normal or does it need to be cleaned up?

    (2) Under Trusted People Certificates, there is a second certificate with my name on it that does not have a private key associated with it. Its status is “R”. What is this?

  3. Francois TURI July 26, 2016 at 19:17 #

    Answer: There is a wizard under user account
    Windows7
    Control Panel\All Control Panel Items\User Accounts
    Left:Manage your files encryption

    The wizard will let you:
    Select which certificate to use
    Export It
    REencrypt all/select disk/folders with the new certificate

    Command Line for wizard (rekeywiz) thanks to http://pcsupport.about.com/od/commandlinereference/a/run-commands-windows-7.htm

    cf:http://www.windows7teacher.com/user-accounts-tutorials/63/how-to-manage-your-file-encryption-certificates-in-windows-7.html
    cf:http://superuser.com/questions/957541/when-multiple-encrypting-file-system-certificates-are-installed-which-one-is-us/1105378#1105378

Leave a Reply