Cleaning up the Mess Left Behind by Multiple EFS Certificates
In case you have (un?)wittingly been juggling around with multiple EFS certificates like me, you may feel a strong urge to clean up the mess. Which mess? It can happen quite easily that different files are encrypted with different keys. In addition to that, directories that are marked for encryption have EFS certificates associated with them, and there is no UI to manipulate that. In order to straighten this out, once the proper certificate is in place each file and directory needs to be “touched” in order to update their encryption keys.
Command Line to the Rescue
Here are a few simple commands that help with the process of getting back to only one certificate per machine and user. They rely on the command line tool cipher.exe that has been part of the OS since the days of Windows 2000.
Show the fingerprint of the currently used certificate:
cipher /y
Show encryption information for all files and folders in the current directory:
cipher /c /h
Re-key all folders, i.e. replace the certificate to be used for files created in each folder with the current certificate. Log to the file rekey_log.txt in the current folder.
for /f "usebackq delims=" %i in (`dir /ad /b /s`) do @cipher /rekey "%i" 1>>rekey_log.txt 2>>&1
Access all encrypted files on all local drives in order to update each file’s certificate with the current certificate. Log to the file cipher_u_log.txt in the current folder.
cipher /u 1>>cipher_u_log.txt 2>>&1
3 Comments
This is very valuable information.
It would be even better if
(1) there were a cript that checks not only the current directory but the whole drive (or alternatively subdirectories) and
(2) the information could be printed or logged.
Two other observations questions:
(1) My certificate is listed in three places: Under Personal\Certificates, under Trusted People\Certificates and under Other People\Certificates? Is this normal or does it need to be cleaned up?
(2) Under Trusted People Certificates, there is a second certificate with my name on it that does not have a private key associated with it. Its status is “R”. What is this?
Answer: There is a wizard under user account
Windows7
Control Panel\All Control Panel Items\User Accounts
Left:Manage your files encryption
The wizard will let you:
Select which certificate to use
Export It
REencrypt all/select disk/folders with the new certificate
Command Line for wizard (rekeywiz) thanks to http://pcsupport.about.com/od/commandlinereference/a/run-commands-windows-7.htm
cf:http://www.windows7teacher.com/user-accounts-tutorials/63/how-to-manage-your-file-encryption-certificates-in-windows-7.html
cf:http://superuser.com/questions/957541/when-multiple-encrypting-file-system-certificates-are-installed-which-one-is-us/1105378#1105378