Cleaning up the Mess Left Behind by Multiple EFS Certificates

Tips and Tools
Published May 13, 2009 Updated Oct 27, 2010

In case you have (un?)wittingly been juggling around with multiple EFS certificates like me, you may feel a strong urge to clean up the mess. Which mess? It can happen quite easily that different files are encrypted with different keys. In addition to that, directories that are marked for encryption have EFS certificates associated with them, and there is no UI to manipulate that. In order to straighten this out, once the proper certificate is in place each file and directory needs to be “touched” in order to update their encryption keys.

Command Line to the Rescue

Here are a few simple commands that help with the process of getting back to only one certificate per machine and user. They rely on the command line tool cipher.exe that has been part of the OS since the days of Windows 2000.

Show the fingerprint of the currently used certificate:

cipher /y

Show encryption information for all files and folders in the current directory:

cipher /c /h

Re-key all folders, i.e. replace the certificate to be used for files created in each folder with the current certificate. Log to the file rekey_log.txt in the current folder.

for /f "usebackq delims=" %i in (`dir /ad /b /s`) do @cipher /rekey "%i" 1>>rekey_log.txt 2>>&1

Access all encrypted files on all local drives in order to update each file’s certificate with the current certificate. Log to the file cipher_u_log.txt in the current folder.

cipher /u 1>>cipher_u_log.txt 2>>&1

Certificate Cipher.exe EFS Encryption Security

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users

This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.

End-to-End-Encrypted Team Communication & Collaboration Tools

End-to-End-Encrypted Team Communication & Collaboration Tools

This post is a collection of my notes about my search for secure collaboration and communication tools for smaller organizations, specifically vast limits. I will update it from time to time.

Automatic HTTPS Certificates for Services on Internal Home Network

Automatic HTTPS Certificates for Services on Internal Home Network

This article explains how to set up automatic HTTPS certificates via Let’s Encrypt for services on your internal home network without opening a port on your firewall. It’s part of my series on home automation, networking & self-hosting that shows how to install, configure, and run a home server with (dockerized or virtualized) services such as Home Assistant and ownCloud.

Home Automation, Networking & Self-Hosting

New Articles, Tools, Tips and Tricks: Windows (7 and 2008 R2), PowerShell and Citrix

New Articles, Tools, Tips and Tricks: Windows (7 and 2008 R2), PowerShell and Citrix

Windows General Good info for troubleshooting DFS-Namespaces in the MS KB: Storage locations, inconsistencies and how to deal with them. Complex passwords and security guidelines for end users? No, thank you, says MS researcher. I agree.

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.