Re: EFS certificate requirements



Change the hash in registry
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\EFS\CurrentKeys\CertificateHash
to the hash of the certificate you want to use.

I think (but I'm not sure) that if multiple certificates with the EFS EKU exist and the registry key is not set up, the first one enumerated is used.

As for the requirements, it is not possible to use strong private key protection and the certificates cannot be stored on smart cards or usb tokens.

Regards

Martin

Mitch Gallant wrote:
Some questions on EFS:

(1) Is it possible to force use of a specific EFS CU certificate?
I know cipher /k creates a new EFS cert/keypair for the current user and uses that one from that point onwards,
but I want to create one with specific characteristics (for testing).

(2) I think that EFS will only recognize/use client certs that have the EKU:
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Are there any other requirements for the EFS certs (not the recovery one .. )

- Mitch
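The following PowerShell script is an added example, not code from either poster: it lists the current user's certificates that carry the EFS EKU (1.3.6.1.4.1.311.10.3.4) and reports which one the `CertificateHash` value selects, so a defender can confirm which key EFS will actually use before relying on it. It assumes the standard key path with the space in `Windows NT` (the post above omits the space) and that the value, when present, holds the certificate's SHA-1 thumbprint as 20 REG_BINARY bytes.

```powershell
# Added example (not from the original posts). Reports which EFS certificate the
# CurrentKeys\CertificateHash value points at and whether it is usable.
# Assumption: the value is REG_BINARY holding the SHA-1 thumbprint bytes.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'
$EfsKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-EfsCandidateCertificate {
    # Personal-store certificates with a private key and the EFS EKU extension
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
        )
    }
}

function Get-EfsSelectedThumbprint {
    # Returns the configured thumbprint as an uppercase hex string, or $null if unset
    $bytes = (Get-ItemProperty -Path $EfsKey -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if (-not $bytes) { return $null }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

$candidates = @(Get-EfsCandidateCertificate)
Write-Host "Certificates with the EFS EKU and a private key in Cert:\CurrentUser\My:"
foreach ($c in $candidates) {
    Write-Host ('  {0}  {1}  expires {2:yyyy-MM-dd}' -f $c.Thumbprint, $c.Subject, $c.NotAfter)
}

$selected = Get-EfsSelectedThumbprint
if (-not $selected) {
    Write-Host 'CertificateHash is not set: EFS will choose a certificate on first use.'
} elseif ($match = $candidates | Where-Object { $_.Thumbprint -eq $selected }) {
    Write-Host "CertificateHash $selected selects: $($match.Subject)"
} else {
    # The configured hash points at nothing usable (deleted cert, key on a smart card,
    # missing EFS EKU): encryption will fail or EFS will generate a new key.
    Write-Warning "CertificateHash $selected matches no usable EFS certificate."
}
```

Run it in the context of the user whose EFS settings are being checked, since both the registry value and the certificate store are per-user.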

