Re: Which EFS certificate used?



Thanks again, Martin!

Marvin

"Martin Rublik" <martin.rublik@xxxxxxxxxx> wrote in message news:OL1UgsMXIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
The certificate for encryption is chosen (or generated) at the time the user encrypts data for the first time.

Afterwards (if it is time valid) you can change it only by modifying the registry. If you want to change the certificate just set the hash in the registry to the desired one (from your certificate store).

More info on the format of the hash and the key can be found in this discussion http://tinyurl.com/2u8au3

As for the choice of the user there is only the registry editor or EFS Certificate Configuration Updater http://www.codeplex.com/EFSCertUpdater (I have never tried it by myself). I hope this helps. Feel free to ask if you have more questions, and feel free to correct any of my statements if they're wrong :).

Regards

Martin
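As an added illustration of the two points Martin makes (the hash stored under EFS\CurrentKeys identifies the certificate in use, and other EFS-capable certificates in the user store are simply not consulted), the following PowerShell script is not from this thread or from any Microsoft tool. It assumes the value under CurrentKeys is named CertificateHash and holds the chosen certificate's SHA-1 thumbprint as binary data (on some Windows versions the blob is longer than the bare 20-byte thumbprint, so a substring match is used), and it assumes the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4. It only reads the registry and the certificate store; it changes nothing.

```powershell
# Added example (not from the thread): show which certificate EFS is currently
# using for this user and list every other certificate in the personal store
# that also carries the EFS enhanced key usage.
# Assumption: the value is named CertificateHash (REG_BINARY) and contains the
# SHA-1 thumbprint of the selected certificate.

$efsEku  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

# Read the stored hash and render it as uppercase hex, the same form that
# certmgr.msc displays as the certificate thumbprint.
$storedHex = $null
if (Test-Path $keyPath) {
    $bytes = (Get-ItemProperty -Path $keyPath -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if ($bytes) {
        $storedHex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

if ($storedHex) {
    "EFS\CurrentKeys\CertificateHash = $storedHex"
} else {
    'No CertificateHash value present: EFS has not encrypted anything for this user yet.'
}

# Walk the user's personal store and keep every certificate whose EKU
# extension includes the EFS OID; these are the ones EFS could have chosen.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEku })
}

# Report each candidate, marking the one whose thumbprint matches the registry.
foreach ($cert in $candidates) {
    $inUse = $storedHex -and $storedHex.Contains($cert.Thumbprint)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        HasPrivKey = $cert.HasPrivateKey
        NotAfter   = $cert.NotAfter
        EKUs       = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        InUseByEFS = [bool]$inUse
    }
}
```

Run it in the user's own session (the key lives under HKEY_CURRENT_USER, so another account's value is not visible). A candidate with HasPrivKey set to False, or with NotAfter in the past, explains why a certificate that looks EFS-capable cannot be the one EFS relies on, and a thumbprint in the registry that matches no candidate at all is the situation in which the user's existing files can no longer be opened.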

Marv Sun wrote:
Thanks Martin.

In the registry HKCU\....\EFS\Currentkeys, it did show the Certificate's thumbprint that EFS used to encrypt my files. The thumbprint in this case is my "Administrator" certificate that has multiple EKUs, including EFS, SMIME etc.

But my question is why this particular certificate is selected by the OS to do EFS? In my user certificate store, I have two more certificates that both contain an EKU for EFS; why are they not used? Does the user have a choice to select which certificate to do EFS?

Thanks again for sharing.

Marvin

"Martin Rublik" <martin.rublik@xxxxxxxxxx> wrote in message news:OclL7AAXIHA.5980@xxxxxxxxxxxxxxxxxxxxxxx
Take a look at this article: http://technet2.microsoft.com/windowsserver/en/library/04122595-5d30-4b19-945a-b6e4bb33bd6f1033.mspx?mfr=true You are looking for the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys that contains the certificate hash that is used for encryption.

Hope this helps

Martin



Marv Sun wrote:
Folks,

If my workstation (running XP) has multiple certificates that are qualified for EFS encryption, which one will be selected when a file is enabled for EFS? It seems there is no choice for the user to select one manually.

Thanks in advance for your kind feedback.

Marvin



