On Windows 8, I turned on EFS and encrypted some files/folders. During this process, it created a self-signed certificate and used that one for encryption. However, I have a specific certificate that I always use for my personal security/identification needs.
How can I tell Windows 8 "here, use THIS certificate instead to encrypt files"? The certificate I wish to use is provisioned for file encryption (among other security use cases).
From the help of the command line cipher.exe tool:
/U: Tries to touch all the encrypted files on local drives. This will update user's file encryption key or recovery keys to the current ones if they are changed. This option does not work with other options except /N.
/X: Backup EFS certificate and keys into file filename. If efsfile is provided, the current user's certificate(s) used to encrypt the file will be backed up. Otherwise, the user's current EFS certificate and keys will be backed up.
/REKEY: Updates the specified encrypted file(s) to use the configured EFS current key.
(emphasis mine)
So there is a notion in Windows of a "current" key.
Finally, if there is a way to also switch over previously encrypted files to the new certificate (not just files encrypted 'from now on'), that'll be a better answer.
Thanks
Sid
Best Answer
First, decrypt everything. This way you don't have to worry about a mess of conflicting security certificates.
Second, log in as an administrator and perform these steps.
As long as the certificate's intended purposes include Encrypting File System, you'll be able to use it.
After the new certificate is installed and you've tested it, delete the old self-signed security certificate.
Third, encrypt whatever you need encrypted.
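An added example, not part of the answer above: a PowerShell check of which certificates in the current user's Personal store meet the condition the answer names (intended purposes include Encrypting File System), followed by a read-only listing of encrypted files with cipher /U /N. The function name Get-EfsCandidateCertificate is hypothetical; it assumes PowerShell 3.0 or later, run as the user who owns the files.

```powershell
# Added example. Get-EfsCandidateCertificate is a hypothetical helper name.
# OID of the "Encrypting File System" enhanced key usage.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCandidateCertificate {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs, if the certificate carries an EKU extension.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            # The certificate EFS generated on first use is self-signed.
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            EfsEku        = ($oids -contains $EfsOid)
            # EFS needs the private key to decrypt, not only the public certificate.
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        }
    }
}

# A usable replacement should show EfsEku, HasPrivateKey and InValidity all True.
Get-EfsCandidateCertificate | Format-Table -AutoSize

# Per cipher's help, /N combined with /U prevents keys from being updated,
# so this only finds and lists the encrypted files on local drives.
cipher.exe /U /N
```

Comparing the Thumbprint column before and after the switch shows whether the old self-signed certificate is still present in the store.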