A few days ago I explained how Windows XP, Windows 7 and Windows 8 users could easily encrypt files and folders using the built-in windows encryption files service called EFS.
Although everything is simple and automatic when using EFS, there is a chance you could lose access to your encrypted data if the EFS certificates become corrupted or you change your password using Admin tools vs. the standard password change tool. To protect yourself from this, today I’ll explain how to backup your EFS Private Key Certificates.
Note: Although the screenshots below are taken from my Windows 8 desktop, the process is exactly the same from a Windows 7 desktop.
How to Backup your EFS Private Key Certificate
Open Internet Explorer and Click the Tools icon (ALT+X) on the Internet Explorer toolbar and click Internet Options.
Click the Content tab.
Click the Certificates.
Click the EFS Certificate you want to backup / export and click Export.
The Certificate Export Wizard will open. Click Next.
Select the Radio Button to export your private key and click Next.
Leave the next screen with defaults. Click Next.
Type a Secure password or passphrase you won’t forget… and click Next.
Note: This password will be needed to later import the EFS Private key. This password is not recoverable so don’t lose it.
Type a name for the Certificate and Click Next.
Note: When I backup my EFS private keys, I name the Cert based on the machine and store the certificate in my Dropbox folder to back it up in the event of a hard drive crash. You can never be to safe with encryption keys…
Click Finish to complete the backup.
As I’ve said dozens of times, security is all about layers. The more layers you implement, the more secure your environment will be. With this in mind, encryption is just 1 layer you should implement on your PC. For a more complete guide on good computer security, be sure to read my 10 Step Security Guide.
1 Comment
Leave a Reply
Leave a Reply
Maryfrances Porter
August 12, 2015 at 7:19 pm
I just encrypted a folder (I think) using Windows 10 Pro. When I was doing the encryption (through Properties for the folder), I got a little balloon in the bottom right corner of my screen asking me to back up the certificate. I started to, but then figured I should wait until all the files in the folder had been processed (clearly, I’m not sure how the certificate works). Anyway, I canceled the process.
Once all the files in the encrypted folder had been processed, I figured out how to get back into Explorer (through Edge) and went to Internet Options/Content/Certificates. There wasn’t one that expired several years later than today, so I went ahead and backed up the one that was dated most like today. However, as you can imagine, I’m suspicious that I have not really backed up the right certificate, and now I’m a little concerned. I have three certificates in there – two are clearly labeled as for the University I work with. The third is named my university computing ID. So, I think all of them are University certificates and not the one I thought I created.
I’m afraid to try to encrypt the folder again – and afraid that if I ever need to reboot my machine, I’m stuck!
Any thoughts or wisdom?
Thank you!