How to Backup your EFS Private Key Certificate

A few days ago I explained how Windows XP, Windows 7 and Windows 8 users could easily encrypt files and folders using the built-in Windows Encrypting File System (EFS).

Although everything is simple and automatic when using EFS, you can lose access to your encrypted data if the EFS certificates become corrupted or if your password is changed using Admin tools rather than the standard password change tool. To protect yourself from this, today I’ll explain how to back up your EFS Private Key Certificates.

Note: Although the screenshots below are taken from my Windows 8 desktop, the process is exactly the same from a Windows 7 desktop.

How to Backup your EFS Private Key Certificate

Open Internet Explorer, click the Tools icon (ALT+X) on the Internet Explorer toolbar, then click Internet Options.

Click the Content tab.


Click the Certificates button.


Click the EFS Certificate you want to back up / export and click Export.


The Certificate Export Wizard will open. Click Next.


Select the radio button to export your private key and click Next.


Leave the next screen with defaults. Click Next.


Type a secure password or passphrase you won’t forget and click Next.

Note: This password will be needed later to import the EFS private key. It is not recoverable, so don’t lose it.


Type a name for the Certificate and click Next.

Note: When I back up my EFS private keys, I name the Cert based on the machine and store the certificate in my Dropbox folder to back it up in the event of a hard drive crash. You can never be too safe with encryption keys…


Click Finish to complete the backup.
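
The same backup can be scripted. The following PowerShell is an added example, not part of the original article: it finds the certificates in the current user's Personal store that carry the Encrypting File System usage and have a private key, then exports each one to a password-protected PFX. It assumes Windows 8 or later (for `Export-PfxCertificate`); the `EFS-Backup` output folder and the file-name pattern are hypothetical.

```powershell
# Added example (not from the original article).
# Assumes Windows 8 or later, where the PKI module provides Export-PfxCertificate.

# Object identifier of the "Encrypting File System" enhanced key usage.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'

# Only certificates that have a private key AND list the EFS usage are worth
# backing up; other certificates in the store cannot decrypt EFS files.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
}

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found for this user.'
    return
}

# Show what was found so the right certificate can be identified.
$efsCerts | Format-List Subject, Thumbprint, NotBefore, NotAfter

# Prompt for the PFX password without echoing it or storing it in the script.
$password = Read-Host -AsSecureString 'Password to protect the exported key'

# Hypothetical destination folder; change to suit.
$outDir = Join-Path $env:USERPROFILE 'EFS-Backup'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    # Name the file after the machine and the certificate thumbprint.
    $file = Join-Path $outDir ('{0}-EFS-{1}.pfx' -f $env:COMPUTERNAME, $cert.Thumbprint)
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file `
            -Password $password -ErrorAction Stop | Out-Null
        Write-Host "Exported $file"
    }
    catch {
        # Typical cause: the private key is marked as not exportable.
        Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
    }
}
```

The thumbprints listed can be compared with the output of `cipher /c <file>` for an encrypted file to confirm which certificate protects it. The exported PFX is protected only by the password chosen, so its strength matters wherever the file is stored.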


As I’ve said dozens of times, security is all about layers. The more layers you implement, the more secure your environment will be. With this in mind, encryption is just one layer you should implement on your PC. For a more complete guide on good computer security, be sure to read my 10 Step Security Guide.

1 Comment

  1. Maryfrances Porter

    August 12, 2015 at 7:19 pm

    I just encrypted a folder (I think) using Windows 10 Pro. When I was doing the encryption (through Properties for the folder), I got a little balloon in the bottom right corner of my screen asking me to back up the certificate. I started to, but then figured I should wait until all the files in the folder had been processed (clearly, I’m not sure how the certificate works). Anyway, I canceled the process.

    Once all the files in the encrypted folder had been processed, I figured out how to get back into Explorer (through Edge) and went to Internet Options/Content/Certificates. There wasn’t one that expired several years later than today, so I went ahead and backed up the one that was dated most like today. However, as you can imagine, I’m suspicious that I have not really backed up the right certificate, and now I’m a little concerned. I have three certificates in there – two are clearly labeled as for the University I work with. The third is named my university computing ID. So, I think all of them are University certificates and not the one I thought I created.

    I’m afraid to try to encrypt the folder again – and afraid that if I ever need to reboot my machine, I’m stuck!

    Any thoughts or wisdom?

    Thank you!
