Cleaning up the Mess Left Behind by Multiple EFS Certificates
|
by Helge Klein on 05/13/2009 | 2 Comments | 3,022 Views
|
In case you have (un?)wittingly been juggling around with multiple EFS certificates like me, you may feel a strong urge to clean up the mess. Which mess? It can happen quite easily that different files are encrypted with different keys. In addition to that, directories that are marked for encryption have EFS certificates associated with them, and there is no UI to manipulate that. In order to straighten this out, once the proper certificate is in place each file and directory needs to be "touched" in order to update their encryption keys.
Command Line to the Rescue
Here are a few simple commands that help with the process of getting back to only one certificate per machine and user. They rely on the command line tool cipher.exe that has been part of the OS since the days of Windows 2000.
Show the fingerprint of the currently used certificate:
cipher /y
Show encryption information for all files and folders in the current directory:
cipher /c /h
Re-key all folders, i.e. replace the certificate to be used for files created in each folder with the current certificate. Log to the file
rekey_log.txt in the current folder.
for /f "usebackq delims=" %i in (`dir /ad /b /s`) do @cipher
/rekey "%i" 1>>rekey_log.txt 2>>&1
Access all encrypted files on all local drives in order to update each file's certificate with the current certificate. Log to the file
cipher_u_log.txt in the current folder.
cipher /u 1>>cipher_u_log.txt 2>>&1
- ‹ previous
- 73 of 156
- next ›
+++ Your opportunity +++ Use Profile Migrator 2, the new sepago product that makes migrating user personalities between different platforms a breeze.! Download your free version now!
2 responses for "Cleaning up the Mess Left Behind by Multiple EFS Certificates" |
Recent Articles
About the author
  |
Helge Klein IT-Architect Blogs about Windows, Terminal Services and other things |
Most viewed
| 155,212 Views |
Where is the Hosts File on Windows x64? |
| 83,076 Views |
Deleting a Local User Profile - Not as easy as one Might Assume |
| 53,092 Views |
Printer Driver Isolation in Windows 7 and Server 2008 R2 |
This is very valuable
This is very valuable information.
It would be even better if
(1) there were a cript that checks not only the current directory but the whole drive (or alternatively subdirectories) and
(2) the information could be printed or logged.
Two other observations
Two other observations questions:
(1) My certificate is listed in three places: Under Personal\Certificates, under Trusted People\Certificates and under Other People\Certificates? Is this normal or does it need to be cleaned up?
(2) Under Trusted People Certificates, there is a second certificate with my name on it that does not have a private key associated with it. Its status is "R". What is this?