Archive for the ‘Certificates’ Category

Backup EFS certificate

How do you back up EFS certificates?

I personally use this method from the command line:

cipher.exe /x

Simple, eh? 🙂

And a warning: store this backup certificate in a safe (also physically safe) place!

 

Categories: Certificates, EFS

Configure 3DES Encryption for EFS

EFS (Encrypted File System) is a built-in feature in Windows 2000, XP and 2003 that allows users to securely encrypt files and folders. You can change the encryption algorithm if needed.

By default, EFS uses the DESX algorithm for encryption in Windows 2000 and Windows XP. In Windows XP SP1 and Windows Server 2003, the default encryption algorithm is Advanced Encryption Standard (AES) with a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled in Windows XP and Windows Server 2003. This can be done via GPO or the registry.

When 3DES is enabled using Group Policy, both IPSec and EFS will use the 3DES algorithm. If you change this in the registry, the change will apply only to EFS. Find the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

Create a new REG_DWORD value named AlgorithmID and set its hex value to 0x6603. After a reboot, the computer will use 3DES instead of DESX or AES. The recommended and most secure algorithm in this case is AES. Stay away from 3DES and DESX. :P
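To check which algorithm the registry override selects on a machine, here is an added example (not from the original post) that reads AlgorithmID from the key above and maps it to its CryptoAPI ALG_ID name. The function name Get-EfsAlgorithmStatus and the verdict labels are assumptions of this example; 0x6604 (DESX) and 0x6610 (AES-256) are the standard CryptoAPI constants and are not values given in the post.

```powershell
# Added example: audit the EFS AlgorithmID override described in the post.
# Key path and the 0x6603 value come from the post; the other two ALG_ID
# values are the standard CryptoAPI constants (wincrypt.h).
$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

$AlgNames = @{
    '0x6603' = 'CALG_3DES'
    '0x6604' = 'CALG_DESX'
    '0x6610' = 'CALG_AES_256'
}

# Hypothetical helper name; returns one object describing the override.
function Get-EfsAlgorithmStatus {
    param([string]$Path = $EfsKey)

    # A missing key or value means no override is configured, so the
    # operating system default for that Windows version applies.
    $value = $null
    if (Test-Path -LiteralPath $Path) {
        $prop  = Get-ItemProperty -LiteralPath $Path -Name AlgorithmID -ErrorAction SilentlyContinue
        $value = $prop.AlgorithmID
    }

    if ($null -eq $value) {
        return [pscustomobject]@{
            AlgorithmID = $null
            Name        = 'not set'
            Verdict     = 'DEFAULT'   # OS default algorithm is in use
        }
    }

    # Compare on the hex string so signed/unsigned DWORD types do not matter.
    $hex  = '0x{0:X4}' -f $value
    $name = if ($AlgNames.ContainsKey($hex)) { $AlgNames[$hex] } else { 'unknown' }

    # Verdict follows the post's recommendation: AES is preferred,
    # 3DES and DESX are flagged, anything else needs a manual look.
    $verdict = switch ($name) {
        'CALG_AES_256' { 'OK' }
        'CALG_3DES'    { 'WEAK' }
        'CALG_DESX'    { 'WEAK' }
        default        { 'UNKNOWN' }
    }

    [pscustomobject]@{ AlgorithmID = $hex; Name = $name; Verdict = $verdict }
}

Get-EfsAlgorithmStatus | Format-List
```

A DEFAULT result still needs to be read against the Windows version, since the post notes that the default is DESX on Windows 2000 and Windows XP and AES on Windows XP SP1 and Windows Server 2003.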

Categories: Certificates, EFS