When multiple Encrypting File System certificates are installed, which one is used for encryption?

Answering to myself:

Use this command to list all encrypted files on the system:

cipher /u /n

Use this command to display certificate info for the specified file.

cipher /c <file>

By default Windows uses the EFS certificate that expires latest for encrypting files and folders. The easiest way to manage EFS certificates in Windows is to use the Manage File Encryption Certificates wizard (rekeywiz) to renew and back up certificates.


To find:

  1. which certificate was actually used on a particular file: right-click on the file to see the properties, select Advanced, then select Details next to the Encrypt check box.

A popup appears which tells you which certificate and thumbprint were used to encrypt that particular file. The thumbprint matches the certificate thumbprint inside the certificate manager.

  2. which certificate is going to be used (the default encryption certificate)

Answer: There is a wizard under User Accounts in Windows 7: Control Panel\All Control Panel Items\User Accounts, left pane: Manage your file encryption certificates.

The wizard will let you: select which certificate to use for ALL new encryption, export it, and re-encrypt all/selected disks/folders with the new certificate.

Command line for the wizard (rekeywiz), thanks to http://pcsupport.about.com/od/commandlinereference/a/run-commands-windows-7.htm

cf: http://www.windows7teacher.com/user-accounts-tutorials/63/how-to-manage-your-file-encryption-certificates-in-windows-7.html

If there is more than one EFS certificate, you should back up all of them.

a) Only the current one is used for future encryption

b) But when multiple certificates are present, you don't know which ones were used in the past. So you potentially need all of them to decrypt any file. That's why Microsoft recommends saving all of them. Otherwise you can re-encrypt all your files using the wizard mentioned above (which basically replaces the old certificate with the current one).
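Added example, not part of the answer above: a PowerShell script that combines the two checks described (the thumbprint `cipher /c` reports for a file, and the EFS-capable certificates in the user's personal store) so you can see at a glance which store certificate a given file depends on and whether its private key is still present. The `cipher /c` output format it parses, the EFS Enhanced Key Usage OID filter, and the file path are assumptions, not taken from the answer.

```powershell
# Added example (not from the original answer): cross-check the thumbprint
# reported by "cipher /c" for one encrypted file against the EFS-capable
# certificates in the current user's personal store.
# Assumptions: cipher /c prints lines of the form
#   "Certificate thumbprint: XXXX XXXX ..." (hex with embedded spaces),
# and $File below is a placeholder path you replace.

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"
$File   = 'C:\Users\<you>\Documents\secret.txt'   # placeholder path

# 1. Thumbprints that cipher reports as able to decrypt this file
#    (normalized to uppercase hex with no spaces, like Cert: provider objects).
$reported = & cipher.exe /c $File | ForEach-Object {
    if ($_ -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)$') {
        ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
} | Sort-Object -Unique

# 2. EFS-capable certificates in the personal store, latest expiry first
#    (the answer states the latest-expiring one is the default for new files).
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid } |
    Sort-Object NotAfter -Descending

# 3. Report which store certificate the file references and whether the
#    private key needed to decrypt it is still held by this user.
foreach ($cert in $efsCerts) {
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        UsedForFile   = $reported -contains $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# 4. Thumbprints the file references that are absent from the store: without
#    one of these (plus its private key) the file cannot be decrypted, which is
#    the point of backing up every EFS certificate before removing any.
$missing = $reported | Where-Object { $_ -notin $efsCerts.Thumbprint }
if ($missing) { Write-Warning "Not in Cert:\CurrentUser\My: $($missing -join ', ')" }
```

Run it once per file you care about, or wrap the `cipher /c` call in a loop over the paths printed by `cipher /u /n` to audit the whole machine.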


Only one certificate is used by default, the one with the public key registered to that user. (Verified experimentally.)

If you don't want to use a command-line utility to figure out which certificate will be used, you can use the Certificates Manager snap-in for MMC. Open the Local Machine scope (or run certlm.msc) - no administrator privileges necessary, but you will be asked to elevate if you are an admin. Navigate with the left pane to Trusted People\Certificates. You'll see a list of users on the machine who have EFS certificates. Double-clicking an entry produces the properties dialog of the user's EFS certificate.

If you had instead opened the Current User scope (certmgr.msc) and navigated to the same folder, the one used for your EFS files would be the only one with your name that does not have a key on the icon.