This guide shows how to back up the EFS file encryption key and certificate to recover encrypted files without access to the user account.
In Windows 10 and 11, you can use EFS (Encrypting File System) to encrypt files and folders on the NTFS file system. One of the best things about EFS is that it ties the encryption to your user account: logging into your user account automatically decrypts the file or folder, and other users cannot access the encrypted files or folders.
Though EFS encryption is not as strong as BitLocker, it provides an extra layer of security for the selected files and folders.
If you lose access to your user account or an administrator changes your user account password, you will lose access to the EFS encrypted files. You must back up the EFS recovery key and certificate to avoid that. In fact, any time you encrypt a file or folder, it is important that you back up the recovery key. The recovery key helps you restore the encrypted files.
So, let me show you two ways to back up the EFS recovery key and certificate. Both methods achieve the same thing. Follow the one you like.
The steps below work the same in Windows 10 and 11.
Table of contents:
- Backup EFS key and certificate from notification
- Backup EFS key and certificate from Certificate Manager
Backup EFS key and certificate from notification
You will see the EFS backup notification whenever you encrypt a file or folder with EFS. You can use this notification to back up the EFS recovery key quickly. Here’s how.
- Click the “Back up your file encryption key” notification.
- Press the “Back up now” option.
- Press the “Next” button.
- Select the following options and press “Next.”
  - Personal Information Exchange – PKCS #12 (.PFX)
  - Include all certificates in the certification path
  - Enable certificate privacy
- Select the “Password” checkbox.
- Type a password of your choice twice.
- Click “Next.”
- Press the “Browse” button.
- Select a folder to save the file.
- Name the file and press “Save.”
- Press “Next.”
- Click the “Finish” button.
- Click “Ok” in the success window.
- With that, you are done backing up the file encryption recovery key.
Steps with more details:
After encrypting with EFS, you will see a notification to back up the recovery key. Click on it.
The above opens the “Export Wizard.” Click the “Back up now” button.
After that, click the “Next” button.
Now, select the following options and press the “Next” button.
- Personal Information Exchange – PKCS #12 (.PFX)
- Include all certificates in the certification path
- Enable certificate privacy
You must protect the recovery key with a password. So, select the “Password” checkbox, type the password twice in the available fields and press the “Next” button. Optionally, you can also choose the encryption method.
Now, we must select a place to store the recovery key. Click the “Browse” button.
Choose a place to save the file, name the file whatever you want, and click the “Save” button.
Press “Next.”
Review the details and press the “Finish” button.
The recovery key and certificate are backed up as a .PFX file. Click the “Ok” button to exit the wizard. You can see the EFS recovery key in the destination you chose earlier.
Backup EFS key and certificate from Certificate Manager
The Certificate Manager in Windows 10 and 11 allows you to back up the EFS file encryption certificate and recovery key. This method is helpful if you missed the EFS backup notification or wish to create an on-demand backup.
- Click “Start” on the taskbar.
- Search and open “Manage user certificates.”
- Go to the “Current user.”
- Then to the “Personal -> Certificates” folder.
- Right-click your user account.
- Choose the “All tasks -> Export” option.
- Press the “Next” button.
- Choose the “Yes, export the private key” option.
- Press “Next.”
- Select the following options and press “Next.”
  - Personal Information Exchange – PKCS #12 (.PFX)
  - Include all certificates in the certification path
  - Enable certificate privacy
- Select the “Password” checkbox.
- Type a password of your choice twice.
- Click “Next.”
- Press “Browse.”
- Select a folder to save the file.
- Give the file a name and press “Save.”
- Press “Next.”
- Press “Finish.”
- Click “Ok” in the success window.
- With that, you are done backing up the file encryption recovery key.
Steps with more details:
First, open the Certificate Manager. You can search for “Manage user certificates” in the Start menu or use the “certmgr.msc” Run command (Win + R).
After opening it, go to the “Current user -> Personal -> Certificates” folder on the left panel. Find your user account, right-click it, and choose the “All tasks -> Export” option. As the name implies, it allows exporting user account certificates.
The above action opens the “Certificate Export Wizard.” Click the “Next” button.
Choose the “Yes, export the private key” option and press the “Next” button.
Select the following options and press “Next.”
- Personal Information Exchange – PKCS #12 (.PFX)
- Include all certificates in the certification path
- Enable certificate privacy
Select the “Password” checkbox, type the password, and press “Next.”
Click the “Browse” button, navigate to a folder, name the file, and click the “Save” button. In the main window, click the “Next” button.
After reviewing the settings, click the “Finish” button. You are now finished backing up the EFS recovery key and certificate. The recovery key will be in the folder you specified earlier.
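The same export can be scripted, which helps when you want a repeatable backup that is checked right after it is written. The PowerShell below is an added example, not part of the original guide; it uses the built-in `Export-PfxCertificate` and `Get-PfxData` cmdlets, and the `$BackupDir` path is a placeholder you must change.

```powershell
# Added example: scripted equivalent of the Certificate Export Wizard steps above.
# $BackupDir is a constructed placeholder; point it at removable or offline storage,
# not at the drive that holds the encrypted files.
$BackupDir = 'E:\efs-backup'
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

# Prompt for the PFX password so it never appears in the script or shell history.
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# EFS certificates in Current User -> Personal -> Certificates that still have a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
}
if (-not $efsCerts) {
    throw 'No EFS certificate with a private key was found for this user.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $efsCerts) {
    $pfx = Join-Path $BackupDir ('efs-{0}.pfx' -f $cert.Thumbprint)

    # BuildChain matches "Include all certificates in the certification path".
    # On recent builds, -CryptoAlgorithmOption AES256_SHA256 selects the stronger
    # encryption method offered on the wizard's password page.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $Password `
        -ChainOption BuildChain | Out-Null

    # Read the file back: confirms the password opens it and the right certificate is inside.
    $data = Get-PfxData -FilePath $pfx -Password $Password
    if ($data.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw "Verification failed for $pfx"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        BackupFile = $pfx
    }
}
```

To confirm a backup covers a given file, compare the thumbprint in the output with the one `cipher /c <file>` reports for that file.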
—
That’s all. Backing up the EFS file encryption certificate and the recovery key is as simple as that.
You can now use the backed-up EFS recovery key to decrypt files and folders encrypted with EFS.
I hope you found this Windows how-to guide helpful.
If you are stuck or need some help, send an email, and I will try to help as much as possible.