--
Export / Backup / Generate Key / Update EFS certificate used on previously encrypted files
Run: rekeywiz - this brings up a GUI - use it to export (back up) the key, and THEN to re-encrypt all previously encrypted files with that key (nice GUI). Somehow you can end up with multiple EFS certificates for one login (maybe when one expires, or when the format changes to a newer encryption standard; I'm not sure).
Reference: https://superuser.com/questions/957541/when-multiple-encrypting-file-system-certificates-are-installed-which-one-is-us
AVOID: exporting the EFS key from the command line on Windows 10 (probably much earlier too) with cipher /x - it then prompts you and saves the export in the current folder (there is an option to specify a path).
See EFS Certificate in Use
Run: cipher /y - this shows the thumbprint of the EFS certificate currently in use; it should match the certificate selected in rekeywiz.
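The thumbprint check above can be automated. The following PowerShell is an added example, not part of the original notes or of any Microsoft tool: it reads the thumbprint that cipher /y reports, looks it up in the user's personal certificate store (filtering on the EFS enhanced-key-usage OID), warns when the in-use certificate is missing, expired, lacks a private key, or shares the store with other EFS certificates, and counts the EFS-encrypted files under a path so you know how much rekeywiz would have to re-encrypt. The function names, the regex used to pull the thumbprint out of the cipher /y output, and the default path are assumptions of this example.

```powershell
# Added example (not from the original notes). Audits the EFS certificate that
# cipher /y reports against Cert:\CurrentUser\My and counts encrypted files.
# Assumptions: Windows 10 or later, cipher.exe on PATH, and that cipher /y prints
# the thumbprint as 40 hex digits (possibly space-separated) somewhere in its output.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Microsoft "Encrypting File System" EKU

function Get-EfsInUseThumbprint {
    # Parse the thumbprint out of cipher /y; returns $null if none is found.
    $text = (& cipher.exe /y 2>&1 | Out-String)
    if ($text -match '(?i)(?:[0-9a-f]{4}\s*){10}') {
        $tp = ($Matches[0] -replace '\s', '').ToUpperInvariant()
        if ($tp.Length -eq 40) { return $tp }
    }
    return $null
}

function Get-EfsCertificate {
    # Every certificate in the user's personal store whose EKU includes EFS.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # Files carrying the NTFS Encrypted attribute (the same set cipher /u /n reports).
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Test-EfsCertificateState {
    param([string]$Path = $env:USERPROFILE)   # default path is an assumption
    $inUse    = Get-EfsInUseThumbprint
    $certs    = @(Get-EfsCertificate)
    $warnings = New-Object System.Collections.Generic.List[string]

    if (-not $inUse) {
        $warnings.Add('cipher /y reported no EFS certificate (nothing encrypted yet, or output format differs).')
    }
    if ($certs.Count -gt 1) {
        $warnings.Add("$($certs.Count) EFS certificates in the personal store; rekeywiz should point at $inUse.")
    }

    $current = $certs | Where-Object { $_.Thumbprint -eq $inUse }
    if ($inUse -and -not $current) {
        $warnings.Add('In-use thumbprint not found in Cert:\CurrentUser\My; keep a backed-up .pfx or files become unrecoverable.')
    }
    $expires = $null
    if ($current) {
        $expires = $current.NotAfter
        if ($expires -lt (Get-Date)) { $warnings.Add("In-use EFS certificate expired on $expires.") }
        if (-not $current.HasPrivateKey) { $warnings.Add('In-use EFS certificate has no private key in this profile.') }
    }

    $files = @(Get-EfsEncryptedFile -Path $Path)
    [pscustomobject]@{
        InUseThumbprint = $inUse
        EfsCertCount    = $certs.Count
        InUseExpires    = $expires
        EncryptedFiles  = $files.Count
        Warnings        = $warnings.ToArray()
    }
}

Test-EfsCertificateState | Format-List
```

Run it in the profile whose files are encrypted; the EKU filter matters because the personal store usually also holds non-EFS certificates (for example client-authentication ones), and a thumbprint match alone does not tell you the certificate is still valid or has its private key present.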
tags: security, efs, cipher.exe, NTFS
---
Not sure what's going on...
The stupid domain recovery agent (DRA) EFS keys expired on the network I'm on right now (again).
This KB document specifies running "cipher /r", which doesn't seem to exist as a cipher option on the Windows 2000 Server (SBS) that is the domain controller here. Fortunately, it does exist on XP. Go figure.
http://support.microsoft.com/kb/929103
We use encryption for off-site backups... updating the EFS keys is not an annual task that was planned for this backup system. Truecrypt is looking better every time I have to fiddle with this stupid EFS thing.