How to generate a stronger EFS Certificate for file encryption

Jorg Smash 1 Reputation point
2021-06-05T18:18:04.707+00:00

If I use the built-in certificate creation tool in Windows 10, for EFS certificates, I can generate certificates for my user account, but they are created with a SHA-1 hashing algorithm. I tried searching online but couldn't find anything.

Can I use the built-in windows certificate creation tool to create a self-signed certificate that uses a SHA-256 hashing algorithm? I want to use the certificate to encrypt files on my HDD.


7 answers

  1. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-06-07T02:16:24.687+00:00

    Hello @Jorg Smash ,

    Thank you for posting here.

    Based on the description "If I use the built-in certificate creation tool in Windows 10, for EFS certificates, I can generate certificates for my user account, but they are created with a SHA-1 hashing algorithm.":

    1. How did you use the built-in certificate creation tool to generate EFS certificates?

    2. What is the built-in certificate creation tool in Windows 10 you mentioned?

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Jorg Smash 1 Reputation point
    2021-06-07T15:27:10.257+00:00

    I just type "Encryption" into windows search and it brings up "Manage file encryption certificates" in Control Panel:

    [screenshot: 103083-image.png]


  3. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-06-08T08:33:02.58+00:00

    Hello @Jorg Smash ,

    Thank you for your update.

    As I understand it, your Windows 10 machine is not joined to a domain.

    You can change the registry key below on the Windows 10 machine, then regenerate a self-signed certificate to see whether the certificate uses SHA256.

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes

    [screenshot: 103353-en1.png]

    For more information, please refer to link below.
    Enable the SHA512 Hash
    https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::HASH_Enable_SHA_512

    Hope the information is helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note:

    1. Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    2. Please backup the registry first before you modify it.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  4. Jorg Smash 1 Reputation point
    2021-06-11T15:45:33.733+00:00

    I tried this. It doesn't appear to have worked unless I did something wrong:

    [screenshot: 104863-image.png]


  5. Daisy Zhou 21,046 Reputation points Microsoft Vendor
    2021-06-15T08:10:57.14+00:00

    Hello @Jorg Smash ,

    After my own test, it does not work either.

    And I cannot find a way to generate a stronger EFS certificate for file encryption on a single Windows 10 machine.

    I suggest setting up an AD domain environment and installing AD CS on a domain member server, if possible.

    Finally, issue the EFS certificate from the CA server (the CA root certificate can be set to SHA256); all certificates issued by that CA will then be SHA256.

    Hope the information is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
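The thread ends without a standalone-machine answer, so here is one as an added example (my own script, not code from the original thread or from Microsoft). It uses the built-in PKI module's `New-SelfSignedCertificate` cmdlet, which can mint a self-signed certificate carrying the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4) with a SHA-256 signature, and `cipher /u` to re-key existing encrypted files. The `CurrentKeys\CertificateHash` registry value is, to my knowledge, what the "Manage file encryption certificates" wizard writes when you pick "Use this certificate"; treat that step as an assumption and use the wizard instead if in doubt. The SCHANNEL `Hashes` key tried above governs TLS cipher-suite negotiation only and has no effect on certificate generation. The `-Provider` / `-KeySpec` pair is a conservative choice (a legacy CSP, as the wizard-generated certificates use); EFS on Windows 7 and later also accepts CNG keys if you drop those two parameters.

```powershell
# Added example, not from the original thread. Assumes Windows 10 with the built-in
# PKI module, run in the user's own (non-elevated) session.

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS, "Encrypting File System"

function Get-EfsCertificate {
    # Every certificate in the user's personal store that carries the EFS EKU,
    # with the hash used for its (self-)signature, so the sha1RSA ones stand out.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ n = 'SignatureHash'; e = { $_.SignatureAlgorithm.FriendlyName } },
            @{ n = 'KeyLength';     e = { $_.PublicKey.Key.KeySize } }
}

function New-EfsCertificate {
    param(
        [string]$Subject = "CN=$env:USERNAME",
        [int]$Years = 10
    )
    # Self-signed certificate with the EFS EKU, a 2048-bit RSA key and a SHA-256
    # signature. Exportable so it can be backed up to a .pfx before it is used.
    # Assumption: the legacy CSP below matches what the wizard produces; EFS also
    # accepts CNG keys, in which case remove -Provider and -KeySpec.
    New-SelfSignedCertificate `
        -Subject $Subject `
        -FriendlyName 'EFS (SHA-256)' `
        -Type Custom `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -HashAlgorithm SHA256 `
        -KeyUsage DataEncipherment, KeyEncipherment `
        -KeySpec KeyExchange `
        -KeyExportPolicy Exportable `
        -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
        -TextExtension @("2.5.29.37={text}$efsEku") `
        -NotAfter (Get-Date).AddYears($Years) `
        -CertStoreLocation Cert:\CurrentUser\My
}

function Set-EfsCurrentCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Point EFS at the new certificate. Assumption: this is the value the wizard's
    # "Use this certificate" writes. It is the thumbprint as raw bytes, not hex text.
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

    $hex  = $Certificate.Thumbprint
    $hash = [byte[]]::new([int]($hex.Length / 2))
    for ($i = 0; $i -lt $hash.Length; $i++) {
        $hash[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    New-ItemProperty -Path $keyPath -Name CertificateHash -Value $hash `
        -PropertyType Binary -Force | Out-Null
}

# --- usage ---
'Before:'; Get-EfsCertificate | Format-Table -AutoSize

$cert = New-EfsCertificate
if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "Expected a SHA-256 signature, got $($cert.SignatureAlgorithm.FriendlyName)"
}
Set-EfsCurrentCertificate -Certificate $cert

# Re-wrap the file encryption key of every encrypted file on local drives with the
# current certificate. "/n" only lists what would change; drop it to apply. Keep the
# old certificate (and a .pfx backup of both) until this has completed cleanly.
cipher /u /n

'After:'; Get-EfsCertificate | Format-Table -AutoSize
```

One caveat worth stating plainly: on a self-signed EFS certificate the signature hash covers only the certificate's own signature, which nothing chain-validates, so SHA-1 there does not weaken the encryption itself. What protects the files is the RSA key that wraps each file's FEK and the FEK's AES cipher; the 2048-bit key above is the part that matters, and SHA-256 mainly keeps the certificate from being flagged by tooling.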