How to generate a stronger EFS Certificate for file encryption

Jorg Smash 1 Reputation point
2021-06-05T18:18:04.707+00:00

If I use the built-in certificate creation tool in Windows 10, for EFS certificates, I can generate certificates for my user account, but they are created with a SHA-1 hashing algorithm. I tried searching online but couldn't find anything.

Can I use the built-in windows certificate creation tool to create a self-signed certificate that uses a SHA-256 hashing algorithm? I want to use the certificate to encrypt files on my HDD.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,191 questions
{count} votes

7 answers

Sort by: Most helpful
  1. Daisy Zhou 24,666 Reputation points Microsoft Vendor
    2021-06-17T02:28:51.52+00:00

    Hello @Jorg Smash ,

    Thank you for posting here.

    You can try standalone CA, since Standalone CA do not require Active Directory domain.

    Difference between Microsoft ADCS Standalone CA and Enterprise CA
    https://serverfault.com/questions/826444/difference-between-microsoft-adcs-standalone-ca-and-enterprise-ca/826624

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Hope the information is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Gyula Szegedi 0 Reputation points
    2023-03-13T02:04:04.8266667+00:00

    This article is a bit old but I might have some useful info to this.

    Your issue gave me an idea and I was playing around with certificates. Using openssl I generated much more sophisticated key pairs and I was able to use that key to encrypt folders/files. To make it more secure, I uploaded the private keys and certificates to my Yubikey 5C and whenever I had to get access to the encrypted files, the hardware key must have been inserted (and also touched in my case).

    I can put some details here if anyone is interested in it.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.