How to backup and restore an Encrypting File System (EFS) certificate on Windows

In this How-To guide you’ll learn step-by-step how to backup and restore an Encrypting File System (EFS) certificate on Windows.

This is the situation, instead of using encryption with BitLocker, you opted to use the encryption attribute feature within Windows. For a while you were able to access and modify encrypted data with no problem. One day you decided to reinstall Windows, then you tried to open a document that you have encrypted before, but now you discover that you get the Access denied dialog box — Now what, right? There is nothing you can do here, other than just delete the documents, because without the decryption key there is no way to access that encrypted data.

As you can see, if you encrypt data in your Windows’ computer, you’ll need a way to recover in case something goes wrong. To make sure that you don’t lose access to your encrypted data, you must backup the encryption certificate and key, and of course you also will need to know how to restore the certificate and key as well. This is what you are going to learn today.

Instructions

1. Use the shortcut Ctrl+R to bring the Run command, type mmc and click OK, then the Microsoft Management console will open.

2. Go to the File menu and select Add/Remove Snap-in. From the available snap-ins, select Certificates, click the Add and Finish, then OK.

3. Now, from the left pane navigate through: Certificates – Current User > Personal and select Certificates, there you’ll find the certificate that contains the information necessary for the decryption of any file or folder that you have applied encryption on.

4. Right-click the certificate, navigate through All Tasks and select Export. 

5. Once the Welcome to the Certificate Export Wizard opens, click Next.

6. In the next page: “Do you want to export the private key with the certificate?”, choose “Yes, export the private key” and click Next.

7. In the Export File Format, select “Personal Information Exchange – PKCS #12 (.PFX)” and also include the options: “Include all certificates in the certification path if possible” and “Export all extended properties” and click Next.

8. Type your current Windows user password twice and click Next.

9. Next, select the path to store and name for the certificate  — It is important that you store the certificate on a network location or some other type of external storage media –, then click Next.

10. Click Finish to complete and now you are all done! Your personal certificate and key has been backed up. Now in the case that you accidentally delete or reinstall Windows and you lose the certificate, you will be able to import/restore the certificate back to gain access once again to your encrypted data.

To restore a certificate and key, do the following:

1. Repeat steps 1 and 2 from the previous set of steps.

2. Now, from the left pane navigate through: Certificates – Current User select Personal and from the Action menu, select All Tasks and click on Import.

3. From the certificate import wizard and click Next. Browse for the certificate — if you don’t see the certificate file, select to view All Files from the Open box –, then click Next again.

4. In the Certificate Store page, select “Automatically select the certificate store based on the type of certificate”, click Next and then Finish to complete the restore.

Using the backup/restore procedures will also help you in the case you need to access the encrypted data from another computer.