If you feel the standard EFS Certificate is not good enough you can change the type and public key size…
2048Bit SHA1 (Default)
To do this go to…
Control Panel -> Administrative Tools -> Local Security Policy
And browse to
Public Key Policies -> Encrypting File System
Right click on the folder “Encrypting File System” and click Properties, which opens this windows…
Change “File Encryption using Encrypting File System (EFS)” from “Not Defined” to “Allow” and change “Elliptic Curve Cryptography” to “Allow”. If you want to create a ECC certificate this must be set to “Require”.
Now click on the Certificates tab…
You should see the above window, here you can select the public key size of both RSA and ECC certificates.
Once you have selected what you want click Apply and Ok to close the window.
To create your new certificate follow this guide making sure you update your previously encrypted files so they are encrypted with your new certificate.
Here’s how you add Encrypt and Decrypt to right-click context menus to make using EFS easier.
1. Open the Start Menu and search for regedit or
Open Start Menu -> Run -> regedit
If prompted by UAC then click yes
2. In regedit go to
i) In the right pane of Advanced right click on an empty space and click New DWORD (32Bit) and name EncryptionContextMenu and press Enter.
ii) Now in the right pane right click on EncryptionContextMenu and click Modify and enter 1 in Value Data
And close regedit.
To remove, just delete the EncryptionContextMenu DWORD (32bit) entry in the right pane.
Here’s how you set up EFS (Encrypting File System) on Windows 7 through to 10, so you can encrypt files and folders.
Control Panel -> User Accounts
In the left hand pane you will see “Manage your file encryption certificates” and click.
In the new window click next, here you can select and create EFS certificates.
Select create new, then the first option A self-signed certificate stored on my computer and next.
You will now see your certificate has been created
Current Certificate: Issued to: Your_Username
Now select a backup location, I suggest you store it on a different partition to Windows. And add a password, you will be asked for this password when you install it on a different PC or new windows install.
Click next and you will have the option to update previously encrypted files, since none are encrypted you can select “I’ll update my files later”, and you are done.
Backing up your EFS certificate later
You can always backup/export your certificate at a later date by going to
Control Panel -> Internet Options -> Content -> Certificates -> Personal
Select your EFS certificate and export, with password and private key.
To encrypt a file or folder, right click on the folder or file you want to encrypt and select properties. and advanced select encrypt contents to secure data click ok and then apply. Your folder is now encrypted, and will have a green font.
We will show you how to add Encrypt and Decrypt to File Explorer Right-Click context menu in an up-coming post.