Change EFS Public Key Policy

If you feel the standard EFS certificate is not good enough, you can change the certificate type and public key size…

RSA Options
2048Bit SHA1 (Default)
4096Bit SHA1
8192Bit SHA1
16384Bit SHA1

ECC Options
256Bit SHA256
384Bit SHA384
521Bit SHA512

To do this go to…

Control Panel -> Administrative Tools -> Local Security Policy

And browse to

Public Key Policies -> Encrypting File System

[Image: Local Security Policy]

Right click on the folder “Encrypting File System” and click Properties, which opens this window…


Change “File Encryption using Encrypting File System (EFS)” from “Not Defined” to “Allow” and change “Elliptic Curve Cryptography” to “Allow”. If you want to create an ECC certificate, this option must be set to “Require”.

Now click on the Certificates tab…


You should see the above window. Here you can select the public key size for both RSA and ECC certificates.
Once you have selected what you want, click Apply and OK to close the window.

To create your new certificate, follow this guide, making sure you update your previously encrypted files so they are encrypted with your new certificate.
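
To confirm that the new certificate matches the key type and size chosen in the policy, the following PowerShell lists the EFS certificates in the current user's store. It is an added example, not part of the original guide; it assumes the certificate carries the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4) and that the hash of the certificate in use is stored in the CurrentKeys registry value shown.

```powershell
# Added example: report key type, key size and signature hash of each EFS
# certificate for the current user, to compare against the policy settings.
$efsEku = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System EKU
$rsaOid = '1.2.840.113549.1.1.1'       # rsaEncryption public key OID

# Length in bytes of an uncompressed EC point -> curve size in bits
$eccBits = @{ 65 = 256; 97 = 384; 133 = 521 }

# Assumption: EFS records the hash of the certificate it currently uses here.
$regPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$inUse = $null
$reg = Get-ItemProperty -Path $regPath -Name CertificateHash -ErrorAction SilentlyContinue
if ($reg) {
    $inUse = ($reg.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
    ForEach-Object {
        if ($_.PublicKey.Oid.Value -eq $rsaOid) {
            # RSA: read the modulus size from the public key object
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
            $bits = $rsa.KeySize
        } else {
            # ECC: infer the curve size from the encoded point length
            $bits = $eccBits[$_.PublicKey.EncodedKeyValue.RawData.Length]
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Algorithm  = $_.PublicKey.Oid.FriendlyName
            KeyBits    = $bits
            Signature  = $_.SignatureAlgorithm.FriendlyName
            NotAfter   = $_.NotAfter
            InUse      = ($_.Thumbprint -eq $inUse)
        }
    } | Format-Table -AutoSize
```

The row marked InUse should show the algorithm and key size selected on the Certificates tab; if it still shows the old values, the new certificate has not been created or is not yet the current EFS key.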