Cleaning up the Mess Left Behind by Multiple EFS Certificates

In case you have (un?)wittingly been juggling around with multiple EFS certificates like me, you may feel a strong urge to clean up the mess. Which mess? It can happen quite easily that different files are encrypted with different keys. In addition to that, directories that are marked for encryption have EFS certificates associated with them, and there is no UI to manipulate that. In order to straighten this out, once the proper certificate is in place each file and directory needs to be "touched" in order to update their encryption keys.

Command Line to the Rescue

Here are a few simple commands that help with the process of getting back to only one certificate per machine and user. They rely on the command line tool cipher.exe that has been part of the OS since the days of Windows 2000.

Show the fingerprint of the currently used certificate:

cipher /y

Show encryption information for all files and folders in the current directory:

cipher /c /h

Re-key all folders, i.e. replace the certificate to be used for files created in each folder with the current certificate. Log to the file
rekey_log.txt in the current folder.

for /f "usebackq delims=" %i in (`dir /ad /b /s`) do @cipher
/rekey "%i" 1>>rekey_log.txt 2>>&1

Access all encrypted files on all local drives in order to update each file's certificate with the current certificate. Log to the file
cipher_u_log.txt in the current folder.

cipher /u 1>>cipher_u_log.txt 2>>&1