To encrypt a file or folder in Windows, you basically go to its Properties and check Encrypt contents to secure data. Windows will use the certificate for Encrypting File System (EFS) that is installed in the Certificates Manager (certmgr.msc) that usually goes under Personal → Certificates. So when there is only one EFS certificate available, you know which one is used to encrypt files.
In my case, I have several EFS certificates installed. I don't know which one is the original one and which ones were installed later, and more importantly, I don't know which one is actually used to encrypt a file when I check that box.
Is there any way to know exactly which certificate is used for encryption?
In Microsoft's instructions for Backing up Encrypting File System (EFS) certificate it says "If there is more than one EFS certificate, you should back up all of them." Does that mean all installed certificates will be used for encrypting files and therefore all of them will be needed for decrypting?