JorgSmash-8604 asked

How to generate a stronger EFS Certificate for file encryption

If I use the built-in certificate creation tool in Windows 10, for EFS certificates, I can generate certificates for my user account, but they are created with a SHA-1 hashing algorithm. I tried searching online but couldn't find anything.

Can I use the built-in windows certificate creation tool to create a self-signed certificate that uses a SHA-256 hashing algorithm? I want to use the certificate to encrypt files on my HDD.

windows-server

Hello @JorgSmash-8604,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @JorgSmash-8604,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


DaisyZhou-MSFT answered

Hello @JorgSmash-8604,

Thank you for posting here.

Based on the description "If I use the built-in certificate creation tool in Windows 10, for EFS certificates, I can generate certificates for my user account, but they are created with a SHA-1 hashing algorithm.":

1. How did you use the built-in certificate creation tool to generate EFS certificates?

2. What is the built-in certificate creation tool in Windows 10 you mentioned?


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

JorgSmash-8604 answered

I just type "Encryption" into Windows search and it brings up "Manage file encryption certificates" in Control Panel:

[Screenshot attached: image.png (28.2 KiB)]

DaisyZhou-MSFT answered

Hello @JorgSmash-8604,

Thank you for your update.

As I understand, your Windows 10 machine is not in the domain.

You can change the registry key below on the Windows 10 machine, then regenerate a self-signed certificate to see whether the certificate uses SHA256.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes

[Screenshot attached: en1.png (21.5 KiB)]
For more information, please refer to link below.
Enable the SHA512 Hash
https://admx.help/?Category=Schannel&Policy=Microsoft.Policies.SSLControl::HASH_Enable_SHA_512


Hope the information is helpful.

Should you have any question or concern, please feel free to let us know.


Please note:
1. Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of the information.
2. Please back up the registry before you modify it.


Best Regards,
Daisy Zhou

JorgSmash-8604 answered

I tried this. It doesn't appear to have worked unless I did something wrong:

[Screenshot attached: image.png (127.0 KiB)]

DaisyZhou-MSFT answered

Hello @JorgSmash-8604,

After my test, it does not work either.

And I cannot find how to generate a stronger EFS certificate for file encryption on one Windows 10 machine.

I suggest you set up an AD domain environment and set up AD CS on one domain member server, if possible.

Finally, issue the EFS certificate using the CA server (we can set the CA root certificate to SHA256); then all the certificates issued by the CA will be SHA256.


Hope the information is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou


Can I set up an AD CA server without owning a domain? Would I just use .local?

DaisyZhou-MSFT answered (edited)

Hello @JorgSmash-8604,

Thank you for posting here.

You can try a standalone CA, since a standalone CA does not require an Active Directory domain.

Difference between Microsoft ADCS Standalone CA and Enterprise CA
https://serverfault.com/questions/826444/difference-between-microsoft-adcs-standalone-ca-and-enterprise-ca/826624


Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

Hope the information is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

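Whichever route is taken, the first thing worth checking is what the EFS certificate in use actually has: the PowerShell below is an added example, not part of this thread, and assumes Windows PowerShell 5.1 on Windows 10. It lists every certificate in the user's personal store carrying the EFS enhanced key usage, reports its signature hash and RSA key length, and marks the one EFS is currently encrypting with by comparing against the CertificateHash value EFS keeps under HKCU\...\EFS\CurrentKeys.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 on Windows 10.
# Confirms the signature hash the asker saw (sha1RSA) from the certificate itself
# rather than from the Control Panel wizard, and shows the RSA key length beside it.

# Enhanced Key Usage OID for Encrypting File System.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

# EFS records the thumbprint of the certificate it currently encrypts with here (REG_BINARY).
$EfsCurrentKeysPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-ActiveEfsThumbprint {
    $hash = (Get-ItemProperty -Path $EfsCurrentKeysPath -Name CertificateHash `
                -ErrorAction SilentlyContinue).CertificateHash
    if (-not $hash) { return $null }
    # REG_BINARY bytes -> upper-case hex string, the same form as X509Certificate2.Thumbprint
    ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-EfsCertificateReport {
    $active = Get-ActiveEfsThumbprint
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        ForEach-Object {
            $sigAlg  = $_.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            $keyBits = $_.PublicKey.Key.KeySize             # RSA modulus length in bits
            [pscustomobject]@{
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                SignatureAlg = $sigAlg
                KeyBits      = $keyBits
                # The RSA key is what wraps each file's encryption key, so a short key is
                # the more consequential weakness; a SHA-1 or MD5 signature is flagged too.
                Weak         = ($sigAlg -match '^(sha1|md5)') -or ($keyBits -lt 2048)
                ActiveForEfs = ($_.Thumbprint -eq $active)
            }
        }
}

Get-EfsCertificateReport | Sort-Object ActiveForEfs -Descending | Format-Table -AutoSize
```

Run it in the user's own session (the store path and registry key are per-user); an empty result means no certificate with the EFS key usage exists yet for that account.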