Pin Me

Backup your Vista File Encryption Key before it’s too late

written by: Mark Muller•edited by: Bill Bunter•updated: 8/8/2011

You need to backup or export your EFS file encryption key in Windows Vista in order to recover your encrypted data should the original encryption key get lost or corrupted, or if you intend to move your encrypted data from one Vista computer to another. This article explains how.

  • slide 1 of 7

    What is a backup of your file encryption key in Windows Vista?

    In this article I will show you how to backup your file encryption key in Windows Vista. Instead of jumping directly to the ‘how’ in the next section, unless you are very comfortable with terms in relation to Public Key Infrastructure (PKI), you may want to read this introduction as it will lay the foundation for successfully backing up your file encryption key.

    Encrypting File System (EFS) in Windows Vista and previous versions of Microsoft Windows operating systems handles your encrypted files by a digital certificate and a private key.

    The EFS digital certificate is an object which binds together your identity and your public key of the private/public keypair. Such a certificate, which could also validate a service or device, is signed by Windows acting as the issuing authority, and valid till a predefined point in time; in Vista, by default, your EFS certificate is valid long enough to outlive you.

    The EFS private key is used for decryption purposes, and protected by a password. If for one reason or another the private key of your Windows Vista gets lost or corrupted there is NO WAY of recovering your encrypted data should you not have a backup of your private key. Along the same lines is it crucial that you remember its password.

    Although less optimal, it is possible to have more than one certificate and thus, private keys with identical or different passwords. Therefore, when you backup your file encryption key in Windows Vista you save a file containing at least one certificate, and, with method 1 shown below, automatically your associated password-protected private key(s).

  • slide 2 of 7


    Some organizations have deviating or advanced security and PKI strategies for file encryption key backup in place. Yet, unless told otherwise by your computer support personnel, or if you have other good reasons of your own, it is safe to follow the instructions here.

    If you find Windows Vista encrpytion difficult you may better off considering password protection by means of easier-to-use Folder Lock Password Protection & File Encryption.

    Please find how to backup your file encryption Key in Windows Vista using our depicted method 1 and method 2 on the next page along with Bright Hub's concluding remarks.

  • slide 3 of 7

    Method 1

    Upon first creation of an encrypted folder Windows Vista reminds you by a popup-balloon [1] which becomes a taskbar notification item [2] that you should back up your file encryption key. By clicking the taskbar notification item you will be given the opportunity to ‘Backup now’ [3] which starts the Certificate Export Wizard [4] - Always click ‘Next’ unless mentioned otherwise.

    In the next window [5] you should activate the checkboxes “Include all certificates in the certification path if possible” and “Export all extended properties”. Do not activate “Delete the private key if the export if successful”.

    Then type and confirm a strong password associated with your private key [6], and continue to the next screen to choose a file name [7] and the path to the location where you want to save your backup. It is best to back up your file encryption key somewhere else than on your Vista computer’s local hard disk such as on an USB stick or other removable media including CD ROM, for example.

    The next screen you see is a summary window before the export [8] which, after clicking ‘Finish’, is followed by a message confirming the successful backup of your file encryption key [9].

    This method automatically included a backup of your private key.

  • slide 4 of 7

    Depiction of Method 1 – Click to Enlarge

  • slide 5 of 7

    Method 2

    Windows Vista, for security reasons, does not automatically include a backup of your private key with this method!

    Go to Vista ‘Start Search’, type certmgr.msc and hit enter [i]. In the Microsoft Management Console navigate to Certificates – Current User -> Personal -> Certificates. In the right pane select your certificate and right-click it. Choose All Tasks -> Export [ii]. The next window already is the Certificate Export Wizard [iii] which leads over to the Export Private Key-dialog where you should change the radio button to ‘Yes, export the private key’ [iv] as your private key is a prerequisite for recovering your encrypted data should it become necessary. The remaining steps are identical with those of [5] to [9] in method 1.

  • slide 6 of 7

    Depiction of Method 2 – Click to Enlarge

  • slide 7 of 7


    It is important that you backup your file encryption key in Windows Vista. Besides, you will have to stick to the same process when transferring your encrypted data from one Vista computer to another. If you are following method 2 make sure you backup your private key, too. Last but not least: use a strong password you can always remember to protect your private key(s).


  • Author's own experience

    Screenshots by the writer