Encrypting File System (EFS) encryption is based on the key pairs associated with certificates. In most managed environments, certificates are issued by a certification authority (CA) running in the domain. Users can automatically be issued a certificate by the CA without manual intervention. The EFS certificates settings include a list of certificate templates available in the domain so that you can specify which certificate template to use for autoenrollment.


The list includes all certificate templates present in the domain. An administrator must correctly configure the CA so that the certificates can be issued. Some displayed certificates might not be accessible.

In cases where a certificate cannot be issued by a CA, EFS can use a self-signed certificate created on the local computer. You can choose to disable this functionality or specify a default key length.

EFS templates

This identifies the name of the certificate template used to request an EFS certificate from a CA. The Basic EFS template is used by default. If you have created custom EFS templates for use in your organization, click Browse to locate and assign the template for use.

Self-signed certificates

The default setting allows EFS to generate self-signed certificates when a CA is not available. Some organizations do not allow self-signed certificates to be used because of concerns about information security risks. Disabling this setting will require that a user have been granted a certificate from a trusted CA before being able to use EFS.

If you allow the use of self-signed certificates, you can specify the encryption key length used when encrypting files and folders. By default, EFS uses the 2,048-bit key size for self-signed RSA certificates and the 256-bit key for elliptical curve cryptography (ECC) certificates (such as those required for Suite B compliance). The following RSA and ECC keys are available:

  • 1,024-bit RSA

  • 2,048-bit RSA

  • 4,096-bit RSA

  • 8,192-bit RSA

  • 16,384-bit RSA

  • 256-bit ECC

  • 384-bit ECC

  • 521-bit ECC

Long key sizes increase security but might cause encryption to be slower.