To optimize performance, Encrypting File System (EFS) will cache keys used in the encryption or decryption process. You can control when these cached items are removed from memory.

Key caching

Windows optimizes the caching of user keys on a server that is being used for remote server encryption. By default, the server will cache up to 15 user key handles in memory to increase encryption performance on the server. However, the default can be changed by an administrator by editing the following registry value:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\UserCacheSize DWORD

The acceptable values are between 5 and 30 for this registry value.


Private keys are not stored in cached memory; they are only stored as a handle to the CryptoAPI key container.

Changing key caching properties

You can change the performance of key caching by selecting options on the Cache tab of the Encrypting File System Properties page in Group Policy or the local computer policy.

For example, you can configure an automatic timeout value, and specify that the cache should be cleared when the user locks the workstation. The cache is also cleared when the user logs off or the computer is restarted.