EFS and Certificate Authority
Hi
Each time you encrypt a file on a system for the first time, an EFS certificate with a public key and associated private key is issued to you. You end up with one set of EFS keys (private and public) for each system you log in to and perform encryption on...
How do I ensure that only the same set of EFS keys is used for encryption and decryption on any system I log in to within a domain? Is a CA the solution, and if yes, how?
Thanks
July 5th, 2011 4:19pm
There are 2 options:
1) implement smart cards for EFS if your systems are Windows Vista and newer.
2) implement Credential Roaming service if your systems are lower than Vista and/or you don't have smart cards.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
July 5th, 2011 4:31pm
Thanks for your quick response.
If I have a CA in the domain to issue the certificates, does it help? I mean, each time a user logs in to a system and performs encryption, does it request the same public key and private key from the CA when decrypting?
For option 1 - how does the system know to pick up the public/private keys from the smart card to encrypt/decrypt?
For option 2 - Roaming profile, I guess. This would mean that the public and private keys are stored in the AD domain controller, right?
Thanks
Anthony
July 5th, 2011 4:57pm
1) For Windows Vista and Windows 7, you can choose which key to use which allows you to designate the certs on the smart card
2) This is not Roaming Profiles, but Credential Roaming Services (huge difference). You are only roaming credential information, not the entire user profile. See this link:
http://technet.microsoft.com/en-us/library/cc700815.aspx
Brian
July 5th, 2011 5:44pm
Thanks
But I have one question - if I have a CA in the domain to issue the certificates, when a user logs in for the first time to desktopA and performs encryption, ideally the EFS mechanism will check whether the user has an EFS certificate or not. There will be two outcomes: either generate a self-signed EFS certificate (if no CA is present) or connect to the CA and get an EFS certificate for the user. In this scenario, where there is a CA in the domain, I suppose a CA-signed EFS certificate will be issued to the user.
Now, the same user logs in to another desktopB; this is also the first time this user is logging in, and the user performs encryption... here is my question - does the user get a "new EFS certificate" from the CA, or will it be issued the "same EFS certificate" that was issued to the same user earlier on when the user logged in to desktopA?
Thanks
July 15th, 2011 4:19am
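One way to answer the desktopA/desktopB question empirically is to look at what each machine actually holds. The following PowerShell is an added example for this thread, not code from any poster or from Microsoft: it lists the certificates in the current user's personal store that carry the Encrypting File System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4), flags whether each is self-signed (subject equals issuer, i.e. no CA involved) or CA-issued, and marks the one that `cipher.exe /y` reports as the active EFS certificate. Run it under the same user on both desktops and compare the thumbprints; if they differ, the keys are per-machine and a roaming mechanism (smart card or Credential Roaming) is needed. The regular expression used to pull the thumbprint out of the `cipher /y` output is an assumption about its formatting (40 hex digits in groups of four) and may need adjusting.

```powershell
# Added example, not part of the original thread.
# Lists EFS-capable certificates for the current user and shows which one
# cipher.exe considers the active EFS key on this machine.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-EfsCertificate {
    # Every cert in Cert:\CurrentUser\My whose EKU extension contains the EFS OID
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            (($_.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEkuOid)
        }
    }
}

function Get-ActiveEfsThumbprint {
    # cipher.exe /y prints the thumbprint ("thumbnail") of the EFS certificate
    # this machine will use for new encryption operations.
    # Assumption: the thumbprint appears as 40 hex digits in groups of four.
    $raw = (& cipher.exe /y 2>$null) -join ' '
    if ($raw -match '((?:[0-9A-Fa-f]{4}\s*){10})') {
        return ($Matches[1] -replace '\s', '').ToUpper()
    }
    return $null
}

$active = Get-ActiveEfsThumbprint

Get-EfsCertificate | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        Issuer        = $_.Issuer
        SelfSigned    = ($_.Subject -eq $_.Issuer)      # $true = no CA involved
        HasPrivateKey = $_.HasPrivateKey                 # needed to decrypt
        NotAfter      = $_.NotAfter
        ActiveForEfs  = ($_.Thumbprint -eq $active)
    }
} | Sort-Object ActiveForEfs -Descending | Format-Table -AutoSize

if (-not $active) {
    Write-Warning 'cipher /y did not return a thumbprint; the user may not have encrypted anything on this machine yet.'
}
```

A CA-issued certificate shows the CA's name in Issuer and SelfSigned = False; a self-signed EFS certificate shows the user's own name in both fields. Seeing two different thumbprints across two machines for the same user, each with HasPrivateKey = True, is exactly the situation the original question describes, and files encrypted on one machine will not be decryptable on the other until the private key is made available there.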
Please read the referenced article (it is obvious that you did not based on your questions)
Brian
July 15th, 2011 6:28am