# Windows – How to use backup EFS certificate to decrypt encrypted files

certificateefsencryptionwindowswindows 8.1

I have some files that were encrypted on a now extinct Windows 7 system. I made sure to backup my keys, this one is called efs.pfx. Double-clicking it launches the Certificate Import Wizard which places it in the Current User > Personal store. But now when I try to select it for decryption using the EFS Rekey Wizard (rekeywiz.exe) I get this error on the final step:

I saw this notification while it was in that store:

So I moved it to the mentioned store, where things looked better:

However I still get the same error in rekeywiz regardless of which certificate store it's in.

I can see the encrypted files in Windows Explorer, but double-clicking them opens them as empty files or throws errors:

I practiced deleting the certificate to make sure I could not read the files' contents, and importing the certificate to make sure my read access was restored. This worked well, and can't imagine that this is the wrong key (the backup is literally named efs.pfx). I don't remember having to use the Reykey Wizard when I practiced this on Windows 7. Also, I never tested this after upgrading to Windows 8 or 8.1. I think this might not be an "upgrade" but a clean install, as I remember a problem trying to transition my 8.1 Preview system (which was probably the last in a series of in-place upgrades dating back to Vista) into the final build. I don't see why this would matter, but I hope it helps cover any questions.

How can I decrypt my files?

## Update

As suggested in the comments, I tried moving files to a different location. At first I was denied access saying I needed permission from the entity in the following picture:

I looked at the Advanced Security Settings Properties tab and saw that the owner was the same entity, so I took ownership of the file and allowed myself full control.

Strangely, I get the same error when now trying to moving the file, only I require permission from myself

## Update #2

When I look at an encrypted file's properties in General > Advanced > Details > User Access, I can see which certificate is allowed to view the contents and its thumbprint:

I've verified that this is the same certificate I backed up and installed into my certificate store: