Efs protection utility, Using the efs command line utility – Lenovo ThinkVantage (Client Security Solution 8.21) User Manual

EFS protection utility

Client Security Solution provides a command line utility that enables TPM-based protection of encryption
certificates used by the Encrypting File System (EFS) to encrypt files and folders. This utility supports
transfer of third party certificates (certificates generated by a Certificate Authority) and also supports
generation of self-signed certificates.

Protection of the EFS certificate by Client Security Solution means that the private key associated with the
EFS certificate is protected by the TPM. Access to the certificate is granted after the user has authenticated
to Client Security Solution.

If no TPM is available, the EFS certificate is protected using the TPM emulator provided by Client Security
Solution. You must be enrolled with Client Security Solution to be able to have the EFS certificates protected
by Client Security Solution.

CAUTION:
If you use Client Security Solution and the Encrypting File System (EFS) to encrypt files and folders,
then anytime Client Security Solution or the Trusted Platform Module is not available, you cannot
access the encrypted files.

If the Trusted Platform Module becomes non-responsive, Client Security Solution will restore access to
encrypted data after the motherboard is replaced.

Using the EFS command line utility

The following table provides the command line parameters that are supported for EFS:

Table 9. Command line parameters supported for EFS

Parameter

Description

/generate:

Generates a self-signed cert and associates the certificate
with EFS. If is specified, the key generated will be
of the specified bit size. Valid values include 512, 1024
and 2048. If no value, or an invalid value, is specified, the
default will be the generation of 1024-bit keys.

/sn:xxxxxx

Specifies the serial number of an existing certificate to
transfer and associate with EFS.

/cn:yyyyyy

Specifies the name ("issued to") of an existing certificate
to transfer and associate with EFS.

/firstavail

Transfers the first available existing EFS certificate and
associate with EFS.

/silent

Does not display any output. Return codes provided by
the value when the program exits.

/? or /h or /help

Displays the help information.

When not run in silent mode, the utility will return one of the following errors:

0 - "Command completed successfully"
1 - "This utility requires Windows XP"
2 - "This utility requires Client Security Solution version 8.0"
3 - "The current user is not enrolled with Client Security Solution"
4 - "The specified certificate could not be found"
5 - "Unable to generate a self-signed certificate”
6 - "No EFS certificates were found"
7 - "Unable to associate the certificate with EFS”

When run in silent mode, the output of the program will be an error level corresponding to the errors
numbers shown above.

Chapter 3

.

Working with Client Security Solution

23