2.2.6 EFS RSA Self-Signed Certificate Key Length

Key: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS

Value: "RSAKeyLength" or one of the special values in [MS-GPREG] section 3.2.5.1.

Type: REG_DWORD.

Size: Equal to size of the Data field.

Data: A 32-bit multiple of 8, representing the key length, in bits. This value SHOULD be no less than 1024 and no greater than 16384.<7>

This setting specifies the key length, in bits, that EFS uses when generating an RSA self-signed certificate. Such a certificate is generated when a user with no existing EFS keys attempts to create a new encrypted file or to convert an existing plain text file to encrypted form, and EFS fails to enroll the user for a suitable certificate from a certificate authority (CA).

Implementations SHOULD<8> support this option. If this option is supported, the flag to disable self-signed certificates (defined as 0x00000004 in section 2.2.3) MUST be supported.

If the client supports this option but the option is not present, the client SHOULD use a default value of 2048.
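As an added example (not part of the specification), a small Python checker that applies the rules of this section to a raw REG_DWORD payload as it would be read from the policy key: an absent value yields the 2048 default, and data that breaks the multiple-of-8 or 1024..16384 constraints is flagged. The `efs_options` parameter, carrying the section 2.2.3 flags, and the sample payloads are assumptions for illustration.

```python
import struct
from typing import Optional

# Values taken from the specification text above.
DEFAULT_KEY_LENGTH = 2048              # used when RSAKeyLength is absent
MIN_KEY_LENGTH, MAX_KEY_LENGTH = 1024, 16384
DISABLE_SELF_SIGNED = 0x00000004       # flag defined in section 2.2.3


def decode_reg_dword(data: bytes) -> int:
    """Decode a REG_DWORD payload. Size equals the Data field, so it must be
    exactly 4 bytes, stored little-endian as in the registry."""
    if len(data) != 4:
        raise ValueError(f"REG_DWORD payload must be 4 bytes, got {len(data)}")
    return struct.unpack("<I", data)[0]


def evaluate_rsa_key_length(data: Optional[bytes], efs_options: int = 0) -> dict:
    """Apply this section's rules to the raw RSAKeyLength payload (None = absent).

    efs_options carries the section 2.2.3 flags (assumed input); when the
    disable-self-signed flag is set, RSAKeyLength can never take effect."""
    findings = []
    if data is None:
        key_length = DEFAULT_KEY_LENGTH
        findings.append("RSAKeyLength absent; client SHOULD use default 2048")
    else:
        key_length = decode_reg_dword(data)
        if key_length % 8:
            findings.append(f"{key_length} is not a multiple of 8")
        if not MIN_KEY_LENGTH <= key_length <= MAX_KEY_LENGTH:
            findings.append(f"{key_length} outside SHOULD range 1024..16384")
    self_signed_allowed = not (efs_options & DISABLE_SELF_SIGNED)
    if not self_signed_allowed:
        findings.append("self-signed certificates disabled (0x00000004); "
                        "RSAKeyLength has no effect")
    return {"key_length": key_length, "self_signed_allowed": self_signed_allowed,
            "findings": findings}


if __name__ == "__main__":
    # Constructed sample payloads, not read from any real system.
    for label, payload in [("absent", None), ("4096", struct.pack("<I", 4096)),
                           ("512", struct.pack("<I", 512)), ("1030", struct.pack("<I", 1030))]:
        print(label, evaluate_rsa_key_length(payload))
```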