Users can share encrypted files without having access to other users' public key certificates, by specifying only the other users' identity information. A client agent interacts with a trusted service account to transparently add user encryption certificates to encrypted files after it was created. A header of each encrypted file includes signed encrypted data blocks, file system metadata, and a digital signature. When a user attempting to open an encrypted file is denied access, the client agent transmits the header data and the encryption certificate of the user to the trusted service account, with a request that the user encryption certificate be added to modify the encrypting file system metadata. After the trusted service account determines tampering has not occurred enroute and the user is authorized to access the file, the modified header data are returned to the client agent to enable the user to open the file.