Most Windows 2000 and XP Professional users are aware of the ability to encrypt data at the file level, using the Encrypting File System (EFS). It’s easy to do through the graphical interface—as easy as checking a checkbox on the Advanced File Attributes property sheet. However, many IT pros aren’t aware that encryption can also be performed at the command line.
The cipher.exe utility is included with Microsoft’s most recent NT-based operating systems. It allows you to do the same tasks—encrypt and decrypt—that you can do through the GUI, but also allows you to do much more—all through the command line. Administrators and power users can take advantage of the cipher tool’s power to gather encryption information and more quickly perform encryption tasks.
This Daily Drill Down will introduce you to the cipher tool and walk you through the steps of using its various switches.
Why a command line encryption tool?
What’s the need for a command line encryption tool if it’s so easy to encrypt and decrypt files using the GUI (other than the fact that some of us just like the character-based interface)? While encryption and decryption are easy attributes to set through a file or folder’s property sheet, there are other encryption-related tasks that are difficult (or impossible) to accomplish through the GUI.
For example, what if a user wants to create a new file encryption key? You might think you could generate a new key pair by requesting a new EFS certificate. You would do this by invoking the Certificate Request Wizard via the Certificates MMC (if you’re in an Active Directory domain) or via the certification authority’s Web page. But the problem with this method is that the file encryption key that is generated by EFS is wrapped with the user’s public key during the encryption process. As a workaround, the cipher tool allows you to create a new encryption key by typing cipher /k.
What if you want to encrypt files that are already encrypted? There’s no way to do that through the graphical interface; you must first decrypt the file before you’re allowed to change its attribute back to encrypted. With the cipher tool, you can force encryption on all files and folders, including those that are already encrypted.
The original version of cipher.exe that was released with Windows 2000 does not include the data overwrite function. This was added in a version of the cipher tool that Microsoft released in June 2001 (and included in Windows 2000 SP3). The drive-wiping function is included in the cipher tool that comes with Windows XP.
Limitations of the cipher tool
Although the Cipher tool can do some things that the GUI can’t, you are still working with the same component (EFS) and must operate under some of the same limitations as when you encrypt and decrypt files the graphical way. The Cipher command doesn’t provide any way around the rule that a file or folder can’t be simultaneously encrypted and compressed, and Cipher can’t encrypt files or folders with the Read Only attribute or those with the System attribute. If you try to do so, you’ll get a message that access is denied. Click here to learn more about a potential EFS security concern.
One thing that you can’t do with the Cipher tool that you can do through the GUI is give other users cryptographic access to encrypted files or folders. Windows XP and 2003 Server (unlike Windows 2000) allow the person who encrypts a file to add other user accounts that enable others to view his/her encrypted data. This is done through the Encryption Details dialog box (accessed via the Details button on the Advanced Attributes property sheet). There is no mechanism for doing this with the cipher tool.
Developers can give other users cryptographic access to encrypted files or folders by using the AddUsersToEncryptedFile function.
Having cryptographic access to a file or folder doesn’t necessarily mean you’ll be able to read it; you must also have the appropriate NTFS permissions.
Using cipher to gather encryption information
The cipher command can be used without any switches to quickly ascertain which files and folders in a given directory are encrypted. All you have to do is switch to the desired drive or directory and type cipher. The output of the command is shown in Figure A.
|The cipher command, without switches, shows the encryption status of files and folders.|
Note that in Figure A, each file or folder in the root of the logical drive labeled E (where I was when I typed the command) is listed with either a U or E in front of the file or folder name. U indicates the file is unencrypted and E indicates that it is encrypted. None of the file’s other attributes (Hidden, Read Only, System, Compressed) are indicated.
You can also see which files are encrypted at a glance in Windows Explorer, if the Option to show encrypted or compressed NTFS files in color is enabled (this is done by going to Tools | Folder Options | View and then by checking the appropriate checkbox). As you can see in Figure B, the GUI method uses green text to mark encrypted files and blue text to mark compressed ones.
|In contrast to the cipher command, the GUI shows encrypted files in a different color.|
After you encrypt a directory, you are no longer able to switch to the directory and use the cipher command to view the encryption status of files within the directory. Instead, when you type cipher, you will see a message as shown in Figure C below, indicating that new files added to the directory will be encrypted.
|After you encrypt a folder, you can’t use the cipher command to view the status of files inside it.|
Instead, to see which files within a specified folder are encrypted, use the syntax cipher <folder name or path>\*. For example, to see the encryption status of the files in the directory named encrypted, type the following command:
This returns the list of files in the directory with the U or E status attribute for each.
Encrypting and decrypting from the command line
You can use the cipher command to encrypt and decrypt data at the command line, in individual directories or in batches.
Using the /e and /d switches
The /e and /d switches are used with the cipher command to encrypt or decrypt a directory, respectively. The syntax to encrypt a directory is cipher /e <directory name>. It is important to note that these switches only work on directories—not on individual files. This is one of the most common mistakes made in using the tool, leading to complaints that “cipher doesn’t work.” No matter how many times you type cipher /e <filename>, your file won’t be encrypted. There is a clue in the message you get when you do this, shown below:
0 directorie(s) within 2 directorie(s) were encrypted.
As you might guess from this message, you need to be using the command with folder names, not file names.
Likewise, you can decrypt an encrypted directory using the command cipher /d <directory name>. Once again, it works only with directories.
Note that when you encrypt a directory, if unencrypted files already exist within the directory, they will remain unencrypted. However, all new files added to the directory will be automatically encrypted.
Using the /s switch
The /s switch is used in conjunction with the /e or /d switch, and makes it possible for you to perform the specified operation (encryption or decryption) on the subfolders within the folder you are encrypting or decrypting. So if you have several layers of folders and want to quickly encrypt the entire tree, use the syntax cipher /e /s: <directory name>. You can decrypt the subdirectories within the directory in the same way, substituting /d for /e.
Note that you need to put a colon after the /s switch. The results of the command will name the subdirectories that have been encrypted or decrypted, as shown in Figure D.
|The /s switch in conjunction with /e or /d is used to encrypt or decrypt subdirectories within a directory.|
Using the /a switch
At this point, you may be wondering how to encrypt individual files. That’s the function of the /a switch. Using the syntax cipher /e /a <directory path\filename>, you can encrypt a single file. For example, the following command will encrypt a file named testdoc1.txt in a subdirectory named subsub within a subdirectory named subencrypted that resides in a directory named encrypted:
Cipher /e /a encrypted\subencrypted\subsub\testdoc1.txt
You can encrypt all the files in a directory by switching to that directory and typing cipher /e /a. As shown in Figure E, the command will output the results, showing you the names of the files that were encrypted. You’ll also see the warning reminder that encrypting individual files (rather than creating the files in encrypted folders) can leave remnants in plain text on the disk.
|Use the /a switch for encrypting individual files rather than directories.|
You can also use wildcards to encrypt (or decrypt) groups of files. For example, to decrypt all files in the working directory with names that begin with the letters “test,” use the following command:
cipher /d /a test*
Using the /i switch
By default, if an error occurs while cipher is performing an encryption or decryption operation, it will stop. However, you can force the operation to continue even if errors occur, by using the /i switch. The syntax for this is cipher /e [or /d] /i.
Using the /f switch
Normally, if there are files or folders within the path being encrypted that are already encrypted, the cipher tool will skip the operation on those objects. However, if you want to force encryption (or decryption) of all the folders or files specified, even those that have already been encrypted, you can use the /f switch (cipher /e [or /d] /f <directory or path>).
Managing encryption keys and recovery certificates
The cipher utility allows you to do much more than encrypt and decrypt files. It also includes a number of switches that you can use to manage encryption keys and recovery certificates. Let’s look at those now.
Using the /k switch to create a new encryption key
You can use cipher to cause a new encryption key to be generated for the user who is running the cipher utility. The syntax is cipher /k. Using this switch causes the cipher tool to ignore any other switches.
When the new key has been generated, you’ll be shown the “thumbprint information” for the encryption certificate, as shown in Figure F.
|Use the /k switch to generate a new encryption certificate and key.|
If you’re not currently logged on with the account for which you want to create the key, you can open the command prompt using the Run As option in Windows XP.
To use the Run as option, navigate to cmd.exe, usually in the System32 folder, and right-click its icon (or, if you use the command prompt often, as I do, create a shortcut to the program on your desktop or in your Quick Launch toolbar). Either way, right-click the icon used to open the program, and select Run As… from the context menu. Select The Following User and enter the user credentials for the account you want to use.
Using the /u switch to update keys
What if you change your encryption key? Will you still be able to access data that was encrypted with the old key? Some sources recommend that you keep the old keys until all files and folders that have been encrypted with them are decrypted, but there is a way to update the user’s file encryption key or the recovery agent key to their current ones. To do this, use the /u switch with the cipher command (cipher /u). This will update the keys for all encrypted files on local drives.
When you use this command, the tool will list the names of the files for which the keys were updated, as shown in Figure G.
|Use the /u switch to update encryption keys for existing encrypted files.|
Using the /n switch to prevent keys from being updated
To get a list of just the encrypted files on your system, while preventing keys from being updated, you need to use the /n switch in conjunction with the /u switch (cipher /u /n). You’ll see a list of just those files that are encrypted (including the path for those that are not in the working directory), as shown in Figure H.
|Use the /n switch with the /u switch to get a list of all encrypted files on the system.|
Using the /r switch to generate a new recovery agent certificate
If the recovery agent keys are compromised, you may need to generate a new recovery certificate. You can use the /r switch to create a new recovery agent certificate and private key. You’ll need to specify files to which the new certificate and key should be written, using the pathname without extension. The syntax is cipher /r:<pathname without extension>.
In Windows 2000, EFS will not work for computers that belong to an Active Directory domain if the recovery policy does not contain a recovery agent with a valid certificate. There is no recovery policy required on a standalone machine, but the local administrator can define a policy and add a recovery agent if desired. This is done by accessing the Local Security Policy and expanding the Public Key Policies node, then right clicking the Encrypting File System node and selecting Add Data Recovery Agent.
One of the changes to EFS in Windows XP Professional and Windows Server 2003 is that a recovery agent is no longer required in the domain environment. Consequently, configuring an empty recovery policy for the domain will cause EFS to be disabled for Windows 2000 clients, but not for XP and Windows 2003 Server clients. An empty policy is one that does not have any recovery agents added to it.
Overwriting unallocated space with the /w switch
The /w switch is a new addition to the cipher tool, not included in the original version released with Windows 2000. It is used to overwrite the unallocated space on the disk in order to remove lingering trace data that may be left there from deleted files. It is especially important to do this after encrypting existing files, because of the temporary plain text files created during the process.
The syntax is cipher /w:<pathname>. When you run this command, you’ll be advised to close all other applications. This is because the cipher tool doesn’t lock the drive, so other programs can still write to the drive. Closing as many applications as possible will maximize the amount of trace data that will be overwritten by the cipher tool.
If the disk is large, you may find that it takes quite some time to do the overwrite operation. The utility will show you the progress of the overwriting as it takes place, as shown in Figure I.
|The /w switch is used to overwrite data in unallocated space on the disk.|
A final note
There are a few other tasks that can be performed with the cipher tool. Some of these are standard command line switches, such as the /? switch, used to display helpful information about using the tool, and the /h switch, which can be used to display files with hidden or system attributes (although system files cannot be encrypted, you can encrypt hidden files).