CIPHER - CMD


Overview

The CIPHER command in Windows CMD manages Encrypting File System (EFS) encryption for directories and files on NTFS volumes. It can display or alter the encryption of directories and files and can clear cached encryption keys from memory. Its primary purpose is to enhance data security in Windows environments, making it especially useful in sensitive or regulated industries.

Syntax

The basic syntax for the CIPHER command is:

    CIPHER [/E | /D | /C | /S:directory] [/A] [/I] [/F] [/Q] [/H] [/K] [/N] [/U [/N]] [/W:directory] [/X[:efsfile] [/Y]] [drive:][path][filename]

  • /E: Encrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.
  • /D: Decrypts the specified directories.
  • /C: Displays encryption or decryption status of directories and files.
  • /S: Performs the specified operation on directories in the given directory and all subdirectories.
  • /A: Applies to files as well as directories. The operation is performed on files and directories together if /E or /D is specified.
  • /I: Continues performing the specified operation even after errors occur.
  • /F: Forces the encryption operation on all specified objects, including those that are already encrypted.
  • /Q: Reports only the most essential information.
  • /H: Displays files with hidden or system attributes. These files are omitted by default.
  • /K: Creates a new file encryption key for the user running CIPHER.
  • /N: Works only with /U. Prevents keys from being updated, so the current state is reported without altering it.
  • /U: Updates the user’s file encryption key or recovery agents to the current ones.
  • /W: Removes data from available unused disk space on the entire volume. If a directory is specified, data from its unused disk space will be removed.
  • /X: Backs up the EFS certificate and keys to a file. If efsfile is specified, the current user's certificate(s) used to encrypt that file are backed up instead.
  • /Y: Overwrites efsfile (in combination with /X).

Options/Flags

Common Use Flags

  • /E and /D: Use /E to encrypt new files in a directory automatically or /D to decrypt them if necessary.
  • /C: Useful for checking the status before and after encryption processes to ensure correct application.
  • /W: Very important when decommissioning systems or drives to ensure that deleted data cannot be recovered.

Examples

  1. Encrypt a folder:

    CIPHER /E /S:C:\sensitive
    

    This command encrypts the “sensitive” folder and all subfolders on the C: drive.

  2. Decrypt a folder:

    CIPHER /D C:\sensitive
    

    Decrypts the “sensitive” folder on the C: drive.

  3. View encryption status:

    CIPHER /C C:\sensitive
    

    Displays the encryption status of the “sensitive” folder and its contents.

  4. Securely wipe free space:

    CIPHER /W:C:\
    

    Wipes free space on the C: drive to prevent previously deleted files from being recovered.
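
The status check from example 3 can be automated after an encryption run. The following Python code is an added example, not part of the original page: it parses a saved CIPHER status listing and reports files still marked U (unencrypted) and directories where new files will not be encrypted. The sample text is constructed, and the English " Listing" / "E" / "U" layout is an assumption to confirm against the output of your Windows build.

```python
import re

# Constructed sample (not real output). Assumed layout: a " Listing <dir>"
# header, a "New files ... will [not] be encrypted." line, then "E name" /
# "U name" entries with the status letter in the first column.
SAMPLE = """\

 Listing C:\\sensitive\\
 New files added to this directory will be encrypted.

E payroll.xlsx
U notes.txt

 Listing C:\\sensitive\\archive\\
 New files added to this directory will not be encrypted.

U 2019.zip
E U-turn policy.docx
"""

LISTING = re.compile(r"^\s*Listing (.+)$")
ENTRY = re.compile(r"^([EU]) (.+)$")  # indented detail lines never match


def audit(listing_text):
    """Return (unencrypted_paths, unmarked_dirs) found in a status listing."""
    unencrypted, unmarked, current = [], [], None
    for raw in listing_text.splitlines():
        line = raw.rstrip()
        header = LISTING.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            continue  # ignore anything before the first directory header
        if line.lstrip().startswith("New files") and "will not be encrypted" in line:
            unmarked.append(current)  # new files here would be stored in plaintext
            continue
        entry = ENTRY.match(line)
        if entry and entry.group(1) == "U":
            unencrypted.append(current + entry.group(2))
    return unencrypted, unmarked


if __name__ == "__main__":
    files, dirs = audit(SAMPLE)
    for path in files:
        print("UNENCRYPTED FILE:", path)
    for path in dirs:
        print("DIRECTORY NOT MARKED:", path)
```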

Common Issues

  • Permissions: Running CIPHER may require administrative privileges, especially when manipulating system folders or other users’ directories.
  • Filesystem Support: Only NTFS supports encryption via CIPHER; using it on FAT32 or exFAT can result in errors.

Integration

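CIPHER can be used in conjunction with ROBOCOPY to back up encrypted files, so that the data is both encrypted on the source volume and duplicated elsewhere. Whether the copies remain encrypted depends on the destination; ROBOCOPY's /EFSRAW option copies encrypted files in EFS RAW mode.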

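Example batch script to encrypt and then back up:

    @echo off
    REM Mark C:\sensitive and its subfolders for encryption
    CIPHER /E /S:C:\sensitive
    REM Mirror to the backup share; ROBOCOPY exit codes of 8 or higher mean failure
    ROBOCOPY C:\sensitive \\backupserver\sensitivebackup /MIR
    if errorlevel 8 (echo Backup failed. & exit /b 1)
    echo Backup completed.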

Related Commands

  • EFSINFO: Provides information about encrypted files.
  • FSUTIL: Manages file and volume properties, including setting and querying NTFS file system volumes.

For more information, you can refer to Microsoft’s official documentation for CIPHER and related file system management commands.