Most Windows 2000 and XP Professional users are aware of the ability to encrypt data at the file level, using the Encrypting File System (EFS). It's easy to do through the graphical interface: as simple as checking a checkbox on the Advanced Attributes property sheet. Nevertheless, many IT pros aren't aware that encryption can also be performed at the command line.

The cipher.exe utility is included with Microsoft's most recent NT-based operating systems. It allows you to do the same tasks you can perform through the GUI (encrypt and decrypt), but it also allows you to do much more, all from the command line. Administrators and power users can take advantage of the cipher tool's power to gather encryption information and to perform encryption tasks more quickly.

This Daily Drill Down will introduce you to the cipher tool and walk you through the steps of using its various switches.

Why a command line encryption tool?
What's the need for a command line encryption tool if it's so easy to encrypt and decrypt files using the GUI (other than the fact that some of us just like the character-based interface)? While encryption and decryption are easy attributes to set through a file or folder's property sheet, there are other encryption-related tasks that are difficult (or impossible) to accomplish through the GUI.

For example, what if a user wants to create a new file encryption key? You might think you could generate a new key pair by requesting a new EFS certificate. You would do this by invoking the Certificate Request Wizard via the Certificates MMC (if you're in an Active Directory domain) or via the certification authority's Web page. But the problem with this method is that the file encryption key generated by EFS is wrapped with the user's public key during the encryption process. As a workaround, the cipher tool allows you to create a new encryption key by typing cipher /k.

What if you want to encrypt files that are already encrypted? There's no way to do that through the graphical interface; you must first decrypt the file before you're allowed to change its attribute back to encrypted. With the cipher tool, you can force encryption on all files and folders, including those that are already encrypted.

The cipher tool can also be used to permanently overwrite deleted data on a disk, in a manner similar to that of "disk wiping" tools such as CyberScrub and Paragon Disk Wiper.


Tip

The original version of cipher.exe that was released with Windows 2000 does not include the data overwrite function. This was added in a version of the cipher tool that Microsoft released in June 2001 (and included in Windows 2000 SP3). The drive-wiping function is included in the cipher tool that comes with Windows XP.


Limitations of the cipher tool
Although the cipher tool can do some things that the GUI can't, you are still working with the same component (EFS) and must operate under some of the same limitations as when you encrypt and decrypt files the graphical way. The cipher command doesn't provide any way around the rule that a file or folder can't be simultaneously encrypted and compressed, and cipher can't encrypt files or folders with the Read Only attribute or those with the System attribute. If you try to do so, you'll get a message that access is denied.

One thing that you can't do with the cipher tool that you can do through the GUI is give other users cryptographic access to encrypted files or folders. Windows XP and 2003 Server (unlike Windows 2000) allow the person who encrypts a file to add other user accounts so that those users can view his/her encrypted data. This is done through the Encryption Details dialog box (accessed via the Details button on the Advanced Attributes property sheet). There is no mechanism for doing this with the cipher tool.


Tip

Developers can give other users cryptographic access to encrypted files or folders by using the AddUsersToEncryptedFile function.


Having cryptographic access to a file or folder doesn't necessarily mean you'll be able to read it; you must also have the appropriate NTFS permissions.

Using cipher to gather encryption information
The cipher command can be used without any switches to quickly determine which files and folders in a given directory are encrypted. All you have to do is switch to the desired drive or directory and type cipher. The output of the command is shown in Figure A.

Figure A
The cipher command, without switches, shows the encryption status of files and folders.

Note that in Figure A, each file or folder in the root of the logical drive labeled E (where I was when I typed the command) is listed with either a U or an E in front of the file or folder name. U indicates the file is unencrypted and E indicates that it is encrypted. None of the file's other attributes (Hidden, Read Only, System, Compressed) are indicated.

You can also see which files are encrypted at a glance in Windows Explorer, if the option to show encrypted or compressed NTFS files in color is enabled (this is done by going to Tools | Folder Options | View and then checking the appropriate checkbox). As you can see in Figure B, the GUI method uses green text to mark encrypted files and blue text to mark compressed ones.

Figure B
In contrast to the cipher command, the GUI shows encrypted files in a different color.

After you encrypt a directory, you are no longer able to switch to the directory and use the cipher command to view the encryption status of files inside the directory. Instead, when you type cipher, you will see a message as shown in Figure C below, indicating that new files added to the directory will be encrypted.

Figure C
After you encrypt a folder, you can't use the cipher command to view the status of files inside it.

Instead, to see which files within a specified folder are encrypted, use the syntax cipher <folder name or path>\*. For example, to see the encryption status of the files in the directory named encrypted, type the following command:
cipher encrypted\*

This returns the list of files in the directory with the U or E status marker for each.
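As an added example (not part of the original article or of Microsoft's tooling), the following PowerShell script reproduces the E/U listing that cipher <folder>\* prints, but also reports the attributes cipher leaves out and flags entries that EFS will refuse to encrypt under the limitations described above (Read Only, System, or already Compressed). The folder path E:\encrypted is an assumption.

```powershell
# Added example for this article, not cipher.exe's own output code.
# Lists a folder the way "cipher <folder>\*" does (E = encrypted,
# U = unencrypted) and adds the attributes cipher does not show.

function Test-Attr {
    param([IO.FileAttributes]$Attributes, [IO.FileAttributes]$Flag)
    return (($Attributes -band $Flag) -eq $Flag)
}

function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string]$Path)

    # -Force includes Hidden and System entries, which a plain directory
    # listing (and cipher without /h) would skip.
    Get-ChildItem -LiteralPath $Path -Force | ForEach-Object {
        $a = $_.Attributes
        $encrypted = Test-Attr $a ([IO.FileAttributes]::Encrypted)

        # Attributes the article lists as incompatible with EFS encryption:
        # Read Only and System get "access is denied"; encrypted and
        # compressed cannot coexist on one object.
        $blockers = @()
        if (Test-Attr $a ([IO.FileAttributes]::ReadOnly))   { $blockers += 'ReadOnly' }
        if (Test-Attr $a ([IO.FileAttributes]::System))     { $blockers += 'System' }
        if (Test-Attr $a ([IO.FileAttributes]::Compressed)) { $blockers += 'Compressed' }

        if ($encrypted) { $status = 'E' } else { $status = 'U' }

        New-Object PSObject -Property @{
            Status        = $status
            Name          = $_.Name
            IsDirectory   = $_.PSIsContainer
            Hidden        = (Test-Attr $a ([IO.FileAttributes]::Hidden))
            CannotEncrypt = ($blockers -join ',')
        }
    }
}

# Example run against an assumed folder; unencrypted entries that EFS
# would refuse show the reason in the CannotEncrypt column.
Get-EfsStatus -Path 'E:\encrypted' |
    Sort-Object Status, Name |
    Format-Table Status, Name, IsDirectory, Hidden, CannotEncrypt -AutoSize
```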

Encrypting and decrypting from the command line
You can use the cipher command to encrypt and decrypt data at the command line, in individual directories or in batches.

Using the /e and /d switches
The /e and /d switches are used with the cipher command to encrypt or decrypt a directory, respectively. The syntax to encrypt a directory is cipher /e <directory name>. It is important to note that these switches only work on directories, not on individual files. This is one of the most common mistakes made in using the tool, leading to complaints that "cipher doesn't work." No matter how many times you type cipher /e <filename>, your file won't be encrypted. There is a clue in the message you get when you do this, shown below:
0 directorie(s) within 2 directorie(s) were encrypted.

As you might guess from this message, you need to be using the command with folder names, not file names.

Likewise, you can decrypt an encrypted directory using the command cipher /d <directory name>. Again, it works only with directories.


Tip

Note that when you encrypt a directory, any unencrypted files that already exist within the directory will remain unencrypted. However, all new files added to the directory will be automatically encrypted.


Using the /s switch
The /s switch is used in conjunction with the /e or /d switch, and makes it possible for you to perform the specified operation (encryption or decryption) on the subfolders within the folder you are encrypting or decrypting. So if you have several layers of folders and want to quickly encrypt the entire tree, use the syntax cipher /e /s:<directory name>. You can decrypt the subdirectories inside the directory in the same way, substituting /d for /e.

Note that you need to put a colon after the /s switch. The results of the command will name the subdirectories that have been encrypted or decrypted, as shown in Figure D.

Effigy D
The /s switch in conjunction with /e or /d is used to encrypt or decrypt subdirectories within a directory.

Using the /a switch
At this point, you may be wondering how to encrypt individual files. That's the function of the /a switch. Using the syntax cipher /e /a <directory path\filename>, you can encrypt a single file. For example, the following command will encrypt a file named testdoc1.txt in a subdirectory named subsub within a subdirectory named subencrypted that resides in a directory named encrypted:
cipher /e /a encrypted\subencrypted\subsub\testdoc1.txt

You can encrypt all the files in a directory by switching to that directory and typing cipher /e /a. As shown in Figure E, the command will output the results, showing you the names of the files that were encrypted. You'll also see the warning reminder that encrypting individual files (rather than creating the files in encrypted folders) can leave remnants in plain text on the disk.

Figure E
Use the /a switch for encrypting individual files rather than directories.

You can also use wildcards to encrypt (or decrypt) groups of files. For example, to decrypt all files in the working directory with names that begin with the letters "test," use the following command:
cipher /d /a test*

Using the /i switch
By default, if an error occurs while cipher is performing an encryption or decryption operation, it will stop. However, you can force the operation to continue even if errors occur, by using the /i switch. The syntax for this is cipher /e [or /d] /i.

Using the /f switch
Normally, if there are files or folders within the path being encrypted that are already encrypted, the cipher tool will skip the operation on those objects. However, if you want to force encryption (or decryption) of all the folders or files specified, even those that have already been encrypted, you can use the /f switch (cipher /e [or /d] /f <directory or path>).
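Because the switches above are easy to combine incorrectly (/e on a file does nothing, and /e /s: without /a leaves existing files in plain text), here is an added PowerShell example, not from the article or from Microsoft, that encrypts a whole tree with cipher.exe and then verifies which files were actually encrypted. It combines /e, /s:, /a and /i, which the article covers separately, and optionally finishes with the /w free-space overwrite discussed later in the article; the path E:\encrypted and the function names are assumptions.

```powershell
# Added example for this article, not Microsoft's code: drive cipher.exe
# over a folder tree, then check the result instead of trusting it.

function Test-Attr {
    param([IO.FileAttributes]$Attributes, [IO.FileAttributes]$Flag)
    return (($Attributes -band $Flag) -eq $Flag)
}

function Protect-EfsTree {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [switch]$WipeFreeSpace
    )
    # A trailing backslash would escape the closing quote handed to
    # cipher.exe, so strip it (assumes $Root is a folder, not a drive root).
    $Root = $Root.TrimEnd('\')

    # /e encrypt   /s:<dir> recurse into subfolders   /a include existing
    # files (without /a only the folder attribute is set and files already
    # present stay in plain text)   /i keep going past errors instead of stopping
    & cipher.exe /e "/s:$Root" /a /i | Out-Host

    # Anything still unencrypted was skipped or denied; report it with the
    # attribute the article says causes the refusal (Read Only or System).
    $leftOver = Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not (Test-Attr $_.Attributes ([IO.FileAttributes]::Encrypted)) } |
        ForEach-Object {
            $why = @()
            if (Test-Attr $_.Attributes ([IO.FileAttributes]::ReadOnly)) { $why += 'ReadOnly' }
            if (Test-Attr $_.Attributes ([IO.FileAttributes]::System))   { $why += 'System' }
            New-Object PSObject -Property @{ Path = $_.FullName; Reason = ($why -join ',') }
        }

    # Encrypting files in place leaves plain-text remnants in unallocated
    # space; /w:<path> overwrites the free space on that volume. Close other
    # programs first and expect a large disk to take a long time.
    if ($WipeFreeSpace) { & cipher.exe "/w:$Root" | Out-Host }

    return $leftOver
}

# Example run against an assumed folder: list what did not get encrypted.
Protect-EfsTree -Root 'E:\encrypted' -WipeFreeSpace |
    Format-Table Path, Reason -AutoSize
```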

Managing encryption keys and recovery certificates
The cipher utility allows you to do much more than encrypt and decrypt files. It also includes a number of switches that you can use to manage encryption keys and recovery certificates. Let's look at those now.

Using the /k switch to create a new encryption key
You can use cipher to cause a new encryption key to be generated for the user who is running the cipher utility. The syntax is cipher /k. Using this switch causes the cipher tool to ignore any other switches.

When the new key has been generated, you'll be shown the "thumbprint data" for the encryption certificate, as shown in Figure F.

Figure F
Use the /k switch to generate a new encryption certificate and key.

If you're not currently logged on with the account for which you want to create the key, you can open the command prompt using the Run As option in Windows XP.


Tip

To use the Run As option, navigate to cmd.exe, usually in the System32 folder, and right-click its icon (or, if you use the command prompt often, as I do, create a shortcut to the program on your desktop or in your Quick Launch toolbar). Either way, right-click the icon used to open the program, and select Run As… from the context menu. Select The Following User and enter the user credentials for the account you want to use.


Using the /u switch to update keys
What if you change your encryption key? Will you still be able to access data that was encrypted with the old key? Some sources recommend that you keep the old keys until all files and folders that have been encrypted with them are decrypted, but there is a way to update the user's file encryption key or the recovery agent key to the current ones. To do this, use the /u switch with the cipher command (cipher /u). This will update the keys for all encrypted files on local drives.

When you use this command, the tool will list the names of the files for which the keys were updated, as shown in Figure G.

Figure G
Use the /u switch to update encryption keys for existing encrypted files.

Using the /n switch to prevent keys from being updated
To get a list of just the encrypted files on your system, while preventing keys from being updated, you need to use the /n switch in conjunction with the /u switch (cipher /u /n). You'll see a listing of only those files that are encrypted (including the path for those that are not in the working directory), as shown in Figure H.

Figure H
Use the /n switch with the /u switch to get a list of all encrypted files on the system.

Using the /r switch to generate a new recovery agent certificate
If the recovery agent keys are compromised, you may need to generate a new recovery certificate. You can use the /r switch to create a new recovery agent certificate and private key. You'll need to specify the files to which the new certificate and key should be written, using the pathname without extension. The syntax is cipher /r:<pathname without extension>.

In Windows 2000, EFS will not work for computers that belong to an Active Directory domain if the recovery policy does not contain a recovery agent with a valid certificate. No recovery policy is required on a standalone machine, but the local administrator can define a policy and add a recovery agent if desired. This is done by opening the Local Security Policy, expanding the Public Key Policies node, then right-clicking the Encrypting File System node and selecting Add Data Recovery Agent.

One of the changes to EFS in Windows XP Professional and Windows Server 2003 is that a recovery agent is no longer required in the domain environment. Consequently, configuring an empty recovery policy for the domain will cause EFS to be disabled for Windows 2000 clients, but not for XP and Windows 2003 Server clients. An empty policy is one that does not have any recovery agents added to it.

Overwriting unallocated space with the /w switch
The /w switch is a new addition to the cipher tool, not included in the original version released with Windows 2000. It is used to overwrite the unallocated space on the disk in order to remove lingering trace data that may be left there from deleted files. It is particularly important to do this after encrypting existing files, because of the temporary plain text files created during the process.

The syntax is cipher /w:<pathname>. When you run this command, you'll be advised to close all other applications. This is because the cipher tool doesn't lock the drive, so other programs can still write to the drive. Closing as many applications as possible will maximize the amount of trace data that will be overwritten by the cipher tool.

If the disk is large, you may find that the overwrite operation takes quite some time. The utility will show you the progress of the overwriting as it takes place, as shown in Figure I.

Figure I
The /w switch is used to overwrite data in unallocated space on the disk.

A final note
There are a few other tasks that can be performed with the cipher tool. Some of these are standard command line switches, such as the /? switch, used to display helpful information about using the tool, and the /h switch, which can be used to display files with hidden or system attributes (although system files cannot be encrypted, you can encrypt hidden files).