File Encryption Utility – A Wonderful Encryption Tool by Microsoft

File encryption is a critical part of securing your data from unauthorised access. There are many ways to encrypt your files and folders. Earlier, we had described a simple technique (educational only, not secure in practice), the Caesar Cipher. Have a look at File Encryption Using Caesar Cipher. Here, we shall discuss the File Encryption Utility, which ships as Cipher.exe in the C:\Windows\System32 folder of your Windows computer and is the command-line front end to the Encrypting File System (EFS).



File Encryption Utility

The File Encryption Utility lets you view and alter the encryption status of files and folders on NTFS partitions. You can also view existing EFS certificates and keys and create new ones. A feature that has nothing to do with EFS itself is its cleanup of unused disk space, which overwrites the free space on a volume so that previously deleted data cannot be recovered with ordinary undelete or file-carving tools. It is not a guarantee for every situation: it does not touch files that still exist, and on an SSD with wear levelling the overwritten blocks are not necessarily the ones that held the data (see #9 below). To use this program, you need to run it from the command line.

For example, to check whether the contents of a directory are encrypted, navigate to that directory, type cipher and press Enter. The results are displayed as shown below.

[Image: output of the cipher command in D:\Projects, and the same folders in Windows Explorer]

As you can see in the first image, the cipher command lists the contents of the current directory (D:\Projects in this case) and marks each entry U or E, where U means Unencrypted and E means Encrypted. Here, two directories, Dynamic Libraries and Static Libraries, are marked E while the rest are U. The second image shows how Windows Explorer displays the names of these encrypted folders in green.

Common uses for the File Encryption Utility

Listed below are some common uses for Cipher.exe :

#1 Encrypting files and folders

To encrypt your files and folders, type CIPHER /E <filename/foldername> and press ENTER.

For example, “D:\Projects\C#>CIPHER /E myfirstcs.sln” encrypts the file named “myfirstcs.sln”, while “D:\Projects\C#>CIPHER /E myfirstcs” marks the folder named “myfirstcs” so that files added to it afterwards are encrypted; files already inside the folder are left as they are. To encrypt the existing contents as well, use “CIPHER /E /S:myfirstcs”, which applies the operation to the folder and everything beneath it. You can also use wildcards to encrypt multiple files and folders. Encrypt the parent directory too: as the help text at the end of this post warns, an encrypted file in an unencrypted directory can end up decrypted when an application saves a modified copy of it.

#2 Decrypting files and folders

To decrypt your files and folders, type CIPHER /D <filename/foldername> and press ENTER.

For example, “D:\Projects\C#>CIPHER /D myfirstcs.sln” decrypts the file named “myfirstcs.sln”, while “D:\Projects\C#>CIPHER /D myfirstcs” clears the encryption mark on the folder named “myfirstcs”; use “CIPHER /D /S:myfirstcs” to decrypt the folder and its existing contents. You can also use wildcards to decrypt multiple files and folders.
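The encrypt/verify/decrypt cycle from #1 and #2, as an added example that is not code from the original post. It drives cipher.exe from PowerShell, reads the result back from the Encrypted file attribute (the same information cipher shows as U/E) and demonstrates the pitfall that /E on a directory alone leaves existing files unencrypted. It assumes an NTFS volume and uses a constructed folder tree under $env:TEMP.

```powershell
# Added example, not code from the original post. Encrypts a folder tree with cipher.exe,
# verifies the result from the Encrypted file attribute, then decrypts it again.
# Assumes an NTFS volume; the demo tree under $env:TEMP is constructed here.

function Get-EfsStatus {
    param([Parameter(Mandatory)][string]$Path)
    # Same U/E information cipher prints, read from the attribute instead of parsing output
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            Item      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

function Set-EfsState {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Encrypt', 'Decrypt')][string]$Action
    )
    $switch = if ($Action -eq 'Encrypt') { '/E' } else { '/D' }
    # /S:<dir> applies the operation to the directory AND its existing contents;
    # /B aborts on the first error instead of silently continuing.
    # Hidden and system files are skipped unless /H is added.
    $cipherArgs = @($switch, '/B', "/S:$Path")
    $output = & "$env:SystemRoot\System32\cipher.exe" @cipherArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe $switch failed on '$Path' (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    $output
}

# --- demo on a constructed folder tree ---
$root = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path (Join-Path $root 'sub') -Force | Out-Null
'secret build config' | Set-Content -LiteralPath (Join-Path $root 'build.config')
'more secrets'        | Set-Content -LiteralPath (Join-Path $root 'sub\keys.txt')

# Pitfall: /E on the directory alone only marks it; the files already inside stay unencrypted
& "$env:SystemRoot\System32\cipher.exe" /E $root | Out-Null
Get-EfsStatus -Path $root | Format-Table -AutoSize      # directory marked, existing files untouched

# /S:<dir> is what encrypts the existing contents as well
Set-EfsState -Path $root -Action Encrypt | Out-Null
Get-EfsStatus -Path $root | Format-Table -AutoSize      # every item now reports Encrypted

# Files created afterwards inherit encryption from the marked directory
'added later' | Set-Content -LiteralPath (Join-Path $root 'later.txt')
(Get-Item -LiteralPath (Join-Path $root 'later.txt')).Attributes

# Undo everything, then confirm nothing under the tree is still encrypted
Set-EfsState -Path $root -Action Decrypt | Out-Null
Get-EfsStatus -Path $root | Where-Object Encrypted
```

Run it in a normal (non-elevated) PowerShell session as the user who owns the files; EFS keys are per user, so a file encrypted here is unreadable to other accounts on the same machine until they are added with CIPHER /ADDUSER.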



#3 Viewing the encryption status of all files and folders in a directory

As explained in the example above, you can use the File Encryption Utility to view a list of files and folders in the current directory and their status i.e. whether they are encrypted or not.

#4 View the data related to one or more encrypted files in a directory

You can view the details of encrypted files in a directory, like the encryption algorithm, key length and the thumbprint of each certificate that can decrypt the file. You can either specify a single file or simply view the details of all the encrypted files in a directory. This is also one of the main tasks of the File Encryption Utility.

For example, if you type CIPHER /C, the details of all encrypted files in the current directory will be displayed. On the other hand, if you type CIPHER /C main.cpp only the details of main.cpp will be displayed. The below image illustrates this.

[Image: output of CIPHER /C for the current directory and for a single file]

#5 View your current EFS certificate thumbprint

You can view the thumbprint of the EFS certificate currently in use with CIPHER /Y. The command prints the certificate’s SHA-1 thumbprint as a hexadecimal string, as shown in the image below. This is the value to match against the “Certificate thumbprint” lines in CIPHER /C output and against the certificates in your personal certificate store.

[Image: output of CIPHER /Y showing the current EFS certificate thumbprint]

#6 Backup EFS Certificate and keys

You can back up your EFS certificate and keys into a file using the File Encryption Utility. Type CIPHER /X <filename> and press ENTER; a new file with the name you specified and the extension .pfx is created in the current directory. Because this file contains your private key, Windows first asks you to confirm that you wish to continue and then prompts you for a password to protect the file. Keep the .pfx somewhere other than the encrypted drive, ideally offline: anyone who obtains it together with the password can decrypt everything protected by that key, and without it your files are unrecoverable if the user profile or the key is lost. The image below shows a successful backup operation.

[Image: output of a successful CIPHER /X backup]

#7 Generate a new certificate and key for use with EFS

You can use the File Encryption Utility to create a new certificate and key for use with EFS. Type CIPHER /K and the thumbprint of the newly generated certificate is displayed in the command prompt window. Windows will also remind you to back up this new key.
NOTE : USE WITH CAUTION. Files you encrypted earlier are still protected by the old certificate, so keep its backup; run CIPHER /U afterwards to update existing encrypted files to the new key (see the documentation below).

#8 Generate an EFS recovery key  and certificate

You can generate an EFS recovery key and certificate using CIPHER /R:filename. By default, this command generates a 2048-bit RSA recovery key and certificate, written as filename.pfx (certificate plus private key, protected by a password you are prompted for) and filename.cer (certificate only). An administrator adds the .cer to the EFS recovery policy so that files encrypted from then on can also be decrypted by the recovery agent; the .pfx is what actually recovers files and belongs offline, not on the machines it protects. For details, view the documentation of the CIPHER command at the end of this post.
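The certificate checks behind #5 and #6, as an added example that is not code from the original post. It reads the thumbprint reported by CIPHER /Y, looks that certificate up in the user's personal store, checks it still has its private key, the EFS enhanced key usage and a valid date, and exports it to a password-protected .pfx. Export-PfxCertificate (a standard Windows cmdlet) is used as a scriptable stand-in for the interactive CIPHER /X; the assumptions are that CIPHER /Y prints the SHA-1 thumbprint as ten groups of four hex digits and that the EFS EKU OID is 1.3.6.1.4.1.311.10.3.4.

```powershell
# Added example, not code from the original post. Finds the certificate cipher /Y reports,
# checks it is usable, and backs it up to a password-protected .pfx.
# Assumptions: cipher /Y output format (ten groups of four hex digits) and the EFS EKU OID.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage (assumed constant)

function Get-EfsThumbprint {
    $out = & "$env:SystemRoot\System32\cipher.exe" /Y 2>&1
    if ($LASTEXITCODE -ne 0) { throw "cipher /Y failed: $($out -join ' ')" }
    $text = $out -join ' '
    # Pick the 40 hex digits out of the surrounding English text instead of stripping non-hex blindly
    if (-not ($text -match '(?i)((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})')) {
        throw "No thumbprint found in cipher /Y output: $text"
    }
    ($Matches[1] -replace '\s', '').ToUpperInvariant()
}

function Get-EfsCertificate {
    $tp   = Get-EfsThumbprint
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $tp
    if (-not $cert) { throw "Thumbprint $tp reported by cipher /Y is not in Cert:\CurrentUser\My" }
    $hasEfsEku = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $EfsEkuOid)
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasEfsEku     = $hasEfsEku
        HasPrivateKey = $cert.HasPrivateKey
        Certificate   = $cert
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $info = Get-EfsCertificate
    if (-not $info.HasPrivateKey) { throw 'The EFS certificate has no private key in this store; nothing to back up' }
    if (-not $info.HasEfsEku)     { Write-Warning 'Certificate lacks the EFS EKU; check which certificate cipher is really using' }
    if ($info.Expired)            { Write-Warning "Certificate expired on $($info.NotAfter); see cipher /K and /U in the documentation" }
    # Scriptable equivalent of "cipher /X": certificate plus private key, password-protected
    Export-PfxCertificate -Cert $info.Certificate -FilePath $PfxPath -Password $Password | Out-Null
    Get-Item -LiteralPath $PfxPath
}

# --- usage ---
Get-EfsCertificate | Format-List Thumbprint, Subject, NotAfter, Expired, HasEfsEku, HasPrivateKey
$pw = Read-Host -AsSecureString -Prompt 'Password for the PFX backup'
Backup-EfsCertificate -PfxPath "$env:USERPROFILE\efs-key-backup.pfx" -Password $pw
# Move the .pfx off this machine (removable media kept offline): it is the key to every file
# this certificate protects, and a copy left on the encrypted drive defeats the purpose.
```

The recovery-agent certificate from #8 is produced the same way in spirit but stays interactive (CIPHER /R:filename prompts for the .pfx password), so it is left to the command line; the resulting .cer can be inspected with Get-PfxCertificate before an administrator adds it to the recovery policy.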



#9 Overwrite deleted data [SPECIAL FEATURE]

When you delete files or folders, the data is not immediately removed from the hard disk. Instead, the space on the disk that was occupied by the deleted data is “deallocated”. After it is deallocated, the space is available for use when new data is written to the disk. Until the space is overwritten, the deleted data can be recovered with a low-level disk editor or data-recovery software. The File Encryption Utility is a convenient tool for removing this leftover data.

To overwrite this data, use CIPHER /W:directory. It writes over all unused space on the volume (Microsoft documents three passes: zeros, 0xFF bytes, then random data) by filling the volume through a temporary folder at its root until the run completes, so expect it to take a while, and close other programs first since anything that needs disk space during the run may fail. Two limitations to keep in mind: it does not touch the contents or slack space of files that still exist, so delete first and wipe afterwards, and on an SSD the overwritten logical blocks are not necessarily the physical cells that held the data, so it offers no guarantee there.

As stated in the help provided for CIPHER in the Command Prompt:

“CIPHER /W:directory removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed.”
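A guarded wrapper around CIPHER /W, as an added example that is not code from the original post. Before wiping it confirms the target is a local fixed NTFS volume, warns when the underlying disk is an SSD (where the overwrite is not guaranteed to reach the cells that held the data), reports how much free space will be written, and honours -WhatIf so the run can be rehearsed. The mapping from a drive letter to its physical disk via Get-Partition and Get-PhysicalDisk, and the EFSTMPWP temporary folder name, are assumptions about the platform, not claims from the original post.

```powershell
# Added example, not code from the original post. Wipes free space with cipher /W after
# sanity checks. Assumes the Storage module (Get-Volume, Get-Partition, Get-PhysicalDisk)
# and that Get-PhysicalDisk.DeviceId matches the partition's DiskNumber.

function Invoke-FreeSpaceWipe {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter)

    $vol = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($vol.FileSystem -ne 'NTFS' -or $vol.DriveType -ne 'Fixed') {
        throw "${DriveLetter}: is $($vol.FileSystem)/$($vol.DriveType); cipher /W is meant for local fixed NTFS volumes"
    }

    # Flash media: wear levelling remaps writes, so an overwrite of the logical free space
    # does not necessarily reach the cells that held the deleted data.
    $diskNumber = (Get-Partition -DriveLetter $DriveLetter).DiskNumber
    $media = (Get-PhysicalDisk | Where-Object DeviceId -eq "$diskNumber").MediaType
    if ($media -eq 'SSD') {
        Write-Warning "Disk $diskNumber is an SSD: cipher /W gives no guarantee here; prefer full-volume encryption or the drive's own secure erase"
    }

    Write-Host ("Free space to overwrite on {0}: {1:N1} GB; three passes (0x00, 0xFF, random) take a while" -f "${DriveLetter}:", ($vol.SizeRemaining / 1GB))

    if ($PSCmdlet.ShouldProcess("${DriveLetter}:", 'Overwrite all unused space')) {
        # /W fills a temporary EFSTMPWP folder at the volume root until the disk is full, then removes it.
        # Close other applications first: anything that needs disk space during the run may fail.
        & "$env:SystemRoot\System32\cipher.exe" "/W:${DriveLetter}:\"
        if ($LASTEXITCODE -ne 0) { throw "cipher /W exited with $LASTEXITCODE" }
    }
}

# What /W does NOT cover: the contents and slack space of files that still exist.
# Delete first, then wipe, so the old contents fall inside the free space being overwritten:
#   Remove-Item -LiteralPath 'D:\old-secrets.txt'
#   Invoke-FreeSpaceWipe -DriveLetter D

Invoke-FreeSpaceWipe -DriveLetter D -WhatIf    # rehearsal; drop -WhatIf to actually wipe
```

Run it from the same user context that owns the volume's root (the temporary folder is created there); on the system volume that usually means an elevated prompt.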

Documentation for CIPHER (File Encryption Utility) in the Command Prompt for Windows 7


Displays or alters the encryption of directories [files] on NTFS partitions.

  CIPHER [/E | /D | /C] 
         [/S:directory] [/B] [/H] [pathname [...]]
  
  CIPHER /K [/ECC:256|384|521]
  
  CIPHER /R:filename [/SMARTCARD] [/ECC:256|384|521]
  
  CIPHER /U [/N]
  
  CIPHER /W:directory
  
  CIPHER /X[:efsfile] [filename]
  
  CIPHER /Y
 
  CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:filename | /USER:username]
         [/S:directory] [/B] [/H] [pathname [...]]

  CIPHER /FLUSHCACHE [/SERVER:servername]
 
  CIPHER /REMOVEUSER /CERTHASH:hash
         [/S:directory] [/B] [/H] [pathname [...]]

  CIPHER /REKEY [pathname [...]]

    /B        Abort if an error is encountered. By default, CIPHER continues 
              executing even if errors are encountered.

    /C        Displays information on the encrypted file.

    /D        Decrypts the specified files or directories.

    /E        Encrypts the specified files or directories. Directories will be
              marked so that files added afterward will be encrypted. The
              encrypted file could become decrypted when it is modified if the
              parent directory is not encrypted. It is recommended that you
              encrypt the file and the parent directory.

    /H        Displays files with the hidden or system attributes. These files
              are omitted by default.

    /K        Creates a new certificate and key for use with EFS. If this
              option is chosen, all the other options will be ignored.

              Note: By default, /K creates a certificate and key that conform
                    to current group policy. If ECC is specified, a self-signed
                    certificate will be created with the supplied key size.

    /N        This option only works with /U. This will prevent keys being
              updated. This is used to find all the encrypted files on the
              local drives.

    /R        Generates an EFS recovery key and certificate, then writes them
              to a .PFX file (containing certificate and private key) and a
              .CER file (containing only the certificate). An administrator may
              add the contents of the .CER to the EFS recovery policy to create
              the recovery key for users, and import the .PFX to recover
              individual files. If SMARTCARD is specified, then writes the
              recovery key and certificate to a smart card. A .CER file is
              generated (containing only the certificate). No .PFX file is
              generated.

              Note: By default, /R creates an 2048-bit RSA recovery key and
                    certificate. If ECC is specified, it must be followed by a
                    key size of 256, 384, or 521.

    /S        Performs the specified operation on the given directory and all
              files and subdirectories within it.

    /U        Tries to touch all the encrypted files on local drives. This will
              update user's file encryption key or recovery keys to the current
              ones if they are changed. This option does not work with other
              options except /N.

    /W        Removes data from available unused disk space on the entire
              volume. If this option is chosen, all other options are ignored.
              The directory specified can be anywhere in a local volume. If it
              is a mount point or points to a directory in another volume, the
              data on that volume will be removed.

    /X        Backup EFS certificate and keys into file filename. If efsfile is
              provided, the current user's certificate(s) used to encrypt the
              file will be backed up. Otherwise, the user's current EFS
              certificate and keys will be backed up.

    /Y        Displays your current EFS certificate thumbnail on the local PC.

    /ADDUSER  Adds a user to the specified encrypted file(s). If CERTHASH is
              provided, cipher will search for a certificate with this SHA1
              hash. If CERTFILE is provided, cipher will extract the
              certificate from the file. If USER is provided, cipher will
              try to locate the user's certificate in Active Directory Domain
              Services.

    /FLUSHCACHE
              Clears the calling user's EFS key cache on the specified server.
              If servername is not provided, cipher clears the user's key cache
              on the local machine.

    /REKEY    Updates the specified encrypted file(s) to use the configured
              EFS current key.

    /REMOVEUSER
              Removes a user from the specified file(s). CERTHASH must be the
              SHA1 hash of the certificate to remove.

    directory A directory path.
    filename  A filename without extensions.
    pathname  Specifies a pattern, file or directory.
    efsfile   An encrypted file path.

    Used without parameters, CIPHER displays the encryption state of the
    current directory and any files it contains. You may use multiple directory
    names and wildcards. You must put spaces between multiple parameters.


Let us know your opinions regarding the discussion of the File Encryption Utility in this article. 🙂


4 comments

  • Wow 🙂 I didn’t know about this great tool. File Encryption Utility is truly a great program, especially if you consider its role in permanently cleaning up the deleted data.

  • Nice list! This program, i.e. the File Encryption Utility, is a really useful tool. I think that you should have listed #9 as #1. In my opinion, it is the most useful task done by this Microsoft utility.

    • Yeah, it’s truly the most useful functionality of this program as far as the majority of Windows users are concerned. However, since the program is intended to be an encryption tool, all the encryption-related functionality had to be listed first.
