Cipher command
Updated: 11/12/2023 by Computer Hope
The cipher command displays or alters the encryption of directories [files] on NTFS partitions.
Availability
Cipher is an external command that is available for the following Microsoft operating systems as cipher.exe.
Cipher syntax
Windows Vista and later syntax
CIPHER [/E | /D | /C] [/S:directory] [/B] [/H] [pathname [...]] CIPHER /K [/ECC:256|384|521] CIPHER /R:file name [/SMARTCARD] [/ECC:256|384|521] CIPHER /U [/N] CIPHER /W:directory CIPHER /X[:efsfile] [file name] CIPHER /Y CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:file name | /USER:username] [/S:directory] [/B] [/H] [pathname [...]] CIPHER /FLUSHCACHE [/SERVER:servername] CIPHER /REMOVEUSER /CERTHASH:hash [/S:directory] [/B] [/H] [pathname [...]] CIPHER /REKEY [pathname [...]]
| /B | Abort if an error is encountered. By default, CIPHER continues executing even if errors are encountered. |
| /C | Displays information on the encrypted file. |
| /D | Decrypts the specified directories. Directories are marked so that files added afterward are not encrypted. |
| /E | /E encrypts the specified files or directories. Directories are marked so that files added afterward are encrypted. The encrypted file could become decrypted when it is modified if the parent directory is not encrypted. It is recommended you encrypt the file and the parent directory. |
| /H | Displays files with the hidden or system attributes. These files are omitted by default. |
| /K | Create new file encryption key for the user running CIPHER. If this option is chosen, all the other options are ignored. Note: By default, /K creates a certificate and key that conform to current group policy. If ECC is specified, a self-signed certificate is created with the supplied key size. |
| /N | This option only works with /U and prevents keys being updated. Using this option finds all the encrypted files on the local drives. |
| /R | /R generates an EFS recovery key and certificate, then writes them to a .PFX file (containing certificate and private key) and a .CER file (containing only the certificate). An administrator may add the contents of the .CER to the EFS recovery policy to create the recovery key for users, and import the .PFX to recover individual files. If SMARTCARD is specified, then writes the recovery key and certificate to a smart card. A .CER file is generated (containing only the certificate). No .PFX file is generated. Note: By default, /R creates a 2048-bit RSA recovery key and certificate. If ECC is specified, it must be followed by a key size of 256, 384, or 521. |
| /S | Performs the specified operation on directories in the given directory and all subdirectories. |
| /U | Tries to touch all the encrypted files on local drives. The /U switch update user's file encryption key or recovery keys to the current ones if they are changed. This option does not work with other options except /N. |
| /W | Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it's a mount point or points to a directory in another volume, the data on that volume is removed. |
| /X | Backup EFS certificate and keys into the file name. If efsfile is provided, the current user's certificate(s) used to encrypt the file are backed up. Otherwise, the user's current EFS certificate and keys are backed up. |
| /Y | Displays your current EFS certificate thumbprint on the local PC. |
| /ADDUSER | Adds a user to the specified encrypted file(s). If CERTHASH is provided, cipher searches for a certificate with this SHA1 hash. If CERTFILE is provided, cipher extracts the certificate from the file. If USER is provided, cipher tries to locate the user's certificate in Active Directory Domain Services. |
| /FLUSHCACHE | Clears the calling user's EFS key cache on the specified server. If a servername is not provided, cipher clears the user's key cache on the local machine. |
| /REKEY | Updates the specified encrypted file(s) to use the configured EFS current key. |
| /REMOVEUSER | Removes a user from the specified file(s). CERTHASH must be the SHA1 hash of the certificate to remove. |
| directory | A directory path. |
| file name | A file name without extensions. |
| pathname | Specifies a pattern, file or directory. |
| efsfile | An encrypted file path. |
Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.
Windows XP and earlier syntax
Displays or alters the encryption of directories [files] on NTFS partitions.
CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [...]] CIPHER /W:directory CIPHER /X[:efsfile] [file name]
| /E | Encrypts the specified directories. Directories are marked so that files added afterward are encrypted. |
| /D | Decrypts the specified directories. Directories are marked so that files added afterward are not encrypted. |
| /S | Performs the specified operation on directories in the given directory and all subdirectories. |
| /A | Operation for files and directories. The encrypted file could become decrypted when it is modified if the parent directory is not encrypted. It is recommended you encrypt the file and the parent directory. |
| /I | Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered. |
| /F | Forces the encryption operation on all specified objects, even those that are already encrypted. Already-encrypted objects are skipped by default. |
| /Q | Reports only the most essential information. |
| /H | Displays files with the hidden or system attributes. These files are omitted by default. |
| /K | Create new file encryption key for the user running CIPHER. If this option is chosen, all the other options are ignored. |
| /W | Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it's a mount point or points to a directory in another volume, the data on that volume is removed. |
| /X | Backup EFS certificate and keys into file name. If efsfile is provided, the current user's certificate(s) used to encrypt the file are backed up. Otherwise, the user's current EFS certificate and keys are backed up. |
| dir | A directory path. |
| pathname | Specifies a pattern, file or directory. |
| efsfile | An encrypted file path. |
Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.
Cipher examples
Display the status of each of the files in the current directory.
cipher
For example, running the command above may display something similar to the example below.
C:\DOCUME~1\ADMINI~1\Desktop>cipher
Listing C:\DOCUME~1\ADMINI~1\Desktop\
New files added to this directory are not encrypted.
U 308374_harddisk_3.jpg
U cipher.txt
U FileZilla.lnk
U hope.txt
U inc
U l-gloss.pdf
U logos.gif
U Main_Page.htm
U Main_Page_files
U move
Next, if we wanted to enable encryption on a directory, type a command similar to the following command. In the following example, the hope directory is being encrypted and any file added into that directory once enabled is also encrypted.
cipher /e hope
Encrypting directories in C:\DOCUME~1\ADMINI~1\Desktop\
test [OK]
1 directory within 1 directory were encrypted.