Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


January 2008

Protect Your Data with Cipher

Wield EFS power over your folders, subfolders, and files
From the January 2008 Edition
of Windows IT Pro
Mark Minasi
Windows Power Tools
InstantDoc #97506
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Ever since the debut of Windows 2000 Server, you’ve had a built-in way to protect files on your systems— Encrypting File System (EFS). The Win2K edition of EFS suffers from a few glaring security holes, but the Windows Vista and Windows XP versions are much more effective. In fact, EFS is extremely secure on a Vista box running BitLocker.

The GUIs of Vista and XP offer some access to EFS’s power, but to really see EFS’s payoff, you need to dig into EFS’s command- line interface, which is a program called Cipher. (For the purpose of this article, I’ll use the Vista version of Cipher, but XP’s Cipher is similar.) Without further ado, let’s dive into the workings of this encryption/decryption tool.

Encrypting and Decrypting
Cipher provides effective encryption and decryption functionality through its /e (encrypt) and /d (decrypt) options. To use Cipher in this way, simply follow the /e or /d option with the name of a file or folder you want to encrypt or decrypt. For example, you would use Cipher /e secret.txt to encrypt the single file secret.txt, Cipher /e secret*.txt to encrypt every file that matches that pattern, and Cipher /e C:\mysecrets to encrypt everything in the C:\mysecrets folder.

By default, however, instructing Cipher to encrypt a folder doesn’t cause the tool to encrypt files already in the folder; instead, it causes Windows to encrypt any new files in the folder. Thus, to encrypt C:\mysecrets and ensure that any files already in C:\mysecrets are encrypted, you would type two commands:

cipher /e C:\mysecrets
cipher /e C:\mysecrets\*

After you encrypt the folder, you’ll be able to read a file but other users won’t. This user-transparency is one of EFS’s greatest strengths.

What if you want Cipher to not only encrypt a folder and any new contents but to encrypt the folder, its subfolders, and files in that folder and subfolders? You would use the /s: option to specify the top-level folder. For example, to encrypt C:\mysecrets, its folders, and its subfolders, you would type

cipher /e /s:C:\mysecrets

That’s not a misprint: To work on subfolders and files, you don’t just name the top-level folder. You prefix the folder’s name with the /s: option, and you leave no space between the option and the folder name.

In practice, it’s always a good idea to encrypt folders, and it’s almost never a good idea to encrypt particular files. When EFS encrypts a file, it works from a temporary file that contains the unencrypted version of the file’s contents. It then deletes the file, but it doesn’t take the time to wipe the temporary file’s clusters clean. Therefore, it’s theoretically possible that someone could discover an encrypted file’s contents by digging up the remnants of EFS’s temporary file. The result of encrypting inside a folder is that those temporary files reside inside the folder and are therefore not susceptible to prying eyes. Probably for that reason, the Windows Server 2003 and XP version of Cipher works only on folders and ignores any file references, unless you add the /a option. (Vista’s version doesn’t seem to need the /a option.) Thus, Cipher /e secret.txt would have no effect on Windows 2003 or XP, but Cipher /e secret.txt /a would encrypt secret.txt.

The /d option works as /e does, but in reverse. Cipher /d C:\mysecrets would instruct Windows to not encrypt any newly created files in C:\mysecrets. You’d have to use Cipher /d C:\mysecrets\* to decrypt any currently encrypted files in C:\mysecrets.

Adding the /h option instructs Cipher to display the names of any hidden or system files that it has worked on. By default, Cipher encrypts or decrypts any files in a given folder, but it doesn’t report on them. Adding the /b option instructs Vista’s Cipher to stop if it runs into any errors. (By default, the tool continues encrypting or decrypting in spite of any errors it encounters.) For the Windows 2003 or XP version of Cipher, you use the /i option to do the same thing.

Valuable Tool
The ability to encrypt and decrypt files from the command line can be useful when you’re working with a low-bandwidth remote-control tool such as XP’s Telnet or Vista’s Winrs command. It’s also valuable when you want to automate the process of placing folders onto systems and simultaneously securing them. But Cipher does a lot more, as I’ll demonstrate next month.

End of Article

Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 24, 2008

An often irreverent look at some of the week's other news, including a Vista Capable dismissal request, Zune price reductions, Morrow musings, Novell and Microsoft sitting in a tree ... two years later, Yahoo!, IE 6 on Windows Mobile, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

PsExec

This freeware utility lets you execute processes on a remote system and redirect output to the local system. ...
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events Top 10 Email Security Challenges and Solutions

Introduction to Identity Lifecycle Manager "2"

Configuration Manager SP1 and R2 Overview

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Is Your Approach to VMware Server Recovery Outdated?
Is your data protected from server failure? Download this white paper to find the best way to back up, recover, and restore your VMware ESX Server 3.x.

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Ease Your Scripting Pains with the Flexibility of PowerShell!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing