Wield EFS power over your folders, subfolders, and files
Ever since the debut of Windows 2000 Server, you’ve had a built-in way to protect files on your systems— Encrypting File System (EFS). The Win2K edition of EFS suffers from a few glaring security holes, but the Windows Vista and Windows XP versions are much more effective. In fact, EFS is extremely secure on a Vista box running BitLocker.
The GUIs of Vista and XP offer some access to EFS’s power, but to really see EFS’s payoff, you need to dig into EFS’s command- line interface, which is a program called Cipher. (For the purpose of this article, I’ll use the Vista version of Cipher, but XP’s Cipher is similar.) Without further ado, let’s dive into the workings of this encryption/decryption tool.
Encrypting and Decrypting
Cipher provides effective encryption and decryption functionality through its /e (encrypt) and /d (decrypt) options. To use Cipher in this way, simply follow the /e or /d option with the name of a file or folder you want to encrypt or decrypt. For example, you would use Cipher /e secret.txt to encrypt the single file secret.txt, Cipher /e secret*.txt to encrypt every file that matches that pattern, and Cipher /e C:\mysecrets to encrypt everything in the C:\mysecrets folder.
By default, however, instructing Cipher to encrypt a folder doesn’t cause the tool to encrypt files already in the folder; instead, it causes Windows to encrypt any new files in the folder. Thus, to encrypt C:\mysecrets and ensure that any files already in C:\mysecrets are encrypted, you would type two commands:
cipher /e C:\mysecrets
cipher /e C:\mysecrets\*
After you encrypt the folder, you’ll be able to read a file but other users won’t. This user-transparency is one of EFS’s greatest strengths.
What if you want Cipher to not only encrypt a folder and any new contents but to encrypt the folder, its subfolders, and files in that folder and subfolders? You would use the /s: option to specify the top-level folder. For example, to encrypt C:\mysecrets, its folders, and its subfolders, you would type
cipher /e /s:C:\mysecrets
That’s not a misprint: To work on subfolders and files, you don’t just name the top-level folder. You prefix the folder’s name with the /s: option, and you leave no space between the option and the folder name.
In practice, it’s always a good idea to encrypt folders, and it’s almost never a good idea to encrypt particular files. When EFS encrypts a file, it works from a temporary file that contains the unencrypted version of the file’s contents. It then deletes the file, but it doesn’t take the time to wipe the temporary file’s clusters clean. Therefore, it’s theoretically possible that someone could discover an encrypted file’s contents by digging up the remnants of EFS’s temporary file. The result of encrypting inside a folder is that those temporary files reside inside the folder and are therefore not susceptible to prying eyes. Probably for that reason, the Windows Server 2003 and XP version of Cipher works only on folders and ignores any file references, unless you add the /a option. (Vista’s version doesn’t seem to need the /a option.) Thus, Cipher /e secret.txt would have no effect on Windows 2003 or XP, but Cipher /e secret.txt /a would encrypt secret.txt.
The /d option works as /e does, but in reverse. Cipher /d C:\mysecrets would instruct Windows to not encrypt any newly created files in C:\mysecrets. You’d have to use Cipher /d C:\mysecrets\* to decrypt any currently encrypted files in C:\mysecrets.
Adding the /h option instructs Cipher to display the names of any hidden or system files that it has worked on. By default, Cipher encrypts or decrypts any files in a given folder, but it doesn’t report on them. Adding the /b option instructs Vista’s Cipher to stop if it runs into any errors. (By default, the tool continues encrypting or decrypting in spite of any errors it encounters.) For the Windows 2003 or XP version of Cipher, you use the /i option to do the same thing.
The ability to encrypt and decrypt files from the command line can be useful when you’re working with a low-bandwidth remote-control tool such as XP’s Telnet or Vista’s Winrs command. It’s also valuable when you want to automate the process of placing folders onto systems and simultaneously securing them. But Cipher does a lot more, as I’ll demonstrate next month.