Ever since the debut of Windows 2000 Server, you’ve
had a built-in way to protect files on your systems—
Encrypting File System (EFS). The Win2K
edition of EFS suffers from a few glaring security holes, but
the Windows Vista and Windows XP versions are much
more effective. In fact, EFS is extremely secure on a Vista
box running BitLocker.
The GUIs of Vista and XP offer some access to EFS’s power,
but to really see EFS’s payoff, you need to dig into EFS’s command-
line interface, which is a program called Cipher. (For
the purpose of this article, I’ll use the Vista version of Cipher,
but XP’s Cipher is similar.) Without further ado, let’s dive into
the workings of this encryption/decryption tool.
Encrypting and Decrypting
Cipher provides effective encryption and decryption functionality
through its /e (encrypt) and /d (decrypt) options.
To use Cipher in this way, simply follow the /e or /d option
with the name of a file or folder you want to encrypt or
decrypt. For example, you would use Cipher /e secret.txt
to encrypt the single file secret.txt, Cipher /e secret*.txt to
encrypt every file that matches that pattern, and Cipher
/e C:\mysecrets to encrypt everything in the C:\mysecrets
folder.
By default, however, instructing Cipher to encrypt a
folder doesn’t cause the tool to encrypt files already in the
folder; instead, it causes Windows to encrypt any new files
in the folder. Thus, to encrypt C:\mysecrets and ensure that
any files already in C:\mysecrets are encrypted, you would
type two commands:
cipher /e C:\mysecrets
cipher /e C:\mysecrets\*
After you encrypt the folder, you’ll be able to read a file but
other users won’t. This user-transparency is one of EFS’s
greatest strengths.
What if you want Cipher to not only encrypt a folder and
any new contents but to encrypt the folder, its subfolders,
and files in that folder and subfolders? You would use the
/s: option to specify the top-level folder. For example, to
encrypt C:\mysecrets, its folders, and its subfolders, you
would type
cipher /e /s:C:\mysecrets
That’s not a misprint: To work on subfolders and files, you
don’t just name the top-level folder. You prefix the folder’s
name with the /s: option, and you leave no space between
the option and the folder name.
In practice, it’s always a good idea to encrypt folders,
and it’s almost never a good idea to encrypt particular files.
When EFS encrypts a file, it works from a temporary file that
contains the unencrypted version of the file’s contents. It
then deletes the file, but it doesn’t take the time to wipe the
temporary file’s clusters clean. Therefore, it’s theoretically
possible that someone could discover an encrypted file’s
contents by digging up the remnants of EFS’s temporary
file. The result of encrypting inside a folder is that those
temporary files reside inside the folder and are therefore
not susceptible to prying eyes. Probably for that reason,
the Windows Server 2003 and XP version of Cipher works
only on folders and ignores any file references, unless you
add the /a option. (Vista’s version doesn’t seem to need the
/a option.) Thus, Cipher /e secret.txt would have no effect
on Windows 2003 or XP, but Cipher /e secret.txt /a would
encrypt secret.txt.
The /d option works as /e does, but in reverse. Cipher
/d C:\mysecrets would instruct Windows to not encrypt
any newly created files in C:\mysecrets. You’d have to
use Cipher /d C:\mysecrets\* to decrypt any currently
encrypted files in C:\mysecrets.
Adding the /h option instructs Cipher to display the
names of any hidden or system files that it has worked on. By
default, Cipher encrypts or decrypts any files in a given folder,
but it doesn’t report on them. Adding the /b option instructs
Vista’s Cipher to stop if it runs into any errors. (By default, the
tool continues encrypting or decrypting in spite of any errors
it encounters.) For the Windows 2003 or XP version of Cipher,
you use the /i option to do the same thing.
Valuable Tool
The ability to encrypt and decrypt files from the command
line can be useful when you’re working with a
low-bandwidth remote-control tool such as XP’s Telnet or
Vista’s Winrs command. It’s also valuable when you want to
automate the process of placing folders onto systems and
simultaneously securing them. But Cipher does a lot more,
as I’ll demonstrate next month.
End of Article
Register
