NTFS Encryption Utility \windows\system32\cipher.exe

View or configure the automatic file encryption on NTFS drives. (NTFS Encryption Utility is included with Windows XP Professional only.)

To Open

Command Prompt → cipher


cipher [/e|/d] [/s] [/a] [/i] [/f] [/q] [/h] [filename]

cipher /k

cipher /r:efs_file

cipher /w:dir

cipher /u [/n]


Encryption is used to prevent unauthorized access to your data, and one of the features of the NTFS filesystem (see “FAT to NTFS Conversion Utility”, earlier in this chapter) is its built-in support for automatic encryption of files and folders using “public key cryptography.” NTFS encryption is invisible, and encrypted files open as easily as unencrypted files. The difference is that other users, either those who access your computer remotely (via My Network Places, Telnet, or FTP) or those who also log into your computer under a different user account, will not be able to open or read encrypted files on your system.

Right-click on any file or folder, select Properties, and then click the Advanced button. The “Encrypt contents to secure data” option is used to instruct Windows to encrypt the selected item. If a folder is selected, all of its contents will be encrypted (you’ll be prompted about any subfolders); furthermore, any files added to that folder will be automatically encrypted as well.

The NTFS Encryption Utility is the command-line equivalent of this setting, but it adds several powerful features not normally available through Explorer. It’s also useful for automating the encryption or decryption of several files with the help of a WSH script or batch file. The NTFS Encryption Utility takes the following options:

filename

Specifies a file, folder, or group of files (using wildcards) to encrypt or decrypt. Omit filename to act on the current directory.

/e

Encrypts the specified file(s). If a folder is specified for filename, the folder will be marked so that subsequent files added to the folder will be encrypted automatically. Include the /a parameter to encrypt files already in the folder and the /s parameter to act on subdirectories as well.

/d

Decrypts the specified file(s). If a folder is specified for filename, the folder will be marked so that subsequent files added to the folder will be decrypted automatically. Include the /a parameter to decrypt files already in the folder and the /s parameter to act on subdirectories as well.

/s

By default, if filename is a directory, the /e or /d options act on the specified directory, but not on any subdirectories. Include /s to include all subdirectories as well. Use the /a option to encrypt the files stored in these directories.

/a

Operates on files as well as folders. If folders and files are not both marked to be encrypted, it’s possible for an encrypted file to become decrypted when it is modified if its parent folder is not encrypted.

/i

Ignores errors; otherwise, cipher.exe will stop when the first error is encountered.

/f

Forces encryption on all specified files; otherwise, files that are already encrypted will be skipped.

/q

Quiet mode; use this option to report only the most essential information.

/h

Includes files with hidden or system attributes set; otherwise, such files are ignored by cipher.exe.

/k

Generates and displays a new file encryption key (certificate thumbprint) for the current user. The /k option cannot be used with any other options.

/r:efs_file

Generates an Encrypting File System (EFS) recovery agent key and certificate, and then writes them to efs_file.pfx (containing the certificate and private key) and efs_file.cer (containing only the certificate). Since the /r option will automatically add the appropriate file extensions, all you need to specify is the path and file prefix for efs_file. See Notes for more information.

/w:dir

“Wipes” the drive containing directory dir. When a file is deleted in Windows, only that file’s entry in the filesystem table is deleted; the actual data contained in the file remains on the hard disk until it is overwritten with another file. Wiping a drive writes over all unused portions of the disk, which may contain deleted files, so that previously deleted data cannot be recovered. The /w option does not harm existing data, nor does it affect any files currently stored in the Recycle Bin. This is an extreme form of data security and should be used on a regular basis if security is a big concern.

/u

Updates all encrypted files on all local drives. /u is used to ensure that your file encryption key and recovery agent key are current. The /u option cannot be used with any other options, except for /n.

/n

Modifies /u so that encrypted files are only listed, not updated. Type cipher /u /n to list all the encrypted files on your system. The /n option can only be used in conjunction with /u.

If you run the NTFS Encryption Utility without any options, it will display the encryption settings for the current directory and all of its contents.

Notes

  • Windows supports placing encrypted files in nonencrypted folders, but you’ll be warned, by default, if you try to do so. The reason for this is that, when modifying a file, some applications delete the file and then re-create it, and if the folder is not marked to encrypt new files, the once-encrypted file will become decrypted without warning.

  • If you encrypt some or all of the files on your drive and your hard disk crashes, or you encounter some other problem that requires Windows to be reinstalled, you may not be able to access your previously encrypted files (assuming they’re still intact). You can avoid this by using the /r parameter to generate a “recovery agent key,” a cryptographic key that can be used to unlock files in the event of an emergency. You should be able to use this key to subsequently gain access to your encrypted files when necessary. For more information, go to Start → Help and Support and search for “cryptography.”

  • The /w option, used to wipe unused data on a drive, isn’t strictly a form of encryption and can be used whether or not you employ Windows XP’s built-in encryption.

  • NTFS drives support both encryption and compression, but a given file cannot be compressed and encrypted at the same time. If you attempt to encrypt a compressed file, Windows will first uncompress the file.

  • This type of file encryption is supported on NTFS drives only. If you wish to encrypt files on a non-NTFS drive, you can either upgrade to NTFS or use a third-party file encryption utility.

  • Go to Control Panel → [Appearance and Themes] → Folder Options → View tab and turn on the “Show encrypted or compressed NTFS files in color” option to visually differentiate such files from unencrypted, uncompressed files.
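The /a option and the first note above describe a silent-decryption hazard: an encrypted file in a folder that is not itself marked for encryption can come back unencrypted after an application deletes and re-creates it. The following PowerShell script is an added example (not from the book or from cipher.exe) that audits a folder tree for that condition by reading the NTFS Encrypted attribute on each file and its parent folder; the starting folder is an assumed parameter.

```powershell
# Added example: find encrypted files whose parent folder is not marked for
# encryption, i.e. files that an application could silently decrypt by
# rewriting them. Run in PowerShell on an NTFS volume.
param([string]$Root = (Get-Location).Path)   # assumed starting folder

$enc = [System.IO.FileAttributes]::Encrypted

# Every file below $Root that carries the NTFS Encrypted attribute
# (-Force includes hidden and system files, like cipher's /h).
$encryptedFiles = Get-ChildItem -LiteralPath $Root -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $enc) -eq $enc) }

# A folder that is marked "encrypt new files" carries the same attribute.
$atRisk = foreach ($f in $encryptedFiles) {
    $dirAttr = (Get-Item -LiteralPath $f.DirectoryName -Force).Attributes
    if (($dirAttr -band $enc) -ne $enc) { $f.FullName }
}

if ($atRisk) {
    Write-Output "Encrypted files in folders not marked for encryption:"
    $atRisk | ForEach-Object { Write-Output "  $_" }
    # Marking the folder itself (cipher /e on the folder) protects new and
    # re-created files; adding /a would also encrypt files already present.
    $folders = $atRisk | ForEach-Object { Split-Path -Parent $_ } | Sort-Object -Unique
    Write-Output "To fix, mark each folder, for example:"
    $folders | ForEach-Object { Write-Output "  cipher /e `"$_`"" }
} else {
    Write-Output "No encrypted files found in unencrypted folders under $Root"
}
```

The script only reports; it never changes attributes itself, so the cipher commands it prints can be reviewed before they are run.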

See Also

“FAT to NTFS Conversion Utility”, “NTFS Compression Utility”
