Encrypt or Decrypt files and folders.
Without parameters cipher will display the encryption state of the current folder and files. NTFS volumes only.

      CIPHER [/e | /d] [/s:directory] [/b] [/h] [pathname [...]]

  Display Cipher information:
      CIPHER /c [/s:directory] [/b] [/h] [pathname [...]]

  Create a new Certificate/Key:
      CIPHER /k

  New Recovery agent certificate:
      CIPHER /r:filename [/smartcard]

  Touch encrypted files to Update encryption key:
      CIPHER /u [/n]

  Remove data:
      CIPHER /w:directory

  Backup Keys:
      CIPHER /x[:efsfile] [filename]

  Display current EFS cert:
      CIPHER /y

  Add user to the file:
      CIPHER /adduser [/certhash:hash | /certfile:filename] [/s:directory] [/b] [/h] [pathname [...]]

  Remove user from the file:
      CIPHER /removeuser /certhash:hash [/s:directory] [/b] [/h] [pathname [...]]

  Update the files to use a new EFS key:
      CIPHER /rekey [pathname [...]]


   /b    Abort if an error is encountered. By default, cipher continues to run even if errors are encountered.

   /c    Display information about the encrypted file.

   /d    Decrypt the files or directories.

   /e    Encrypt the files or directories.
         Directories are marked so that files that are added to the folder later are encrypted too.

   /h    Display files with hidden or system attributes.
         By default, these files are not encrypted or decrypted.

   /k    Create a new certificate and key for use with Encrypting File System (EFS) files.
         If /k is specified, all other parameters are ignored.

   /r:filename [/smartcard]
         Generate an EFS recovery agent key and certificate, and write them to a .pfx file
         (containing certificate and private key) and a .cer file (containing only the certificate).
         If /smartcard is specified, it writes the recovery key and certificate to a smart card, and no .pfx file is generated.

   /s:directory
         Performs the operation in the folder and all subfolders.

   /u [/n]  Find all encrypted files on the local drive(s).
         If used with the /n parameter, no updates are made. If used without /n, /u compares the user's file encryption key
         or the recovery agent's key to the current ones, and updates them if they have changed. /u cannot be combined with
         any parameter other than /n.

   /w:directory
         Remove data from available unused disk space on the entire volume.
         If you use the /w parameter, all other parameters are ignored.
         The directory specified can be located anywhere in a local volume. If it is a mount point or points to a
         directory in another volume, the data on that volume is removed.

   /x[:efsfile] [FileName]
         Back up the EFS certificate and keys to the specified file name.
         If used with :efsfile, /x backs up the user's certificate(s) that were used to encrypt the file.
         Otherwise, the user's current EFS certificate and keys are backed up.

   /y    Display your current EFS certificate thumbprint on the local computer.

   /adduser [/certhash:hash | /certfile:filename]
         Add a user to the specified encrypted file(s).

   /rekey
         Update the specified encrypted file(s) to use the currently configured EFS key.

   /removeuser /certhash:hash
         Remove a user from the specified file(s).
         The hash provided for /certhash must be the SHA1 hash of the certificate to remove.

   pathname
         A pattern, file, or folder.

   /?    Help

It is recommended that you always encrypt both the file and the folder in which it resides; this prevents an encrypted file from becoming decrypted when it is modified.
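An audit for the recommendation above, as an added example that is not part of the original page: it parses cipher listing output and reports encrypted files that sit in a folder not itself marked for encryption. The function name Get-CipherState is hypothetical, the "Listing" and "New files added to this directory will [not] be encrypted." lines are the English-locale cipher output and are assumed here, and the sample listing is constructed.

```powershell
# Added example (not from the original page). Get-CipherState is a hypothetical helper.
# Assumes English-locale cipher output: a " Listing <dir>" header, a line stating whether
# new files in that directory will be encrypted, then one "E name" / "U name" line per entry.
function Get-CipherState {
    param([string[]]$Lines)
    $dir = $null
    $dirEncrypts = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Listing\s+(.+)$') {
            # New directory block: reset the folder flag until its status line is seen
            $dir = $Matches[1].Trim()
            $dirEncrypts = $false
        }
        elseif ($line -match 'New files added to this directory will (not )?be encrypted') {
            # Group 1 is present only when the folder is NOT marked for encryption
            $dirEncrypts = -not $Matches.ContainsKey(1)
        }
        elseif ($dir -and $line -cmatch '^([EU])\s+(\S.*)$') {
            [pscustomobject]@{
                Directory         = $dir
                Name              = $Matches[2].Trim()
                Encrypted         = ($Matches[1] -ceq 'E')
                FolderEncryptsNew = $dirEncrypts
            }
        }
    }
}

# Constructed sample listing, not captured from a real system
$sample = @(
    ' Listing C:\reports\'
    ' New files added to this directory will not be encrypted.'
    ''
    'E budget.xlsx'
    'U notes.txt'
    ''
    ' Listing C:\reports\2022\'
    ' New files added to this directory will be encrypted.'
    ''
    'E q1.docx'
)

# Encrypted files whose parent folder is not marked: candidates for "CIPHER /e <folder>"
Get-CipherState -Lines $sample |
    Where-Object { $_.Encrypted -and -not $_.FolderEncryptsNew } |
    Format-Table Directory, Name
```

On a live system, pass the real listing instead of the sample: `Get-CipherState -Lines (cipher /s:C:\reports)`.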

An administrator can add the contents of a .cer file to the EFS recovery policy to create the recovery agent for users, and then import the .pfx file to recover individual files.

Cipher cannot encrypt files that are marked as read-only.
Cipher will accept multiple folder names and wildcard characters.
You must separate multiple parameters with at least one space.


Display the encryption status of each of the files and subdirectories in the current directory. Encrypted files and directories will be prefixed with an E. Unencrypted files and directories will be prefixed with a U:


Enable encryption for the folder 'SS64' (assuming it exists below the current directory):


List encrypted files in the reports folder:

CIPHER c:\reports\*

Encrypt the Reports folder and all subfolders:

CIPHER /e /s:C:\reports

Back up the certificate and private key currently used to encrypt and decrypt EFS files to a file:

CIPHER /x c:\myefsbackup

To overwrite all deleted data on the C: volume, run cipher /w against any folder on that volume e.g. C:\demo:

Quit all programs, then
CIPHER /W:c:\demo

This will cause all deallocated space on drive C: to be overwritten. If C:\demo is a Mount Point or points to a folder on another volume, all deallocated space on that volume will be cleaned. Data that isn’t allocated to files or folders is overwritten. The data is permanently removed. It can take a long time if you overwrite a large amount of space.

“He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself” ~ Thomas Paine

Related commands:

FSUTIL - File and Volume utilities.
CMDKEY - Manage stored usernames/passwords.
Q814599 - Use Cipher.exe to overwrite deleted data in Windows Server 2003
Equivalent PowerShell: ConvertTo-SecureString - Convert to a secure string.
