Using cipher.exe

cipher.exe is a command-line utility that can be used to display or alter encryption on folders and files in the NTFS file system. If it is used without any switches, the cipher command displays the encryption state of the current folder and all files within the folder. A number of switches can be used with the cipher command, as summarized in Table 9.7. We'll go through a few of the commands, including /r, which generates a new recovery agent certificate and key and is used in a later exercise. The syntax for the cipher command is:

cipher [{/e|/d}] [/s:Folder] [/a] [/i] [/f] [/q] [/h] [/k] [/u [/n]] [PathName [...]] | [/r:PathNameWithoutExtension] | [/w:PathName] | [/x[:PathName] PathNameWithoutExtension]

Table 9.7 cipher.exe Command-Line Switches

Cipher Switch and Parameters    Description and Use

/e    Encrypts specified folders. This will cause files added to the folder to be encrypted as well.

/d    Decrypts specified folders.

/s:Folder    Performs the selected operation in the specified folder and all subfolders.

/a    Performs the operation for files and directories.

/i    Continues performing the specified operation even after errors occur. By default, cipher stops when errors occur.

/f    Forces encryption or decryption of all specified objects. By default, cipher skips files that have been encrypted or decrypted already.

/q    Reports only the most essential information (quiet mode).

/h    Displays files with hidden or system attributes. By default, these files are not encrypted or decrypted.

/k    Creates a new file encryption key for the user running cipher. If this option is used, all other options are disregarded.

/u    Updates the user's file encryption key or recovery agent's key to the current ones in all of the encrypted files on local drives. This option only works with /n.

/n    This option only works with the /u switch. It prevents keys from being updated; it can be used to find all the encrypted files on local drives.

PathName    Specifies the pattern, file, or folder that the other switches operate on.

/r:PathNameWithoutExtension    If you use this option, all other options for the cipher command are ignored. This switch generates a new recovery agent certificate and private key and writes them to the file name specified by PathNameWithoutExtension.

/w:PathName    If you use this option, all other options for the cipher command are ignored. This switch removes data on unused portions of a volume. PathName can be used to indicate any directory on the desired volume.

/x[:PathName] PathNameWithoutExtension    If you use this option, all other options for the cipher command are ignored. This switch identifies the certificates and private keys used by EFS for the currently logged-on user and backs them up to a file. If PathName is specified, the certificate and private key used to encrypt that file are backed up; otherwise, the user's current EFS certificate and keys are backed up. The certificates and private keys are written to the file specified by PathNameWithoutExtension.

/?    Displays help at the command prompt.

Figures 9.28 and 9.29 show the command-line options and syntax (in two screens). One common use for the cipher command is to generate an EFS recovery agent key and certificate, using the /R switch. The command to create a recovery agent key and certificate is:

cipher /R:salesdra

In this case, the file name is salesdra (Sales Data Recovery Agent), which might be used for all sales users, for example. The file will be written as salesdra.pfx, which contains both the certificate and the private key, and salesdra.cer, which contains only the certificate. An administrator can then add the contents of the .CER file to the EFS recovery policy to create the recovery agent for users. The administrator can also import the .PFX file (both key and certificate) to recover individual files. Figure 9.30 shows the process of creating a recovery agent via the cipher.exe command. Notice that you'll be prompted to create a password for the .PFX file.

Figure 9.28 cipher.exe Commands, Part 1

[Screenshot of a command prompt window showing the first screen of the built-in cipher help. The legible text reads:]

Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D] [/S:directory] [/A] [/I] [/F] [/Q] [/H] [pathname [...]]
CIPHER /K
CIPHER /R:filename
CIPHER /U [/N]
CIPHER /W:directory
CIPHER /X[:efsfile] [filename]

/A  Operates on files as well as directories. The encrypted file could become decrypted when it is modified if the parent directory is not encrypted. It is recommended that you encrypt the file and the parent directory.

/D  Decrypts the specified directories. Directories will be marked so that files added afterward will not be encrypted.

/E  Encrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.

/F  Forces the encryption operation on all specified objects, even those which are already encrypted. Already-encrypted objects are skipped by default.

/H  Displays files with the hidden or system attributes. These files are omitted by default.

/I  Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.

/K  Creates a new file encryption key for the user running CIPHER. If this option is chosen, all the other options will be ignored.

/N  This option only works with /U. This will prevent keys being updated. This is used to find all the encrypted files on the local drives.

/Q  Reports only the most essential information.

/R  Generates an EFS recovery agent key and certificate, then writes them to a .PFX file (containing certificate and private key) and a .CER file (containing only the certificate). An administrator may add the contents of the .CER to the EFS recovery policy to create the recovery agent for users, and import the .PFX to recover individual files.

/S  Performs the specified operation on directories in the given directory and all subdirectories.

/U  Tries to touch all the encrypted files [the rest of this entry is cut off at the bottom of the screenshot]

Figure 9.29 cipher.exe Commands, Part 2

Figure 9.30 cipher.exe /R to Create Recovery Agent Key and Certificate

Once you've created the .PFX and .CER files, you can list the directory contents (dir command) and you should see salesdra.pfx and salesdra.cer in the directory.

Anatomy of an Encrypted File

Understanding the structure of an encrypted file will not specifically be covered on the exam. However, understanding this structure will help you when answering questions about EFS and recovery agents on the exam.

An encrypted file has three key parts, shown in Figure 9.31. These are the Data Decryption Fields (DDF), Data Recovery Fields (DRF), and the encrypted file data itself.

Figure 9.31 Structure of an Encrypted File

[Diagram. The file header holds the Data Decryption Fields and the Data Recovery Fields, followed by the encrypted data:]

Data Decryption Fields (DDF)
    File Encryption Key (FEK), encrypted with original encryptor's public key
    File Encryption Key (FEK), encrypted with authorized user 1 public key
    File Encryption Key (FEK), encrypted with authorized user 2 public key
    [A Data Decryption Field exists for each authorized user of the encrypted file.]

Data Recovery Fields (DRF)
    File Encryption Key (FEK), encrypted with public key of designated recovery agent 1
    File Encryption Key (FEK), encrypted with public key of designated recovery agent 2
    [A Data Recovery Field exists for each designated recovery agent.]

Encrypted Data File
    (the file contents, shown in the figure as random-looking ciphertext)

Earlier, we discussed sharing an encrypted file, and Exercise 9.04 stepped you through setting up additional users on an encrypted file. As you can see from the file structure, the encrypted file stores, for each authorized user, a copy of the FEK encrypted with that user's public key in a Data Decryption Field (DDF). An encrypted file's header contains a unique DDF for each authorized user. This is how multiple users can share an encrypted file in Windows Server 2003. The header always contains at least one DDF, the one created for the owner when the file is encrypted.

The header also contains Data Recovery Fields (DRFs) if the computer's security policy designates one or more data recovery agents (DRAs). If so, copies of the FEK are encrypted for each DRA using the DRA's public key. There will be as many DRFs as there are DRAs for each encrypted file.

Looking at the structure of an encrypted file shows how multiple users can access a file and how a data recovery agent can recover it, since all of this information is stored in the header of each encrypted file. Although it seems like a lot of work for each file, using both symmetric and asymmetric keys in the process lets files be encrypted and decrypted quickly and transparently for users.
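The header layout in Figure 9.31, the per-user sharing described above, and the recovery agent's path to a file (importing the .PFX private key, as in the /R discussion earlier) can all be seen in a small working model. The following Python is an added example, not Windows or EFS code: it uses ElGamal over the Mersenne prime 2**521 - 1 in place of the users' and recovery agents' real certificate public keys, and a SHA-256 counter keystream in place of EFS's symmetric cipher (both constructed toy choices, not the algorithms EFS uses), with constructed names and sample plaintext. What it keeps faithful is the structure: one random FEK per file, one DDF entry per authorized user, one DRF entry per designated recovery agent, and file data that is never re-encrypted when a user is added.

```python
"""Toy model of the EFS encrypted-file layout in Figure 9.31 (added example,
not Windows code). Stand-ins, all constructed: ElGamal over 2**521 - 1 for the
real certificate public keys, a SHA-256 counter keystream for the real
symmetric cipher. The header structure (DDFs, DRFs, FEK) is what matters."""
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime used as the shared group modulus (toy choice)
G = 5            # generator (toy choice)
FEK_LEN = 16     # bytes; 2**128 < P, so the FEK fits in one group element


def keygen():
    """Return (private, public) for one user or recovery agent."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def wrap_fek(public_key, fek):
    """Encrypt the FEK to a public key; one such pair is what a DDF or DRF holds."""
    k = secrets.randbelow(P - 2) + 1
    m = int.from_bytes(fek, "big")
    return pow(G, k, P), m * pow(public_key, k, P) % P


def unwrap_fek(private_key, entry):
    """Recover the FEK from a DDF/DRF entry with the matching private key."""
    c1, c2 = entry
    m = c2 * pow(pow(c1, private_key, P), -1, P) % P
    return m.to_bytes(FEK_LEN, "big")


def fek_xor(fek, data):
    """Symmetric stand-in: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(fek + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class EncryptedFile:
    """Header (DDFs + DRFs) plus ciphertext, as laid out in Figure 9.31."""

    def __init__(self, plaintext, owner, owner_pub, recovery_agents):
        fek = secrets.token_bytes(FEK_LEN)          # fresh FEK per file
        # Data Decryption Fields: at least one, for the owner who encrypted it.
        self.ddf = {owner: wrap_fek(owner_pub, fek)}
        # Data Recovery Fields: one per DRA designated by policy (may be empty).
        self.drf = {name: wrap_fek(pub, fek) for name, pub in recovery_agents.items()}
        self.data = fek_xor(fek, plaintext)

    def _fek_for(self, name, private_key):
        """Find the caller's own DDF or DRF entry and unwrap the FEK.
        A principal with no entry in the header cannot obtain the key (KeyError)."""
        entry = self.ddf.get(name) or self.drf[name]
        return unwrap_fek(private_key, entry)

    def decrypt(self, name, private_key):
        """Works for any authorized user (via DDF) or recovery agent (via DRF)."""
        return fek_xor(self._fek_for(name, private_key), self.data)

    def add_user(self, by, by_private_key, new_name, new_pub):
        """Sharing: an existing authorized user unwraps the FEK with their own key
        and wraps it for the new user. Only the header changes, not the data."""
        fek = self._fek_for(by, by_private_key)
        self.ddf[new_name] = wrap_fek(new_pub, fek)


def demo():
    """Build the Figure 9.31 case: owner + 2 users, 2 recovery agents, 1 outsider.
    Names and plaintext are constructed sample values."""
    keys = {n: keygen() for n in ("alice", "bob", "carol", "dra1", "dra2", "mallory")}
    secret = b"Q3 sales forecast: constructed sample plaintext for the demo."
    f = EncryptedFile(secret, "alice", keys["alice"][1],
                      {"dra1": keys["dra1"][1], "dra2": keys["dra2"][1]})
    data_before = f.data
    f.add_user("alice", keys["alice"][0], "bob", keys["bob"][1])
    f.add_user("bob", keys["bob"][0], "carol", keys["carol"][1])  # added users can share onward
    results = {
        "ddf_count": len(f.ddf),
        "drf_count": len(f.drf),
        "data_unchanged": f.data == data_before,
        "user_reads": all(f.decrypt(n, keys[n][0]) == secret for n in ("alice", "bob", "carol")),
        "agent_reads": all(f.decrypt(n, keys[n][0]) == secret for n in ("dra1", "dra2")),
    }
    try:
        f.decrypt("mallory", keys["mallory"][0])
        results["outsider_blocked"] = False
    except KeyError:
        results["outsider_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary from demo(). Two points it makes concrete: holding a valid private key is not enough without a matching DDF or DRF in that file's header, and the recovery agent's path is the same unwrap operation an authorized user performs, just over a DRF, which is why importing the .PFX (the agent's private key) is all that is needed to recover a file.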

EXAM 70-298
