CIPHER Command Guide - Display and Alter File Encryption in Windows

Learn how to use the cipher command to display, encrypt, or decrypt files and directories on NTFS volumes in Windows. Includes syntax, examples, troubleshooting, and best practices for EFS encryption.

Rojan Acharya · Updated Feb 8, 2026

The cipher command is a Windows Command Prompt utility that displays or alters the encryption of directories and files on NTFS volumes using Encrypting File System (EFS). Use cipher /e to encrypt files, cipher /d to decrypt, and cipher /w to securely wipe deleted data from free disk space, providing file-level security independent of BitLocker full-disk encryption.

Whether you're protecting sensitive business documents, securing personal files on shared computers, or implementing defense-in-depth security strategies in enterprise environments, the cipher command provides granular control over file encryption without requiring third-party tools. IT professionals and security-conscious users rely on cipher for data protection, secure file deletion, and regulatory compliance with data security requirements.

This comprehensive guide covers cipher syntax, encryption and decryption operations, secure wiping, practical examples for common scenarios, troubleshooting tips, related security commands, and frequently asked questions. By the end, you'll confidently use EFS encryption from the command line for file security, compliance, and data protection tasks.

What Is the Cipher Command?

The cipher command has been part of Windows since Windows 2000, providing command-line access to Encrypting File System (EFS), a feature of the NTFS file system that provides file-level encryption. Unlike BitLocker, which encrypts entire drives, EFS encrypts individual files and folders, with encryption tied to specific user accounts.

EFS encryption is transparent to authorized users—encrypted files appear and function normally when accessed by the user who encrypted them. However, other users (including administrators) cannot access encrypted files without the encryption keys, providing strong protection even on shared systems or if the physical drive is removed and accessed from another computer.

The cipher command provides three main functions:

  1. Display encryption status – View which files and folders are encrypted
  2. Encrypt/decrypt files – Apply or remove EFS encryption
  3. Secure wipe – Overwrite free space to permanently erase deleted file remnants

The command works in Command Prompt (CMD) and PowerShell, and is available in Windows Pro, Enterprise, and Education editions. Windows Home editions do not support EFS encryption, so the cipher command has limited functionality on Home editions (secure wipe still works).

Cipher Command Syntax

The basic syntax for the cipher command is:

cipher [/e | /d] [/s:dir] [/a] [/i] [/f] [/q] [/h] [/k] [/u] [/w:dir] [pathname [...]]

Parameters and Switches

| Parameter | Description |
| --- | --- |
| /e | Encrypt the specified directories and files |
| /d | Decrypt the specified directories and files |
| /s:dir | Perform operation on specified directory and all subdirectories |
| /a | Process files in addition to directories (files are not encrypted by default without this) |
| /i | Continue even if errors occur (ignore errors) |
| /f | Force encryption/decryption even if files are already encrypted/decrypted |
| /q | Quiet mode (report only essential information) |
| /h | Display files with hidden or system attributes |
| /k | Create new encryption key for the user |
| /u | Update user's file encryption key to current key (after key recovery) |
| /w:dir | Securely wipe deleted data from free space in specified directory |
| pathname | Specify files or directories to process (wildcards supported) |
| (no parameters) | Display encryption status of current directory |

Important Usage Notes

Encryption applies to directories by default: When you encrypt a directory, the encryption attribute is set on the folder. New files created in that folder are automatically encrypted. To encrypt existing files, use /a.

User-specific encryption: Files encrypted by one user cannot be accessed by other users (even administrators) without the encryption certificate and private key.

Back up encryption certificates: Always export and securely store EFS certificates. If the certificate is lost, encrypted files become permanently inaccessible.

Understanding Encrypting File System (EFS)

EFS provides per-file and per-folder encryption using public-key cryptography:

  1. File Encryption Key (FEK) – Random symmetric key that encrypts file contents
  2. User's Public Key – Encrypts the FEK and stores it with the file
  3. User's Private Key – Stored in user profile, decrypts the FEK to access files

Key benefits of EFS:

  • User-level protection – Files are protected even if an attacker has physical drive access
  • Transparent operation – Encrypted files appear normal to authorized users
  • Automatic encryption – New files in encrypted folders are automatically encrypted
  • Selective encryption – Encrypt only sensitive files, not entire drives

Limitations:

  • Windows Pro+ required – Not available in Home editions
  • NTFS only – FAT32, exFAT, and other file systems don't support EFS
  • Network limitations – Encrypted files are decrypted when accessed over network shares (use WebDAV or properly configured shares)
  • Certificate dependency – Losing encryption certificate means losing access to files

Practical Cipher Command Examples

Display Encryption Status of Current Directory

View encryption status of files and folders in the current location:

cipher

Output shows encryption state with indicators:

Listing C:\Documents\
New files added to this directory will not be encrypted.

U file1.txt
U file2.docx
E encrypted-file.pdf
U subfolder

No encrypted files were found.

Legend: E = Encrypted, U = Unencrypted. The status line indicates whether new files will be automatically encrypted.

Encrypt a Directory

Encrypt a folder so all future files are automatically encrypted:

cipher /e C:\Confidential

This sets the encryption attribute on the folder. New files created in C:\Confidential will be automatically encrypted. Existing files remain unencrypted unless you use /a.

Encrypt Directory and All Existing Files

Encrypt a folder and all existing files within it:

cipher /e /a C:\Confidential

The /a parameter encrypts existing files in addition to setting the folder encryption attribute. This ensures complete protection of all current and future files.

Encrypt Directory and Subdirectories Recursively

Encrypt a directory tree including all subdirectories:

cipher /e /s:C:\Confidential

The /s:dir parameter processes all subdirectories recursively. Combine with /a to encrypt existing files: cipher /e /a /s:C:\Confidential.

Decrypt a File or Directory

Remove EFS encryption from a file:

cipher /d C:\Confidential\file.txt

Decrypt a directory and all contents:

cipher /d /a /s:C:\Confidential

Decryption returns files to normal unencrypted state. Only the user who encrypted the files (or a designated recovery agent) can decrypt them.

Securely Wipe Free Disk Space

Overwrite deleted file remnants on drive C:

cipher /w:C:\

This securely erases deleted files by overwriting free space in three passes (0x00, then 0xFF, then random data). Warning: This operation can take hours on large drives and generates significant disk activity.

Use case: Before selling, donating, or disposing of a computer, use cipher /w to ensure deleted sensitive files cannot be recovered with forensic tools.

Encrypt Specific File Types

Encrypt all Word documents in a directory:

cipher /e /a C:\Documents\*.docx

Wildcards (* and ?) are supported for selective encryption based on file patterns.

Display Detailed Encryption Information

Show encryption status including hidden and system files:

cipher /h C:\Windows

The /h parameter reveals encryption status of files normally hidden from view. Useful for security audits of system directories.

Force Encryption Refresh

Re-encrypt files that are already encrypted (useful after certificate recovery):

cipher /f /e /a C:\Confidential

The /f parameter forces the operation even if files are already in the desired state. Useful for updating encryption keys or troubleshooting.

Quiet Mode for Scripting

Encrypt files with minimal output for batch scripts:

cipher /e /a /q C:\Confidential

Quiet mode (/q) suppresses verbose output, showing only essential information. Ideal for automated encryption tasks in scripts.

Common Use Cases for the Cipher Command

  1. Protect sensitive business documents – Encrypt folders containing financial records, contracts, HR documents, or trade secrets to prevent unauthorized access even if the computer is stolen or the drive is removed.

  2. Secure personal files on shared computers – Use EFS to encrypt personal documents, tax records, or private files on family computers, ensuring other users cannot access your files.

  3. Regulatory compliance – Meet data protection requirements (HIPAA, GDPR, PCI-DSS) by encrypting files containing personal information, health records, or payment card data at rest.

  4. Secure file deletion before device disposal – Use cipher /w:C:\ before selling, donating, or recycling computers to permanently erase deleted files and prevent data recovery.

  5. Protect files on laptops and portable devices – Encrypt sensitive files on laptops to ensure data protection if the device is lost or stolen, adding a layer beyond BitLocker drive encryption.

  6. Selective encryption for performance – Encrypt only sensitive files instead of entire drives using BitLocker, maintaining better performance for non-sensitive data while protecting critical files.

  7. Multi-user environment security – On systems with multiple user accounts, encrypt files to ensure other users (including administrators) cannot access your encrypted data.

  8. Backup encryption verification – Verify files are encrypted before backing up to cloud storage or external drives, ensuring encrypted state is maintained in backups.

  9. Development environment protection – Encrypt source code, API keys, credentials, or proprietary algorithms in development directories to protect intellectual property.

  10. Forensic countermeasures – Use cipher /w to wipe free space after deleting sensitive files, preventing recovery via forensic tools or file carving techniques.

  11. Enterprise data classification – Implement encryption policies where folders labeled "Confidential" or "Restricted" are automatically encrypted via scripts or Group Policy.

  12. Temporary file cleanup – Securely wipe temp directories after processing sensitive data to ensure no remnants remain: cipher /w:C:\Temp.

Tips and Best Practices

  1. Back up encryption certificates immediately – After first use of EFS, export your encryption certificate: certmgr.msc → Personal → Certificates → Export. Store securely offline. Without this, encrypted files become permanently inaccessible if the user profile is lost.

  2. Test certificate backup and restore – Verify you can import the certificate on another system and access encrypted files. Certificate corruption or loss is the most common cause of permanent data loss with EFS.

  3. Use with BitLocker for defense-in-depth – Combine EFS (file-level) with BitLocker (full-disk) encryption. BitLocker protects against offline attacks; EFS protects against other users and online attacks.

  4. Encrypt folders, not individual files – Encrypting folders ensures all files (including temporary files created by applications) are automatically encrypted. Encrypting only specific files may leave temporary copies unencrypted.

  5. Beware of network share decryption – Files accessed over standard network shares are decrypted in transit. Use WebDAV or properly configured shares with EFS support for remote access to maintain encryption.

  6. Monitor for certificate expiration – EFS certificates can expire. Check certificate expiration in certmgr.msc and renew before expiration to avoid access issues.

  7. Designate recovery agents – In enterprise environments, configure designated recovery agent accounts that can decrypt files if users lose access. Configure via Group Policy.

  8. Consider performance impact – EFS adds minimal CPU overhead (typically <5%), but may impact performance on older systems or during heavy I/O operations. Test performance before encrypting large datasets.

  9. Secure wipe takes time – cipher /w: operations can take many hours on large drives. Run during maintenance windows or overnight. The process generates significant disk activity that may slow other operations.

  10. Use /a to encrypt existing files – Common mistake: cipher /e C:\Folder encrypts only the folder attribute. Use cipher /e /a C:\Folder to encrypt existing files in the folder.

  11. Check edition compatibility – EFS is not available in Windows Home editions. Verify systems support EFS before relying on cipher command encryption features.

  12. Document encrypted locations – Maintain documentation of which folders and files are encrypted for disaster recovery and business continuity planning.

Troubleshooting Common Issues

"Access is denied" Error

Problem: Cipher command fails with "Access is denied" when attempting to encrypt or decrypt files.

Cause: Insufficient permissions, file in use by another process, or attempting to encrypt system files protected by Windows.

Solution:

  • Run Command Prompt as Administrator
  • Close applications that may have files open
  • Check file permissions with icacls filename and ensure you have full control
  • For system files, some are protected and cannot be encrypted even with admin rights
  • Verify the file is on an NTFS volume (EFS requires NTFS)

Prevention: Always run CMD as Administrator when managing encryption. Close files before encrypting/decrypting them.

Encrypted Files Are Inaccessible

Problem: Encrypted files show "Access is denied" even to the user who encrypted them.

Cause: User profile corruption, missing encryption certificate, or certificate private key loss.

Solution:

  • Check if EFS certificate exists: certmgr.msc → Personal → Certificates (look for certificate with "Encrypting File System" purpose)
  • If certificate is missing, restore from backup if available
  • If certificate exists but files are still inaccessible, the private key may be missing or corrupted
  • Try cipher /u to update encryption keys
  • As last resort, use recovery agent account to decrypt (if configured)

Prevention: Back up EFS certificates immediately after first use. Test backups regularly. Store certificate backups securely offline.

"The specified file could not be encrypted"

Problem: Cipher reports some files cannot be encrypted.

Cause: File system doesn't support EFS (FAT32, exFAT), file is compressed (NTFS compression incompatible with encryption), file is a system file, or file is in use.

Solution:

  • Verify the volume uses NTFS: fsutil fsinfo volumeinfo C:
  • Decompress files before encrypting: Right-click → Properties → Advanced → Clear "Compress contents"
  • Close applications using the file
  • Some system files cannot be encrypted even with admin rights
  • Move files to NTFS volume if on FAT32/exFAT

Prevention: Use NTFS for volumes where encryption is needed. Don't attempt to encrypt and compress simultaneously (choose one).

Encrypted Files Become Decrypted Unexpectedly

Problem: Files lose encryption attribute without manual decryption.

Cause: Files copied to non-NTFS volumes, moved to unencrypted folders with "inherit parent folder attributes" behavior, or copied by applications that don't preserve encryption.

Solution:

  • Verify files are on NTFS volumes
  • When moving files, use robocopy with /COPY:DATSOU to preserve attributes
  • Encrypt destination folders before moving files to maintain encryption
  • Check application settings for "preserve attributes" options

Prevention: Use robocopy for file operations to preserve encryption. Encrypt destination folders before moving encrypted files.
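
A read-only audit for the two failure modes described above (existing files left in plaintext because /a was omitted, and files that lost the encryption attribute after a copy or move). This is an added PowerShell example, not part of the original guide; the function name Find-EfsGap and its finding labels are hypothetical, and it assumes a local path.

```powershell
# Added example, not from the original guide. Find-EfsGap is a hypothetical name.
# Read-only: it reports folders and files that are not EFS-encrypted and changes nothing.
function Find-EfsGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # local folder to audit, e.g. C:\Confidential
    )

    $root = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $root.PSIsContainer) { throw "$Path is not a directory." }

    # EFS only exists on NTFS, so stop early on FAT32/exFAT volumes.
    $volume = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($root.FullName))
    if ($volume.DriveFormat -ne 'NTFS') {
        throw "$($volume.Name) is formatted $($volume.DriveFormat); EFS requires NTFS."
    }

    $encrypted  = [System.IO.FileAttributes]::Encrypted
    $compressed = [System.IO.FileAttributes]::Compressed

    # -Force includes hidden and system items, like cipher /h.
    $folders = @($root) + @(Get-ChildItem -LiteralPath $root.FullName -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $marked = [bool]($folder.Attributes -band $encrypted)
        if (-not $marked) {
            # New files created in this folder will not be encrypted automatically.
            [pscustomobject]@{ Finding = 'FolderNotMarked'; Path = $folder.FullName }
        }

        $files = Get-ChildItem -LiteralPath $folder.FullName -File -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            if ($file.Attributes -band $encrypted) { continue }   # already protected

            $finding = if ($file.Attributes -band $compressed) {
                'CompressedPlaintext'        # NTFS compression is set; decompress, then encrypt
            } elseif ($marked) {
                'PlaintextInMarkedFolder'    # folder encrypted without /a, or file lost the attribute
            } else {
                'Plaintext'
            }
            [pscustomobject]@{ Finding = $finding; Path = $file.FullName }
        }
    }
}

# Example call (C:\Confidential is the folder used throughout this guide):
#   Find-EfsGap -Path C:\Confidential | Sort-Object Finding | Format-Table -AutoSize
# No output means every folder is marked and every file carries the Encrypted attribute.
```

Folders the current account cannot list are skipped silently, so run it as the user who owns the data.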

Cipher /w Takes Extremely Long

Problem: cipher /w: operation runs for many hours or appears stuck.

Cause: Normal behavior for large drives. Cipher /w writes to all free space three times (0x00, 0xFF, random data), which is time-consuming on drives with hundreds of GB of free space.

Solution:

  • Allow adequate time—estimate 1-2 hours per 100GB of free space
  • Monitor disk activity in Task Manager or Resource Monitor to verify progress
  • Run during maintenance windows or overnight
  • Consider using alternative tools like sdelete for faster secure deletion
  • For modern SSDs, consider TRIM commands instead (SSDs handle deletion differently)

Prevention: Schedule cipher /w during off-hours. For quick secure deletion of specific file locations, delete files then run cipher /w on smaller directories instead of entire drives.

Certificate Export Fails or Is Incomplete

Problem: Exporting EFS certificate produces errors or the exported certificate doesn't work when restored.

Cause: Exporting without private key, certificate corruption, or insufficient permissions to access private key.

Solution:

  • In certmgr.msc, right-click certificate → All Tasks → Export
  • Critical: Select "Yes, export the private key" option
  • Use PFX format (not CER) to include private key
  • Set a strong password to protect the private key
  • Test the export by importing on another system and accessing encrypted files

Prevention: Always export with private key in PFX format. Test backups. Store securely offline with password documentation.
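
The certificate checks and the PFX export described above can also be scripted. This is an added PowerShell example, not part of the original guide; the function names, the 60-day warning window and the E:\ path in the usage comment are assumptions, and it relies on the PKI module cmdlets that ship with Windows.

```powershell
# Added example, not from the original guide. Function names are hypothetical.

# List the current user's EFS certificates with expiry and private-key state.
function Get-EfsCertificateStatus {
    param([int]$WarnDays = 60)   # assumed renewal warning window

    $efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # OID of the "Encrypting File System" purpose
    $now = Get-Date

    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEkuOid } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if (-not $_.HasPrivateKey) {
                'NoPrivateKey'      # certificate alone cannot decrypt files
            } elseif ($daysLeft -lt 0) {
                'Expired'
            } elseif ($daysLeft -le $WarnDays) {
                'ExpiringSoon'
            } else {
                'OK'
            }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
}

# Export one certificate with its private key to a password-protected PFX,
# then read the file back to confirm it opens and holds the expected certificate.
function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FilePath,        # .pfx destination, ideally offline media
        [Parameter(Mandatory)][securestring]$Password
    )

    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this profile; a backup of it cannot decrypt files."
    }

    # Export-PfxCertificate fails if the private key is marked non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $FilePath -Password $Password -ErrorAction Stop | Out-Null

    # Catches a truncated file or a mistyped password before the backup is trusted.
    $pfx = Get-PfxData -FilePath $FilePath -Password $Password -ErrorAction Stop
    if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw "$FilePath does not contain certificate $Thumbprint."
    }
    Get-Item -LiteralPath $FilePath
}

# Example calls (E:\efs-backup.pfx is a constructed path):
#   Get-EfsCertificateStatus | Format-Table -AutoSize
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Backup-EfsCertificate -Thumbprint '<thumbprint from the list>' -FilePath E:\efs-backup.pfx -Password $pw
```

The read-back only proves the file opens with the password; the restore test on another system is still the real verification.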

Related Commands

attrib – Basic File Attributes

While cipher manages EFS encryption, attrib manages basic file attributes (read-only, hidden, archive, system). Both are file property commands but operate on different attributes.

When to use cipher: For security via encryption and secure file deletion.

When to use attrib: For basic file attributes, file hiding, read-only protection, or archive bit management.

Example: attrib +h confidential.txt hides a file (obscurity), while cipher /e confidential.txt encrypts it (security).

compact – NTFS Compression

compact manages NTFS file compression. Important: NTFS compression and encryption are mutually exclusive—files cannot be both compressed and encrypted simultaneously.

When to use compact: To save disk space on non-sensitive files.

When to use cipher: To secure sensitive files (security over space savings).

Example: compact /c C:\Data compresses files to save space, cipher /e C:\Confidential encrypts files for security.

icacls – NTFS Permissions

icacls manages NTFS file permissions (read, write, execute, full control). Use in combination with cipher for defense-in-depth: icacls restricts who can access files normally, cipher protects files from offline access or physical drive removal.

Example workflow: icacls C:\Confidential /grant Executives:(OI)(CI)F grants permission, then cipher /e /a /s:C:\Confidential adds encryption.

BitLocker – Full Disk Encryption

BitLocker encrypts entire drives, while EFS (cipher) encrypts individual files and folders. Use both for maximum protection:

  • BitLocker: Protects against offline attacks (stolen laptop, drive removal)
  • EFS (cipher): Protects against other users and provides file-level granularity

Example: Enable BitLocker on C:, then use cipher /e on sensitive folders for user-specific protection.

certmgr.msc – Certificate Management

certmgr.msc (Certificate Manager) provides GUI access to certificates including EFS certificates. Use for exporting, importing, viewing, and managing encryption certificates.

Workflow: Use cipher to encrypt files, then certmgr.msc to export EFS certificate for backup.

sdelete – Sysinternals Secure Delete

sdelete (from Sysinternals Suite) securely deletes individual files or free space, similar to cipher /w but with more control and better performance on SSDs.

Example: sdelete -z C:\ (zero free space, faster than cipher /w) or sdelete -p 7 file.txt (7-pass secure file deletion, DoD standard).

Advantage: Faster than cipher /w, supports more secure deletion patterns, better SSD support.

Frequently Asked Questions

What does cipher /e do?

cipher /e encrypts the specified directories using Encrypting File System (EFS). When applied to a folder, new files created in that folder are automatically encrypted. Use /a to encrypt existing files: cipher /e /a C:\Folder. Only the user who encrypted files (or recovery agents) can access them.

How do I decrypt files with cipher?

Use cipher /d to decrypt files or folders. Example: cipher /d C:\Folder decrypts the folder, or cipher /d /a /s:C:\Folder decrypts the folder and all files recursively. Only the user who encrypted the files or a designated recovery agent can decrypt them.

What is cipher /w used for?

cipher /w:C:\ securely wipes deleted file remnants from free disk space by overwriting with 0x00, 0xFF, and random data. This prevents recovery of deleted files using forensic tools. Use before disposing of computers or after deleting sensitive data. Warning: This operation can take many hours on large drives.

Can I encrypt files on Windows Home?

No, Encrypting File System (EFS) is only available in Windows Pro, Enterprise, Education, and Server editions. Windows Home does not support EFS encryption via the cipher command. However, cipher /w (secure wipe) works on all Windows editions.

What happens if I lose my EFS certificate?

If you lose your EFS certificate and private key, encrypted files become permanently inaccessible unless a recovery agent was configured. Critical: Always export and back up EFS certificates immediately after first use: certmgr.msc → Personal → Certificates → Export (with private key, PFX format).

How do I back up my encryption certificate?

Open certmgr.msc → Personal → Certificates → Find certificate with "Encrypting File System" purpose → Right-click → All Tasks → Export → Select "Yes, export the private key" → PFX format → Set strong password → Save to secure offline location. Test the backup by importing on another system.

Is cipher encryption the same as BitLocker?

No. Cipher uses EFS for file-level encryption (individual files/folders, user-specific). BitLocker provides full-disk encryption (entire drives, computer-specific). Use both for defense-in-depth: BitLocker protects against offline attacks, EFS protects against other users and provides granular control.

Can other users access my encrypted files?

No. Files encrypted with EFS can only be accessed by the user who encrypted them (using their certificate and private key) and designated recovery agents. Even administrators cannot access encrypted files without the encryption certificate. Physical drive removal doesn't bypass EFS protection.

Why does cipher /e not encrypt existing files?

By default, cipher /e only sets the encryption attribute on folders, causing new files to be automatically encrypted. To encrypt existing files, use the /a parameter: cipher /e /a C:\Folder. This encrypts both the folder and all current files within it.

How long does cipher /w take?

cipher /w: duration depends on free space amount. Estimate 1-2 hours per 100GB of free space, as the command writes to all free space three times (0x00, 0xFF, random). On drives with terabytes of free space, this can take many hours. Plan accordingly and run during maintenance windows.

Can I encrypt files on network drives?

EFS encryption applies to NTFS volumes. Network shares can support EFS, but encrypted files are typically decrypted in transit unless the share is configured for EFS (requires WebDAV or properly configured SMB shares). Best practice: Encrypt files locally before copying to network storage.

What's the difference between cipher and attrib +h?

attrib +h hides files (obscurity, not security—files are accessible if you know the path). cipher /e encrypts files (security—files are cryptographically protected and inaccessible without the encryption key). Hiding provides minimal protection; encryption provides strong security.

Quick Reference Card

| Command | Purpose | Example Use Case |
| --- | --- | --- |
| cipher | Display encryption status | Audit which files are encrypted |
| cipher /e C:\Folder | Encrypt folder (new files) | Auto-encrypt future documents |
| cipher /e /a C:\Folder | Encrypt folder + existing files | Fully protect folder contents |
| cipher /e /a /s:C:\Data | Encrypt directory tree | Recursive encryption |
| cipher /d /a C:\Folder | Decrypt folder + files | Remove encryption |
| cipher /w:C:\ | Secure wipe free space | Before device disposal |
| cipher /k | Create new encryption key | After certificate recovery |
| cipher /u | Update encryption keys | Refresh after profile issues |

Try the Cipher Command in Our Simulator

Practice the cipher command safely in our Windows Command Simulator. No installation required—run cipher, cipher /e, and other examples in your browser. Perfect for learning, testing commands before running them on production systems, or demonstrating EFS encryption functionality in training environments.

Visit the Commands Reference for a full list of supported Windows CMD commands, including file management, security utilities, and system administration tools.

Summary

The cipher command is essential for managing file encryption and secure deletion in Windows Command Prompt. Use cipher /e to encrypt directories and files with EFS, cipher /d to decrypt, and cipher /w: to securely wipe deleted data from free disk space. Always use /a to encrypt existing files in addition to setting folder encryption attributes.

EFS provides user-level, file-by-file encryption that protects sensitive data even if an attacker has physical access to the drive. Unlike BitLocker, which encrypts entire volumes, EFS offers granular control for selective encryption of confidential files while maintaining normal performance for non-encrypted data.

Master cipher for data protection tasks like securing sensitive documents, meeting regulatory compliance requirements, protecting files on shared or portable systems, and securely erasing data before device disposal. The command's integration with Windows user accounts and certificates makes it powerful for both individual file protection and enterprise data security policies.

Critical reminder: Always export and securely back up EFS certificates immediately after first use. Loss of the encryption certificate and private key results in permanent data loss. Test certificate backups regularly and store them securely offline, separate from encrypted data.