How to Encrypt or Decrypt a File in Batch Script
Protecting sensitive data is a critical aspect of security. While you could use third-party tools like 7-Zip to create password-protected archives, Windows has a powerful, built-in feature for transparent, on-disk encryption called the Encrypting File System (EFS). From a batch script, you can manage EFS using the native cipher.exe command-line utility.
This guide will teach you how to use the cipher command to encrypt files and folders, making them readable only by you. You will learn the commands to encrypt and decrypt, and most importantly, you will understand the critical concepts and risks associated with EFS, including why you must back up your encryption key.
The Core Command: cipher and the Encrypting File System (EFS)
The cipher command is the command-line interface to EFS. EFS is a feature of the NTFS file system that provides strong, transparent encryption.
- Transparent: When you, the owner, open an encrypted file, Windows automatically decrypts it for you in the background. When you save it, it's automatically re-encrypted on the disk.
- User-Specific: The encryption is tied to a unique certificate stored in your Windows user profile. This means that if another user on the same computer tries to open the file, they will receive an "Access is denied" error.
This is different from encoding (like Base64). EFS is true cryptographic protection.
Encrypting a File or Folder (/E)
To encrypt a file, you use the /E switch. This action marks the file for encryption.
Let's encrypt a single, sensitive text file.
@ECHO OFF
REM This command will fail if not run as the file owner or an admin.
REM /A is required for a single file: without it, cipher only operates on
REM directories and would report that 0 files were encrypted.
ECHO Encrypting sensitive_data.txt...
cipher /E /A "sensitive_data.txt"
After running this command, you might notice the filename turns green in Windows File Explorer, which is the visual indicator for an EFS-encrypted file.
Decrypting a File or Folder (/D)
To remove encryption from a file, making it a standard, unencrypted file again, you use the /D switch. You can only do this if you are the user who originally encrypted the file (or an authorized recovery agent).
@ECHO OFF
REM /A again, so that cipher acts on the file rather than on directories only.
ECHO Decrypting sensitive_data.txt...
cipher /D /A "sensitive_data.txt"
After running this, the file will return to its normal state, and the green text in File Explorer will disappear.
Key cipher Parameters Explained
- /E: Encrypts the specified files or folders.
- /D: Decrypts the specified files or folders.
- /S:<dir>: Applies the action to the specified directory and all subdirectories within it. This is how you perform a recursive operation.
- /A: Applies the action to files as well as to the containing folder (by default, cipher operates only on directories). When you encrypt a folder, this ensures that new files created in that folder will be automatically encrypted.
- /C: Displays information on the encrypted file.
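The following script, added here as an example and not taken from the original article, puts the /E, /D, /A and /C switches together on one file: it encrypts a constructed sample file, confirms the state change by parsing the E/U flag that cipher /C prints in front of each file name, decrypts it, and confirms again. The sample file name and its location under %TEMP% are assumptions; the :CheckState subroutine is a helper written for this example.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the original article): encrypt a single file,
REM verify the result with cipher /C, then decrypt it and verify again.
REM sensitive_data.txt is a constructed sample file created below.

SET "TARGET=%TEMP%\sensitive_data.txt"
ECHO This is constructed sample content. > "%TARGET%"

REM /A is required: without it cipher only operates on directories,
REM so "cipher /E file.txt" would report 0 files encrypted.
cipher /E /A "%TARGET%" >NUL
CALL :CheckState "%TARGET%" E
IF ERRORLEVEL 1 (
    ECHO [FAIL] File was not encrypted. Is the drive NTFS and EFS enabled?
    EXIT /B 1
)
ECHO [OK] "%TARGET%" is encrypted.

cipher /D /A "%TARGET%" >NUL
CALL :CheckState "%TARGET%" U
IF ERRORLEVEL 1 (
    ECHO [FAIL] File is still encrypted.
    EXIT /B 1
)
ECHO [OK] "%TARGET%" is back in plain text.
DEL "%TARGET%"
ENDLOCAL
EXIT /B 0

:CheckState
REM %1 = file path, %2 = expected flag: E (encrypted) or U (unencrypted).
REM cipher /C prints one line per file that begins with "E " or "U ";
REM FINDSTR /B anchors the match at the start of the line.
cipher /C "%~1" | FINDSTR /B /C:"%~2 " >NUL
EXIT /B %ERRORLEVEL%
```

Checking the flag after each operation, rather than trusting that the command ran, catches the two silent failure modes the article describes later: a target on a FAT32/exFAT volume, and a user account that has no usable EFS certificate.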
CRITICAL: Understanding EFS and Its Pitfalls
Using EFS is powerful, but it comes with serious risks if you don't understand how it works.
EFS is Tied to Your User Profile
The encryption key is part of your user account. If another user logs into the same computer, they cannot open your encrypted file. This is a feature. However, this also means that if your user profile becomes corrupted or is deleted, you will lose access to your own files forever.
EFS Requires an NTFS-Formatted Drive
EFS is a feature of the NTFS file system. You cannot use it on drives formatted with FAT32 or exFAT, which are common for USB flash drives and SD cards. If you copy an encrypted file to a non-NTFS drive, it will be decrypted automatically and stored in plain text.
You MUST Back Up Your Encryption Key
This is the most important warning. If you reinstall Windows, move your hard drive to a new computer without migrating your profile, or your profile becomes corrupt, your encryption key will be lost. If you lose the key, there is NO WAY to recover the data in your encrypted files. They are permanently gone.
How to Back Up Your Key:
- Open the Start Menu and type certmgr.msc.
- Navigate to Personal -> Certificates.
- Find the certificate with "Encrypting File System" listed in the "Intended Purposes" column.
- Right-click it, go to All Tasks -> Export....
- Follow the wizard. Crucially, choose to export the private key and protect it with a strong password.
- Store the resulting .pfx file in a safe place, separate from your computer (e.g., in a password manager, on a secure cloud drive, or on a USB stick).
Practical Example: A Script to Encrypt a "Secrets" Folder
This script creates a folder for sensitive documents and then applies encryption to the folder and everything inside it, ensuring that any new files added will also be encrypted.
@ECHO OFF
SETLOCAL
SET "SECRET_FOLDER=%USERPROFILE%\Documents\My Secret Files"
ECHO --- Secure Folder Setup ---
ECHO.
IF NOT EXIST "%SECRET_FOLDER%" (
ECHO Creating the secure folder...
MKDIR "%SECRET_FOLDER%"
)
ECHO Applying encryption to "%SECRET_FOLDER%" and its contents...
REM /E = Encrypt
REM /S = Apply to the directory and subdirectories
REM /A = Apply to files AND the directory itself
cipher /E /S:"%SECRET_FOLDER%" /A
ECHO.
ECHO [SUCCESS] The folder is now encrypted.
ECHO Any new files created in this folder will be automatically encrypted.
ECHO **REMINDER: Please back up your EFS certificate!**
ENDLOCAL
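The setup script marks the folder, but it does not tell you whether every file in the tree actually ended up encrypted, or whether the folder attribute is still set. The audit script below is an added example, not part of the original article: it uses the same hypothetical folder path, checks the directory's own "New files added to this directory will be encrypted" state with a bare cipher listing, then walks the tree with FOR /R and flags any file that cipher /C reports as U (unencrypted), returning exit code 1 so it can be used from a scheduled task.

```batch
@ECHO OFF
SETLOCAL
REM Added example (not from the original article): audit the folder from the
REM setup script and report any file that is NOT EFS-encrypted. Files end up
REM in plain text if they were copied in from a FAT32/exFAT volume, created
REM before the folder attribute was set, or decrypted by another user's tool.
REM SECRET_FOLDER is the same hypothetical path the setup script uses.

SET "SECRET_FOLDER=%USERPROFILE%\Documents\My Secret Files"
SET /A ENCRYPTED=0, PLAINTEXT=0

IF NOT EXIST "%SECRET_FOLDER%\" (
    ECHO [FAIL] "%SECRET_FOLDER%" does not exist.
    EXIT /B 2
)

REM cipher with no arguments lists the current directory and states whether
REM new files added to it will be encrypted; that is the folder attribute.
PUSHD "%SECRET_FOLDER%"
cipher | FINDSTR /C:"will not be encrypted" >NUL
IF NOT ERRORLEVEL 1 ECHO [WARN] Folder attribute not set: new files will NOT be encrypted.
POPD

REM Walk every file in the tree; cipher /C prefixes each file with E or U.
FOR /R "%SECRET_FOLDER%" %%F IN (*) DO (
    cipher /C "%%~fF" | FINDSTR /B /C:"U " >NUL
    IF NOT ERRORLEVEL 1 (
        ECHO [PLAINTEXT] "%%~fF"
        SET /A PLAINTEXT+=1
    ) ELSE (
        SET /A ENCRYPTED+=1
    )
)

ECHO.
ECHO Encrypted files: %ENCRYPTED%   Unencrypted files: %PLAINTEXT%
IF %PLAINTEXT% GTR 0 (
    ECHO Re-run: cipher /E /S:"%SECRET_FOLDER%" /A  to encrypt the files listed above.
    EXIT /B 1
)
ENDLOCAL
EXIT /B 0
```

Running cipher /C once per file is slow on large trees but keeps the parsing trivial; the E/U flag is the same one File Explorer turns green, so the audit reports exactly what the user would see.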
Conclusion
The cipher command provides a powerful, native way to encrypt files directly from a batch script using the Windows Encrypting File System.
- Use cipher /E to encrypt files and folders.
- Use cipher /D to decrypt them.
- Use the /S and /A switches for robustly encrypting entire directory trees.
However, EFS is a high-stakes tool.
- You must understand that it is tied to your user profile and that the loss of your encryption key means the permanent loss of your data.
- Before using this feature for any critical files, you must back up your EFS certificate.