1NTFSDECRYPT(8) System Manager's Manual NTFSDECRYPT(8)
2
3
4
6 ntfsdecrypt - decrypt or update NTFS files encrypted according to EFS
7
9 ntfsdecrypt [options] -k key.pfx device file
10
12 ntfsdecrypt decrypts a file from an unmounted device and print the de‐
13 crypted data on the standard output. It can also update an encrypted
14 file with the encryption key unchanged.
15
16 The NTFS file encryption (known as EFS) uses a two-level encryption :
17 first, the file contents is encrypted with a random symmetric key, then
18 this symmetric key is encrypted with the public keys of each of the
19 users allowed to decrypt the file (RSA public key encryptions).
20
21 Three symmetric encryption modes are currently implemented in ntfsde‐
22 crypt : DESX (a DES variant), 3DES (triple DES) and AES_256 (an AES
23 variant).
24
25 All the encrypted symmetric keys are stored along with the file in a
26 special extended attribute named "$LOGGED_UTILITY_STREAM". Usually, at
27 least two users are allowed to read the file : its owner and the recov‐
28 ery manager who is able to decrypt all the files in a company. When
29 backing up an encrypted file, it is important to also backup the corre‐
30 sponding $LOGGED_UTILITY_STREAM, otherwise the file cannot be de‐
31 crypted, even by the recovery manager. Also note that encrypted files
32 are slightly bigger than apparent, and the option "efs_raw" has to be
33 used when backing up encrypted files with ntfs-3g.
34
35 When ntfsdecrypt is used to update a file, the keys and the
36 $LOGGED_UTILITY_STREAM are kept unchanged, so a single key file has to
37 be designated.
38
39 Note : the EFS encryption is only available in professional versions of
40 Windows;
41
43 Below is a summary of all the options that ntfsdecrypt accepts. Nearly
44 all options have two equivalent names. The short name is preceded by -
45 and the long name is preceded by --. Any single letter options, that
46 don't take an argument, can be combined into a single command, e.g.
47 -fv is equivalent to -f -v. Long named options can be abbreviated to
48 any unique prefix of their name.
49
50 -i, --inode NUM
51 Display or update the contents of a file designated through its
52 inode number instead of its name.
53
54 -e, --encrypt
55 Update an existing encrypted file and get the new contents from
56 the standard input. The full public and private key file has to
57 be designated, as the symmetric key is kept unchanged, so the
58 private key is needed to extract it.
59
60 -f, --force
61 This will override some sensible defaults, such as not using a
62 mounted volume. Use this option with caution.
63
64 -k, --keyfile-name key.pfx
65 Define the file which contains the public and private keys in
66 PKCS#12 format. This file obviously contains the keys of one of
67 the users allowed to decrypt or update the file. It has to be
68 extracted from Windows in PKCS#12 format (its usual suffix is
69 .p12 or .pfx), and it is protected by a passphrase which has to
70 be typed in for the keys to be extracted. This can be the key
71 file of any user allowed to read the file, including the one of
72 the recovery manager.
73
74 -h, --help
75 Show a list of options with a brief description of each one.
76
77 -q, --quiet
78 Suppress some debug/warning/error messages.
79
80 -V, --version
81 Show the version number, copyright and license of ntfsdecrypt.
82
83 -v, --verbose
84 Display more debug/warning/error messages.
85
87 Display the contents of the file hamlet.doc in the directory Documents
88 of the root of the NTFS file system on the device /dev/sda1
89
90 ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc
91
92 Update the file hamlet.doc
93
94 ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc < new.doc
95
96
98 There are no known problems with ntfsdecrypt. If you find a bug please
99 send an email describing the problem to the development team:
100 ntfs-3g-devel@lists.sf.net
101
103 ntfsdecrypt was written by Yuval Fledel, Anton Altaparmakov and Yura
104 Pakhuchiy. It was ported to ntfs-3g by Erik Larsson and upgraded by
105 Jean-Pierre Andre.
106
108 ntfsdecrypt is part of the ntfs-3g package and is available from:
109 https://github.com/tuxera/ntfs-3g/wiki/
110
112 Read ntfs-3g(8) for details on option efs_raw,
113 ntfscat(8), ntfsprogs(8)
114
115
116
117ntfs-3g 2022.5.17 June 2014 NTFSDECRYPT(8)