About ntfsdecrypt

ntfsdecrypt is a tool for decrypting files that were encrypted with NTFS's built-in file encryption, EFS (the encryption metadata lives in the file's $EFS attribute). It is part of ntfsprogs, in the set of utilities built by the “make extra” target.

ntfsdecrypt is not finished at this stage. If it does not work for you, please send the exact error message to the linux-ntfs-dev mailing list.

What can it do?

Once you have direct read access to the volume (on Linux you are root or in the disk group; under Cygwin you are Administrator) and you have the private key of a user who is allowed to read the file, or of a recovery agent that was configured at the time of the file's last modification, ntfsdecrypt can decrypt the contents of the file.

NTFS supports a variety of ciphers for $EFS encryption, but the Windows driver allows only the following:

  • DES-X: The basic cipher on any NT4+ machine. It is a variation of DES with 128 bit keys. This is not the “standard” DES-X cipher that was created by RSA Security and published on Usenet.
  • Triple-DES: The standard variation of the basic DES. It uses 112 bit keys. You may choose this cipher manually if you installed the High Encryption Pack from Microsoft.
  • AES: Starting with Windows XP SP1, Microsoft made this well-known cipher the default. As a result of the way this was done, people who dual boot with Windows 2000 or NT4 experienced data loss. If you do not dual boot with Windows 2000, it is highly recommended to use this cipher, as the others are rather weak these days.
  • DES: It is not possible to configure this cipher, but it is supported internally as a fallback if some configuration error has occurred.

How to use ntfsdecrypt

Preparations

First of all you need to get the private key.

  • The graphical way:
    1. Open the Certificates manager on Windows by one of the following methods:
      • Invoking “mmc certmgr.msc”.
      • Double clicking on the “certmgr.msc” file in the \windows\system32 directory.
    2. Find the certificate in the Personal/Certificates folder.
    3. Double click on it.
    4. Switch to the Details page.
    5. Click on “Copy to File”.
    6. In the wizard, choose “Yes, Export the private key”.
    7. Export the PFX file WITH A PASSWORD.
    8. Choose a file name.
  • The command line way:
    1. Run “cipher /x filename.pfx” (this backs up the current user's EFS certificate and private key to a PFX file).
    2. Enter a password.
  • The obvious way:
    • If you need to use the recovery key, you created that file yourself when you configured the recovery agent, so you must have it backed up somewhere.

The password is needed for two purposes:

  1. It protects the exported private key at rest.
  2. GnuTLS needs to be patched in order to work with passwordless PFX files.

Second, you need to build ntfsdecrypt. Use the building-from-source HowTo document for that.

Note that you need to configure ntfsprogs with “./configure --enable-crypto” and run make with the “make extra” target.

ntfsdecrypt invocation

ntfsdecrypt -k /your/path/to/file_name.pfx /dev/hda5 "dir1/dir2/my crypted file.txt"
  • Replace /your/path/to/file_name.pfx with the location and name of the PFX file you exported in Windows.
  • Replace /dev/hda5 with the NTFS partition.
  • Replace “dir1/dir2/my crypted file.txt” with the path, relative to the volume root, of the encrypted file you want to display.
  • Press return and you will be asked for your pass phrase. If the pass phrase is empty, just press enter at this point (empty passwords are not guaranteed to work; see Known problems below).

You will now see the decrypted file contents on stdout.

If you want to copy them to a file, run the same command with stdout redirected to a file, i.e.:

ntfsdecrypt -k file.pfx /dev/hda5 encrypted.file > ~/decrypted.file

Troubleshooting/Error messages

Wrong pfx password

If you get the following error message, you have not entered the correct password for the PFX file:

Failed to verify the MAC (The Message Authentication Code verification failed.).
  Is the password correct?
Failed to extract the private RSA key.  Did you perhaps mistype the password?
  • Check CAPS LOCK.
  • Try to export the private key again with a different password.

Not an encrypted file

If you get the following error message, the file is not EFS-encrypted at all; use ntfscat instead:

Failed to open $EFS attribute: No such file or directory
Failed to obtain file encryption key.  Aborting.

File does not exist

If you get the following error message, you have not typed the correct file path and name:

Failed to open encrypted file.  Aborting.
  • Type the path relative to the volume root: for example “dir1/dir2/my crypted file.txt”, not “/mnt/hda5/dir1/dir2/my crypted file.txt”.
  • Check that the file exists, for example with 'ntfsinfo -d /dev/hda5 -F “dir1/dir2/my crypted file.txt”' (replace /dev/hda5 and the file name).
  • Alternatively, mount the volume and use “ls” or “cat” to check that the file is there.
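The invocation described above and the three error messages in this section fit together into one batch wrapper. The script below is an added example, not part of ntfsprogs: it normalises user-typed paths into the volume-relative form ntfsdecrypt expects, decrypts every path listed in a file into an output directory, and maps ntfsdecrypt's stderr onto the troubleshooting cases above, removing any empty output file left behind by a failed run. It assumes ntfsdecrypt is on PATH and prompts for the PFX pass phrase on the controlling terminal (so capturing its stderr does not hide the prompt); the function names, the EFS_MOUNT variable and the list-file format are the example's own.

```shell
#!/bin/sh
# Batch wrapper around ntfsdecrypt (added example, not part of ntfsprogs).
# Assumptions: ntfsdecrypt is on PATH and prompts for the PFX pass phrase on
# the controlling terminal itself, so capturing its stderr below does not hide
# the prompt. LISTFILE holds one path per line (constructed by the user).

# Turn a path typed with the mount point or a leading slash into the
# volume-relative form ntfsdecrypt expects:
#   efs_volume_relpath /mnt/hda5 "/mnt/hda5/dir1/a.txt"  ->  "dir1/a.txt"
efs_volume_relpath() {
    mnt=${1%/}
    p=$2
    case "$p" in
        "$mnt"/*) p=${p#"$mnt"/} ;;
    esac
    while [ "${p#/}" != "$p" ]; do
        p=${p#/}
    done
    printf '%s\n' "$p"
}

# Map ntfsdecrypt's stderr text onto the troubleshooting cases listed above.
classify_ntfsdecrypt_error() {
    case "$1" in
        *'Failed to verify the MAC'*|*'mistype the password'*) echo wrong_password ;;
        *'Failed to open $EFS attribute'*)                     echo not_encrypted ;;
        *'Failed to open encrypted file'*)                     echo not_found ;;
        *)                                                     echo unknown ;;
    esac
}

# Decrypt one file from DEVICE into OUTDIR, keeping its directory layout.
# Returns 0 on success, 2 on a wrong pass phrase, 1 on any other failure.
#   efs_decrypt_one PFX DEVICE RELPATH OUTDIR
efs_decrypt_one() {
    pfx=$1; dev=$2; rel=$3; out=$4/$3
    mkdir -p "$(dirname "$out")"
    errlog=$(mktemp) || return 1
    if ntfsdecrypt -k "$pfx" "$dev" "$rel" >"$out" 2>"$errlog"; then
        rm -f "$errlog"
        printf 'ok    %s\n' "$rel"
        return 0
    fi
    kind=$(classify_ntfsdecrypt_error "$(cat "$errlog")")
    cat "$errlog" >&2          # keep the exact message for the mailing list
    rm -f "$errlog" "$out"     # never leave an empty or partial output behind
    case "$kind" in
        wrong_password) printf 'FAIL  %s: wrong PFX pass phrase (CAPS LOCK? re-export?)\n' "$rel" ;;
        not_encrypted)  printf 'SKIP  %s: not EFS-encrypted, use ntfscat instead\n' "$rel" ;;
        not_found)      printf 'FAIL  %s: not found; use a path relative to the volume root\n' "$rel" ;;
        *)              printf 'FAIL  %s: unexpected error, see output above\n' "$rel" ;;
    esac >&2
    if [ "$kind" = wrong_password ]; then return 2; fi
    return 1
}

# Decrypt every path in LISTFILE. Stops on a wrong pass phrase, since every
# further attempt with the same PFX file would fail the same way.
# Paths may be given relative to $EFS_MOUNT (default /) or to the volume root.
#   efs_batch_decrypt PFX DEVICE LISTFILE OUTDIR
efs_batch_decrypt() {
    pfx=$1; dev=$2; list=$3; outdir=$4
    failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rel=$(efs_volume_relpath "${EFS_MOUNT:-/}" "$line")
        rc=0
        efs_decrypt_one "$pfx" "$dev" "$rel" "$outdir" || rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "aborting: fix the pass phrase and rerun" >&2
            return 2
        fi
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done <"$list"
    [ "$failed" -eq 0 ]
}

# Only run when invoked with four arguments, so the functions can be sourced.
#   sh efs-batch.sh key.pfx /dev/hda5 files.txt ~/decrypted
if [ "$#" -eq 4 ]; then
    efs_batch_decrypt "$@"
fi
```

Because ntfsdecrypt asks for the pass phrase on every invocation, a long list means typing it once per file; the early stop on a wrong pass phrase keeps a typo from producing a directory full of failures. The output file is deleted on any failure so that an empty file is never mistaken for a successfully decrypted one.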

Known problems

  • Empty passwords for PFX files require libgnutls version 1.2.8 or above (as required by the configure script).
  • libgcrypt prior to version 1.2.0 makes ntfsdecrypt crash (libgnutls 1.2.8 requires libgcrypt 1.2.2 or above).
 
ntfsdecrypt.txt · Last modified: 2009/02/09 21:32 (external edit)