NTFSDECRYPT(8)             (June 2014)             NTFSDECRYPT(8)

          ntfsdecrypt - decrypt or update NTFS files encrypted
          according to EFS

          ntfsdecrypt [options] -k key.pfx device file

          ntfsdecrypt decrypts a file from an unmounted device and
          print the decrypted data on the standard output.  It can
          also update an encrypted file with the encryption key

          The NTFS file encryption (known as EFS) uses a two-level
          encryption : first, the file contents is encrypted with a
          random symmetric key, then this symmetric key is encrypted
          with the public keys of each of the users allowed to decrypt
          the file (RSA public key encryptions).

          Three symmetric encryption modes are currently implemented
          in ntfsdecrypt : DESX (a DES variant), 3DES (triple DES) and
          AES_256 (an AES variant).

          All the encrypted symmetric keys are stored along with the
          file in a special extended attribute named
          "$LOGGED_UTILITY_STREAM".  Usually, at least two users are
          allowed to read the file : its owner and the recovery man-
          ager who is able to decrypt all the files in a company.
          When backing up an encrypted file, it is important to also
          backup the corresponding $LOGGED_UTILITY_STREAM, otherwise
          the file cannot be decrypted, even by the recovery manager.
          Also note that encrypted files are slightly bigger than
          apparent, and the option "efs_raw" has to be used when back-
          ing up encrypted files with ntfs-3g.

          When ntfsdecrypt is used to update a file, the keys and the
          $LOGGED_UTILITY_STREAM are kept unchanged, so a single key
          file has to be designated.

          Note : the EFS encryption is only available in professional
          versions of Windows;

          Below is a summary of all the options that ntfsdecrypt
          accepts.  Nearly all options have two equivalent names.  The
          short name is preceded by - and the long name is preceded by
          --.  Any single letter options, that don't take an argument,
          can be combined into a single command, e.g.  -fv is equiva-
          lent to -f -v.  Long named options can be abbreviated to any
          unique prefix of their name.

     Page 1                  ntfs-3g 2021.8.22       (printed 5/24/22)

     NTFSDECRYPT(8)             (June 2014)             NTFSDECRYPT(8)

          -i, --inode NUM
               Display or update the contents of a file designated
               through its inode number instead of its name.

          -e, --encrypt
               Update an existing encrypted file and get the new con-
               tents from the standard input. The full public and pri-
               vate key file has to be designated, as the symmetric
               key is kept unchanged, so the private key is needed to
               extract it.

          -f, --force
               This will override some sensible defaults, such as not
               using a mounted volume.  Use this option with caution.

          -k, --keyfile-name key.pfx
               Define the file which contains the public and private
               keys in PKCS#12 format.  This file obviously contains
               the keys of one of the users allowed to decrypt or
               update the file. It has to be extracted from Windows in
               PKCS#12 format (its usual suffix is .p12 or .pfx), and
               it is protected by a passphrase which has to be typed
               in for the keys to be extracted. This can be the key
               file of any user allowed to read the file, including
               the one of the recovery manager.

          -h, --help
               Show a list of options with a brief description of each

          -q, --quiet
               Suppress some debug/warning/error messages.

          -V, --version
               Show the version number, copyright and license of

          -v, --verbose
               Display more debug/warning/error messages.

          Display the contents of the file hamlet.doc in the directory
          Documents of the root of the NTFS file system on the device

               ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc

          Update the file hamlet.doc

               ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc <

     Page 2                  ntfs-3g 2021.8.22       (printed 5/24/22)

     NTFSDECRYPT(8)             (June 2014)             NTFSDECRYPT(8)

          There are no known problems with ntfsdecrypt.  If you find a
          bug please send an email describing the problem to the
          development team:

          ntfsdecrypt was written by Yuval Fledel, Anton Altaparmakov
          and Yura Pakhuchiy.  It was ported to ntfs-3g by Erik Lars-
          son and upgraded by Jean-Pierre Andre.

          ntfsdecrypt is part of the ntfs-3g package and is available

          Read ntfs-3g(8) for details on option efs_raw,
          ntfscat(8), ntfsprogs(8)

     Page 3                  ntfs-3g 2021.8.22       (printed 5/24/22)