{ "mode": "man", "parameter": "ntfsdecrypt", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ntfsdecrypt/8/json", "generated": "2026-05-30T07:08:21Z", "synopsis": "ntfsdecrypt [options] -k key.pfx device file", "sections": { "NAME": { "content": "ntfsdecrypt - decrypt or update NTFS files encrypted according to EFS\n", "subsections": [] }, "SYNOPSIS": { "content": "ntfsdecrypt [options] -k key.pfx device file\n", "subsections": [] }, "DESCRIPTION": { "content": "ntfsdecrypt decrypts a file from an unmounted device and print the decrypted data on the\nstandard output. It can also update an encrypted file with the encryption key unchanged.\n\nThe NTFS file encryption (known as EFS) uses a two-level encryption : first, the file con‐\ntents is encrypted with a random symmetric key, then this symmetric key is encrypted with the\npublic keys of each of the users allowed to decrypt the file (RSA public key encryptions).\n\nThree symmetric encryption modes are currently implemented in ntfsdecrypt : DESX (a DES vari‐\nant), 3DES (triple DES) and AES256 (an AES variant).\n\nAll the encrypted symmetric keys are stored along with the file in a special extended attri‐\nbute named \"$LOGGEDUTILITYSTREAM\". Usually, at least two users are allowed to read the\nfile : its owner and the recovery manager who is able to decrypt all the files in a company.\nWhen backing up an encrypted file, it is important to also backup the corresponding\n$LOGGEDUTILITYSTREAM, otherwise the file cannot be decrypted, even by the recovery manager.\nAlso note that encrypted files are slightly bigger than apparent, and the option \"efsraw\"\nhas to be used when backing up encrypted files with ntfs-3g.\n\nWhen ntfsdecrypt is used to update a file, the keys and the $LOGGEDUTILITYSTREAM are kept\nunchanged, so a single key file has to be designated.\n\nNote : the EFS encryption is only available in professional versions of Windows;\n", "subsections": [] }, "OPTIONS": { "content": "Below is a summary of all the options that ntfsdecrypt accepts. Nearly all options have two\nequivalent names. The short name is preceded by - and the long name is preceded by --. Any\nsingle letter options, that don't take an argument, can be combined into a single command,\ne.g. -fv is equivalent to -f -v. Long named options can be abbreviated to any unique prefix\nof their name.\n", "subsections": [ { "name": "-i --inode", "content": "Display or update the contents of a file designated through its inode number instead\nof its name.\n", "flag": "-i", "long": "--inode" }, { "name": "-e --encrypt", "content": "Update an existing encrypted file and get the new contents from the standard input.\nThe full public and private key file has to be designated, as the symmetric key is\nkept unchanged, so the private key is needed to extract it.\n", "flag": "-e", "long": "--encrypt" }, { "name": "-f --force", "content": "This will override some sensible defaults, such as not using a mounted volume. Use\nthis option with caution.\n", "flag": "-f", "long": "--force" }, { "name": "-k --keyfile-name", "content": "Define the file which contains the public and private keys in PKCS#12 format. This\nfile obviously contains the keys of one of the users allowed to decrypt or update the\nfile. It has to be extracted from Windows in PKCS#12 format (its usual suffix is .p12\nor .pfx), and it is protected by a passphrase which has to be typed in for the keys to\nbe extracted. This can be the key file of any user allowed to read the file, including\nthe one of the recovery manager.\n", "flag": "-k", "long": "--keyfile-name" }, { "name": "-h --help", "content": "Show a list of options with a brief description of each one.\n", "flag": "-h", "long": "--help" }, { "name": "-q --quiet", "content": "Suppress some debug/warning/error messages.\n", "flag": "-q", "long": "--quiet" }, { "name": "-V --version", "content": "Show the version number, copyright and license of ntfsdecrypt.\n", "flag": "-V", "long": "--version" }, { "name": "-v --verbose", "content": "Display more debug/warning/error messages.\n", "flag": "-v", "long": "--verbose" } ] }, "EXAMPLES": { "content": "Display the contents of the file hamlet.doc in the directory Documents of the root of the\nNTFS file system on the device /dev/sda1\n\nntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc\n\nUpdate the file hamlet.doc\n\nntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc < new.doc\n\n", "subsections": [] }, "BUGS": { "content": "There are no known problems with ntfsdecrypt. If you find a bug please send an email de‐\nscribing the problem to the development team:\nntfs-3g-devel@lists.sf.net\n", "subsections": [] }, "AUTHORS": { "content": "ntfsdecrypt was written by Yuval Fledel, Anton Altaparmakov and Yura Pakhuchiy. It was port‐\ned to ntfs-3g by Erik Larsson and upgraded by Jean-Pierre Andre.\n", "subsections": [] }, "AVAILABILITY": { "content": "ntfsdecrypt is part of the ntfs-3g package and is available from:\nhttps://github.com/tuxera/ntfs-3g/wiki/\n", "subsections": [] }, "SEE ALSO": { "content": "Read ntfs-3g(8) for details on option efsraw,\nntfscat(8), ntfsprogs(8)\n\n\n\nntfs-3g 2021.8.22 June 2014 NTFSDECRYPT(8)", "subsections": [] } }, "summary": "ntfsdecrypt - decrypt or update NTFS files encrypted according to EFS", "flags": [ { "flag": "-i", "long": "--inode", "arg": null, "description": "Display or update the contents of a file designated through its inode number instead of its name." }, { "flag": "-e", "long": "--encrypt", "arg": null, "description": "Update an existing encrypted file and get the new contents from the standard input. The full public and private key file has to be designated, as the symmetric key is kept unchanged, so the private key is needed to extract it." }, { "flag": "-f", "long": "--force", "arg": null, "description": "This will override some sensible defaults, such as not using a mounted volume. Use this option with caution." }, { "flag": "-k", "long": "--keyfile-name", "arg": null, "description": "Define the file which contains the public and private keys in PKCS#12 format. This file obviously contains the keys of one of the users allowed to decrypt or update the file. It has to be extracted from Windows in PKCS#12 format (its usual suffix is .p12 or .pfx), and it is protected by a passphrase which has to be typed in for the keys to be extracted. This can be the key file of any user allowed to read the file, including the one of the recovery manager." }, { "flag": "-h", "long": "--help", "arg": null, "description": "Show a list of options with a brief description of each one." }, { "flag": "-q", "long": "--quiet", "arg": null, "description": "Suppress some debug/warning/error messages." }, { "flag": "-V", "long": "--version", "arg": null, "description": "Show the version number, copyright and license of ntfsdecrypt." }, { "flag": "-v", "long": "--verbose", "arg": null, "description": "Display more debug/warning/error messages." } ], "examples": [ "Display the contents of the file hamlet.doc in the directory Documents of the root of the", "NTFS file system on the device /dev/sda1", "ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc", "Update the file hamlet.doc", "ntfsdecrypt -k foo.key /dev/sda1 Documents/hamlet.doc < new.doc" ], "see_also": [ { "name": "ntfs-3g", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ntfs-3g/8/json" }, { "name": "ntfscat", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ntfscat/8/json" }, { "name": "ntfsprogs", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/ntfsprogs/8/json" } ] }