User EFS certificates are stored in the user's profile folder, so if the entire folder was encrypted with that key, the key would be inaccessible and the user wouldn't be able to log in! Fortunately, the important files were in use when you ran that command, and so they didn't get encrypted. The profile folder itself is also locked by the system while the user is logged on, so cipher couldn't set the flag that makes new files in it be encrypted.
To set that flag on a user's profile folder, log off that user and log in as a different account (which must be an administrator). Open an administrative command prompt and cd into the directory above the target user's profile folder. Run cipher /e followed by the name of the profile folder to set the flag. For instance, I might do cipher /e Ben while in the C:\Users folder.
Do not add /s! If you do, this administrator's key will be used to encrypt everything in the profile folder, and the target user will be unable to log on. That command only sets the flag; no encryption actually happens, though a key will be generated for the administrator. You can then log off the administrator and log back on as the target user.
New files in the profile folder root will be encrypted automatically. You can run your command to encrypt as much as possible as the current user, but keep in mind that not everything will be encrypted. If you really need everything encrypted, consider using something like BitLocker.
So basically, I log off the user I want to encrypt, log in as a temp Admin user, encrypt their C:/Users/DIR with cipher /e . ? – Jason – 2016-06-15T20:39:58.587
Under some circumstances, I just noticed, that can result in an "in use" error. I've updated my answer to suggest running the cipher command on the folder while cd'd into the parent directory. – Ben N – 2016-06-15T20:48:08.167
Question on the /s. In the documentation I've read it says it's for directory selection? Am I wrong by that? – Jason – 2016-06-16T00:28:46.503
@FrankThornton Right, /s recursively encrypts a directory and all its contents. We don't want that here. Rather, we just want to set the "encrypt new files" flag on a single directory without affecting existing contents. – Ben N – 2016-06-16T00:29:58.867
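The procedure from the answer above, as an added PowerShell example that is not part of the original answer or comments: it sets the flag with cipher /e (no /s) from the parent directory, then verifies that the folder carries the Encrypted attribute and that no existing contents were encrypted under the administrator's key. The parameter names, their defaults and the Get-EncryptedItems helper are assumptions made for illustration.

```powershell
# Added example. Run from an elevated prompt as a DIFFERENT administrator,
# with the target user logged off.
param(
    [string]$ProfileName = 'Ben',       # folder name from the answer's example
    [string]$UsersRoot   = 'C:\Users'   # assumed parent directory
)
$ErrorActionPreference = 'Stop'
$enc    = [System.IO.FileAttributes]::Encrypted
$target = Join-Path $UsersRoot $ProfileName

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an administrative prompt.'
}
if ($target -ieq $env:USERPROFILE) {
    throw 'Log in as a different administrator; this is your own profile.'
}

# Hypothetical helper: full paths of items under $Path carrying the Encrypted attribute.
function Get-EncryptedItems([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band $enc } |
        Select-Object -ExpandProperty FullName
}

# Snapshot what is already encrypted so that any change can be detected afterwards.
$before = @(Get-EncryptedItems $target)

# cd into the parent directory and set the flag on the folder only.
Push-Location -LiteralPath $UsersRoot
try     { cipher /e $ProfileName }   # deliberately no /s
finally { Pop-Location }

# The flag is the Encrypted attribute on the directory itself.
if (-not ((Get-Item -LiteralPath $target -Force).Attributes -band $enc)) {
    throw "Encrypted flag is not set on $target (folder still in use?)."
}

# Anything newly encrypted now is protected by this administrator's key, not the user's.
$new = @(Get-EncryptedItems $target | Where-Object { $before -notcontains $_ })
if ($new.Count) {
    Write-Warning "$($new.Count) existing item(s) were encrypted with this administrator's key:"
    $new
} else {
    "Flag set on $target; no existing contents were encrypted."
}
```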