Issue
- You need the commands to use the ESET Endpoint Encryption (EEE) Command Line Tool
- Login Operations
- Encrypted File and Text Operations
- Encrypted Folder Operations
- Virtual Disk Operations
- Shredder Operations
- Full Disk Encryption Status Operations
- Maintenance Mode
- Leaving Maintenance Mode
- Help
Details
The ESET Endpoint Encryption (EEE) Command Line Tool enables access to specific EEE functions through a command line interface. This can be useful if you need to automate actions within the EEE client software.
The EEE Command Line Tool is now contained as part of the client install from v4.9.2 onwards. It can be found in the %PROGRAMFILES%\ESET Endpoint Encryption\ directory. On 32-bit platforms, the executable is called dlpcmd.exe. On 64-bit platforms, the executable is called dlpcmd64.exe.
Solution
Login Operations
Log in or log out of the user's Key-File from the command line.
Login
To log in to the Key-File use the login command and supply the -p switch followed by the Key-File password as shown below.
Example usage:
DLPCmd64 login -p:Password
Logout
To log out of the Key-File see the example below:
DLPCmd64 logout
Encrypted File and Text Operations
The EEE Command Line Tool can be used to encrypt and decrypt files from a command prompt, using an EEE encryption key or a password.
The current user must have a set Key-File and be logged in to EEE. These operations will not work from an elevated command prompt, as the user's Key-File cannot be accessed from the elevated task.
There are 2 encryption methods supported:
Text mode encryption
This mode is compatible with EEE Email and Text encryption.
Upload a text file to the tool to create an encrypted copy of the contained text so that it can be included in an email or document. This text can then be decrypted by the tool or by using EEE Email or Text Encryption. You will need to specify a destination filename when using this method.
Example usage:
DLPCmd64 encrypt text keyname:"My Key" input.txt output.txt
File mode encryption
This mode is compatible with EEE File Encryption (.dlp files).
Upload any type of file to be encrypted, creating a new file with a .dlp file extension. The file can be decrypted by the tool or by using EEE File Encryption.
Example usage:
DLPCmd64 encrypt file key:80004D8300AF figures.xls
File mode decryption
The decrypt switch enables encrypted files to be decrypted. Pass the type of decryption to perform (file or text) and the source filename. Decrypting a text mode file requires an additional output filename.
Example usage:
DLPCmd64 decrypt file figures.xls.dlp
DLPCmd64 decrypt text safe.txt passwords.txt
Encrypted Folder Operations
The Command Line Tool can be used to create an encrypted folder or display the encryption status of a folder.
Create Encrypted Folder
To create an encrypted folder, pass the path of the required new folder name and either the encryption key name or encryption key serial number. To hide the folder from view when the user is not logged in, pass the -h switch.
Example usage:
DLPCmd64 folder "C:\Secure Docs" keyname:3des
DLPCmd64 folder "C:\Secure Docs" key:00000FEB0000
DLPCmd64 folder "C:\Secure Docs" key:00000FEB0000 -h
Display Encrypted Folder Status
Pass the folder path without any encryption key or serial number to view the status and type of encryption.
Example usage and output:
DLPCmd64 folder "C:\Secure Docs"
Virtual Disk Operations
The Command Line Tool can be used to perform mount and unmount operations on a virtual disk file.
Mount
Use the mount switch to enable an encrypted virtual disk to be mounted for access.
Example usage:
DLPCmd64 mount documents.dlpvdisk
Global availability
When a virtual disk is mounted through the user interface or with the mount switch detailed above, it will only be available to the current Windows User context. Software that runs as another Windows user account will not be able to access the container.
A global mount switch enables all users on the system to access the container's contents when mounted. The global mount switch is only available through the command line tool and not the normal client UI.
To enable the global mount option add a -g switch to the command.
Example usage:
DLPCmd64 mount D:\Documents\secret.dlpvdisk -g
When mounting the file globally you will need to confirm the operation interactively. To skip this, pass the additional -i switch.
Example usage:
DLPCmd64 mount D:\Documents\secret.dlpvdisk -g -i
Unmount
This command will unmount a mounted disk. You can use either the currently mounted drive letter or the path to the disk to indicate which disk you would like to unmount.
Example usage:
DLPCmd64 unmount X:
DLPCmd64 unmount D:\Documents\secret.dlpvdisk
Shredder Operations
The command line tool can be used to securely delete a file using the EEE shredder.
Example usage:
DLPCmd64 shred mydocument.docx
This will shred the file using the default options. You will be prompted to confirm that you want to shred the file, and the file will be shredded using the Cryptographic Random Number method.
To skip the confirmation and shred the file with no prompt, add the -i switch.
Example usage:
DLPCmd64 shred mydocument.docx -i
To change the mode used to shred the file use one of the following switches:
Switch | Description |
 | Shred the file using Cryptographic Random Number Data |
-gutmann | Shred the file using the Gutmann algorithm |
-dode | Shred the file using US DoD 5220.22-M (8-306. /E) |
-dodece | Shred the file using US DoD 5220.22-M (8-306. /E, C and E) |
Example usage:
DLPCmd64 shred mydocument.docx -gutmann
Full Disk Encryption Status Operations
The Full Disk Encryption status of the system disks in the workstation can be displayed using the query command. The command can also be used to obtain a JSON formatted system report containing full details of the disks on the system and additional machine details.
Display status of all disks
The Full Disk Encryption status of all connected hard disks can be displayed using the -l switch as shown below:
Example usage and output:
DLPCmd64 query -l:
Display status of a specific drive or disk
To display the encryption status of a specific drive pass the drive letter in the command:
Example usage:
DLPCmd64 query -l:C
Alternatively, to show the encryption status of a specific disk pass the disk number as shown below:
Example usage:
DLPCmd64 query -l:2
Exit codes
The query command call using the -l parameter has the following exit codes:
Exit code | Meaning |
0-100 | % encrypted (applies to disk or drive specific calls) |
-101 | Not encrypted |
-102 | Partially encrypted |
-103 | Fully encrypted |
Other | Error |
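A status check built on the exit codes above, as an added PowerShell example that is not part of the original article or ESET's own code. The function names are hypothetical, and treating 100 or -103 as "compliant" is an assumption about what a policy check would want.

```powershell
# Added example, not ESET's code. Install path and file names are the ones given in this article.
# Assumption: PowerShell runs with the same bitness as the OS, so $env:ProgramFiles is the native path.
$EeeDir  = Join-Path $env:ProgramFiles 'ESET Endpoint Encryption'
$ExeName = if ([Environment]::Is64BitOperatingSystem) { 'dlpcmd64.exe' } else { 'dlpcmd.exe' }
$DlpCmd  = Join-Path $EeeDir $ExeName

function ConvertFrom-EeeQueryExitCode {
    param([Parameter(Mandatory)][int]$Code)
    # Mapping from the exit code table. 0 reads as "0% encrypted" here,
    # so the usual "exit code 0 = OK" test must not be used as a pass condition.
    if     ($Code -ge 0 -and $Code -le 100) { '{0}% encrypted' -f $Code }
    elseif ($Code -eq -101)                 { 'Not encrypted' }
    elseif ($Code -eq -102)                 { 'Partially encrypted' }
    elseif ($Code -eq -103)                 { 'Fully encrypted' }
    else                                    { 'Error' }
}

function Get-EeeDiskStatus {
    # $Target: '' = all disks, a drive letter such as 'C', or a disk number such as '2'.
    param([string]$Target = '')
    if (-not (Test-Path -LiteralPath $DlpCmd)) {
        throw "EEE command line tool not found: $DlpCmd"
    }
    # Quote the switch so PowerShell passes "-l:C" to the tool as a single argument.
    $output = & $DlpCmd query "-l:$Target" 2>&1
    $code   = $LASTEXITCODE   # capture immediately, before any other native command runs
    [pscustomobject]@{
        Target    = if ($Target) { $Target } else { 'all disks' }
        ExitCode  = $code
        Status    = ConvertFrom-EeeQueryExitCode -Code $code
        # Assumption: only a 100% or "Fully encrypted" result counts as compliant.
        Compliant = ($code -eq 100 -or $code -eq -103)
        Output    = ($output | Out-String).Trim()
    }
}

# Usage: report on drive C and on every connected disk.
Get-EeeDiskStatus -Target 'C' | Format-List
Get-EeeDiskStatus | Format-List
```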
Save detailed system information
To produce a JSON formatted file containing disk and system information, pass the -f switch:
Example usage:
DLPCmd64 query -f:C:\EEE_info.json
Maintenance Mode
Requirements
- ESET Endpoint Encryption client version 4.9.2 or later
- A workstation is encrypted and uses EFI boot mode to start
- The user account enabling maintenance mode must have Windows system administrator rights
- The password for the FDE Admin User
Set up Maintenance Mode
- For additional help, run DlpCmd64 maintenance with no switches for the help display
- For 32-bit systems the command is DlpCmd
- Specifying a time longer than three days or more than ten restarts will require that you confirm the choice by pressing Y. To skip the warning pass the -n switch
- Attempting to enable Maintenance Mode three times with an incorrect password will require a system restart (and authentication used to boot) before further attempts can be made
- When calling the command line tool from a batch file, the exit code for a successful command is 0
- Configure the workstation to enable Maintenance Mode use by setting the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client]
"MaintenanceMode"=dword:00000001
- Enable Maintenance Mode using the ESET Endpoint Encryption (EEE) Command line tool with the maintenance command switch. Users can choose to use a time limit, number of reboots or both. When both options are used, whichever occurs first removes the Maintenance Mode state from the workstation.
When enabling Maintenance Mode the FDE admin password is required. This can be included on the command line, or if the value is omitted, the command will prompt the user to type the password.
Example commands:
- Allow a workstation to restart four times without authentication (navigate to the same directory as DlpCmd64.exe before entering the command. This is in C:\Program Files\ESET Endpoint Encryption\):
DlpCmd64 maintenance -b:4 -p:Enter Your Password Here
- Allow a workstation to restart four times without authentication, prompting the user to type the password:
DlpCmd64 maintenance -b:4 -p:
- Allow a workstation to restart for the next three hours without authentication:
DlpCmd64 maintenance -h:3 -p:Enter Your Password Here
- Allow a workstation to restart without authentication until 8:30 p.m. on March 11, 2019, or until six reboots, whichever occurs first:
DlpCmd64 maintenance -b:6 -d:3/11/2019 -t:20:30 -p:Enter Your Password Here
Leaving Maintenance Mode
Maintenance Mode will be removed and normal startup behavior will return automatically after the selected number of restarts or time passes. Alternatively, you can manually remove the maintenance mode state from the system with the -r switch.
Removing maintenance mode from a system does not require a password.
Example commands:
DlpCmd64 maintenance -r
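The enable and remove steps above wrapped for a bounded patch window, as an added PowerShell example that is not part of the original article or ESET's own code. The function names and default limits are assumptions; the script uses the prompting form of -p so the FDE admin password is typed at the prompt and does not appear in the command line.

```powershell
#Requires -RunAsAdministrator
# Added example, not ESET's code. Registry key, switches and path are the ones given in this article.
$RegKey = 'HKLM:\SOFTWARE\DESlock\Client'
# Use DlpCmd.exe instead on 32-bit systems.
$DlpCmd = Join-Path $env:ProgramFiles 'ESET Endpoint Encryption\DlpCmd64.exe'

function Enable-EeeMaintenanceMode {
    param(
        # Ranges stop at the article's confirmation thresholds (ten restarts, three days),
        # so the tool does not ask for the extra Y confirmation and -n is never needed.
        [ValidateRange(1, 10)][int]$Reboots = 2,
        [ValidateRange(1, 72)][int]$Hours   = 3
    )
    if (-not (Test-Path -LiteralPath $DlpCmd)) { throw "Tool not found: $DlpCmd" }
    if (-not (Test-Path -Path $RegKey))        { throw "EEE client registry key not found: $RegKey" }

    # Step 1: allow Maintenance Mode use on this workstation.
    New-ItemProperty -Path $RegKey -Name 'MaintenanceMode' -PropertyType DWord -Value 1 -Force |
        Out-Null

    # Step 2: set both limits; whichever is reached first ends Maintenance Mode.
    # '-p:' with no value makes the tool prompt for the FDE admin password.
    & $DlpCmd maintenance "-b:$Reboots" "-h:$Hours" '-p:'
    if ($LASTEXITCODE -ne 0) {
        throw "Enabling Maintenance Mode failed (exit code $LASTEXITCODE)"
    }
}

function Disable-EeeMaintenanceMode {
    # Removing Maintenance Mode does not require a password.
    & $DlpCmd maintenance -r
    if ($LASTEXITCODE -ne 0) {
        throw "Removing Maintenance Mode failed (exit code $LASTEXITCODE)"
    }
}

# Usage: open the window before patching, close it as soon as the last reboot is done.
Enable-EeeMaintenanceMode -Reboots 2 -Hours 3
# ... patch and reboot ...
Disable-EeeMaintenanceMode
```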
Help
To obtain help from the tool, simply run it without any parameters. Include the command name for help about a specific command.