Export (0) Print
Expand All
Expand Minimize

Encrypt method of the Win32_EncryptableVolume class

The Encrypt method of the Win32_EncryptableVolume class begins encryption of a fully decrypted volume, or resumes encryption of a partially encrypted volume. When encryption is paused or in-progress, this method behaves the same as ResumeConversion. When decryption is paused or in-progress, this method stops the decryption and begins encryption.

Note  If the drive is hardware encrypted, this method does not encrypt data. Instead, it sets the band status to "unlocked" from "always unlocked". If the band is locked, unlocked or is read-only, the drive is considered to be encrypted.

Windows Vista:  Encryption of a volume other than the currently running operating system volume is not supported.

Syntax


uint32 Encrypt(
  [in, optional]  uint32 EncryptionMethod,
  [in, optional]  uint32 EncryptionFlags
);

Parameters

EncryptionMethod [in, optional]

Type: uint32

An unsigned integer that specifies the encryption algorithm and key size used to encrypt the volume. If this parameter is greater than zero and the volume is partially or fully encrypted, EncryptionMethod must match the volume's existing encryption method. If this parameter is greater than zero and the corresponding Group Policy setting is enabled with a valid value, EncryptionMethod must match the Group Policy setting.

The default value is 1 (AES 128 WITH DIFFUSER).

ValueMeaning
Unspecified
0

Use the current Group Policy setting, if available and valid, or the default encryption method otherwise.

1

AES 128 WITH DIFFUSER

Encrypt the volume using the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer, using an AES key size of 128 bits.

2

AES 256 WITH DIFFUSER

Encrypt the volume using the Advanced Encryption Standard (AES) algorithm enhanced with a diffuser layer, using an AES key size of 256 bits.

AES_128
3

Encrypt the volume using the Advanced Encryption Standard (AES) algorithm, using an AES key size of 128 bits.

AES_256
4

AES 256

Encrypt the volume using the Advanced Encryption Standard (AES) algorithm, using an AES key size of 256 bits.

 

EncryptionFlags [in, optional]

Type: uint32

Flags that describe the encryption behavior.

Windows 7, Windows Server 2008 R2, Windows Vista Enterprise, and Windows Server 2008:  This parameter is not available.

A combination of 32 bits with following bits currently defined.

ValueMeaning
0x00000001

Perform volume encryption in data-only encryption mode when starting new encryption process. If encryption has been paused or stopped, calling the Encrypt method effectively resumes conversion and the value of this bit is ignored. This bit only has effect when either the Encrypt or EncryptAfterHardwareTest methods start encryption from the fully decrypted state, decryption in progress state, or decryption paused state. If this bit is zero, meaning that it is not set, when starting new encryption process, then full mode conversion will be performed.

0x00000002

Perform on-demand wipe of the volume free space. Calling the Encrypt method with this bit set is only allowed when volume is not currently converting or wiping and is in an "encrypted" state.

0x00010000

Perform the requested operation synchronously. The call will block until requested operation has completed or was interrupted. This flag is only supported with the Encrypt method. This flag can be specified when Encrypt is called to resume stopped or interrupted encryption or wiping or when either encryption or wiping is in progress. This allows the caller to resume synchronously waiting until the process is completed or interrupted.

 

Return value

Type: uint32

This method returns one of the following codes or another error code if it fails.

This method returns immediately. If the volume is already fully encrypted and no other errors are returned, this method returns 0.

Return code/valueDescription
S_OK
0 (0x0)

The method was successful.

E_INVALIDARG
2147942487 (0x80070057)

The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting.

FVE_E_CANNOT_ENCRYPT_NO_KEY
2150694958 (0x8031002E)

No encryption key exists for the volume. Either disable key protectors by using the DisableKeyProtectors method or use one of the following methods to specify key protectors for the volume:

Windows Vista:  When no encryption key exists for the volume, ERROR_INVALID_OPERATION is returned instead. The decimal value is 4317 and the hexadecimal value is 0x10DD.

FVE_E_CANNOT_SET_FVEK_ENCRYPTED
2150694957 (0x8031002D)

The provided encryption method does not match that of the partially or fully encrypted volume. To continue encryption, leave the EncryptionMethod parameter blank or use a value of zero.

FVE_E_CLUSTERING_NOT_SUPPORTED
2150694942 (0x8031001E)

The volume cannot be encrypted because this computer is configured to be part of a server cluster.

FVE_E_LOCKED_VOLUME
2150694912 (0x80310000)

The volume is locked.

FVE_E_POLICY_PASSWORD_REQUIRED
2150694956 (0x8031002C)

No key protectors of the type "Numerical Password" are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services. To add at least one key protector of that type, use the ProtectKeyWithNumericalPassword method.

 

Remarks

When you use this method without the second optional parameter (according to the Windows 7 and Windows Vista Enterprise definition), the method will always initiate full mode conversion in order to keep backward compatible behavior. This way the security expectation of existing applications and scripts will not be broken with the addition of the second optional parameter in Windows 8 and Windows Server 2012.

You can call GetConversionStatus to determine whether encryption is in progress and the percentage of the volume that has been encrypted.

After the volume is fully encrypted and if key protectors have been added and enabled, the protection status for the volume changes to "on".

Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).

Requirements

Minimum supported client

Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

Namespace

\\.\root\CIMV2\Security\MicrosoftVolumeEncryption

MOF

Win32_encryptablevolume.mof

See also

Win32_EncryptableVolume

 

 

Community Additions

ADD
Show:
© 2014 Microsoft