Edit

Handling Encrypted Files and Directories

  • Article

A programmer or user may mark a directory or file as encrypted. A file marked encrypted is encrypted by the NTFS file system by using the current encryption driver. If at a later date the file is marked as not encrypted, it is decrypted and left in a plain text (unsecured) state.

Directories are not themselves encrypted. Rather, by default, in an "encrypted" directory all new files in the directory are encrypted at creation. A user must specifically change the status of a new file to decrypted if the user does not want the file to be encrypted. An encrypted directory is visible. To make a directory inaccessible to other users, use the standard methods of access control.

The encryption functions cannot be used with the Backup API.

To encrypt a new file, use the CreateFile function with the FILE_ATTRIBUTE_ENCRYPTED flag. To encrypt an existing file, use the EncryptFile function. All data streams in the file are encrypted. If the file is already encrypted, EncryptFile does nothing but returns a nonzero value, which indicates success. If the file is compressed, EncryptFile decompresses the file before encrypting it.

To decrypt an encrypted file, use the DecryptFile function. If the file is not encrypted, DecryptFile does nothing but returns a nonzero value indicating success.

The EncryptionDisable function disables or enables the encryption of the indicated directory and the files in it. It does not affect the encryption of subdirectories below the indicated directory.

To retrieve the encryption status of a file, use the FileEncryptionStatus function. Alternatively, call the GetFileAttributes function and examine the FILE_ATTRIBUTE_ENCRYPTED flag in the return value.

CopyFile and CopyFileEx attempt to encrypt the destination file with the keys used in the encryption of the source file. If this cannot be done, both functions attempt to encrypt the destination file with default keys. If both of these methods cannot be done, CopyFile and CopyFileEx fail with an ERROR_ENCRYPTION_FAILED error. If you want CopyFileEx to complete the copy operation even when the destination file cannot be encrypted, include the COPY_FILE_ALLOW_DECRYPTED_DESTINATION flag in the value of the dwCopyFlags parameter in your call to CopyFileEx.