Platform SDK: Files and I/O
A programmer or user may mark a directory or file as encrypted. A file so marked is encrypted by NTFS using the current encryption driver. If the file is later marked as not encrypted, it is decrypted and left in a plaintext (unsecured) state.
Directories are not themselves encrypted. Rather, by default, every new file created in an "encrypted" directory is encrypted at creation. A user must specifically change the status of a new file to decrypted if the user does not want the file to be encrypted. Marking a directory as encrypted does not hide it. To make a directory inaccessible to other users, use the standard methods of access control.
To create a new file as encrypted, call the CreateFile function with the FILE_ATTRIBUTE_ENCRYPTED flag. To encrypt an existing file, use the EncryptFile function. All data streams in the file are encrypted. If the file is already encrypted, EncryptFile does nothing but return a nonzero value, which indicates success. If the file is compressed, EncryptFile decompresses the file before encrypting it.
To decrypt an encrypted file, use the DecryptFile function. If the file is not encrypted, DecryptFile does nothing but return a nonzero value indicating success.
The EncryptionDisable function disables or enables encryption of the indicated directory and the files in it. It does not affect encryption of subdirectories below the indicated directory.
To retrieve the encryption status of a file, use the FileEncryptionStatus function. Alternatively, call the GetFileAttributes function and examine the FILE_ATTRIBUTE_ENCRYPTED flag in the return value.
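The following PowerShell script is an added example, not part of the Platform SDK text, that drives the functions described above (EncryptFile, DecryptFile, FileEncryptionStatus, EncryptionDisable, and the FILE_ATTRIBUTE_ENCRYPTED attribute check) through P/Invoke so that each documented behaviour can be observed: creation-time inheritance in an encrypted directory, the idempotent EncryptFile call, decryption back to plaintext, and EncryptionDisable on a directory. It assumes a Windows NTFS volume with EFS available to the current user; the `efs-demo` paths under `$env:TEMP` are constructed for the demonstration, and the `Efs` wrapper class and `Get-EfsStatus` helper are names introduced here, not SDK names.

```powershell
# Added example (not from the Platform SDK page). Requires Windows, an NTFS
# volume and a user able to use EFS. Paths under $env:TEMP are constructed.

# P/Invoke declarations matching the Win32 prototypes in winefs.h / advapi32.dll.
# CharSet.Unicode makes the marshaller bind to the ...W entry points.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class Efs
{
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EncryptFile(string lpFileName);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DecryptFile(string lpFileName, uint dwReserved);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool FileEncryptionStatus(string lpFileName, out uint lpStatus);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint EncryptionDisable(string DirPath, bool Disable);
}
"@

$FILE_ATTRIBUTE_ENCRYPTED = 0x4000   # winnt.h

# Status codes returned by FileEncryptionStatus (winefs.h).
$FileStatus = @{
    0 = 'FILE_ENCRYPTABLE';       1 = 'FILE_IS_ENCRYPTED'
    2 = 'FILE_SYSTEM_ATTR';       3 = 'FILE_ROOT_DIR'
    4 = 'FILE_SYSTEM_DIR';        5 = 'FILE_UNKNOWN'
    6 = 'FILE_SYSTEM_NOT_SUPPORT';7 = 'FILE_USER_DISALLOWED'
    8 = 'FILE_READ_ONLY';         9 = 'FILE_DIR_DISALLOWED'
}

# Helper (name chosen for this example): report both ways the page gives for
# reading encryption state, FileEncryptionStatus and the attribute flag.
function Get-EfsStatus([string]$Path) {
    $status = [uint32]0
    if (-not [Efs]::FileEncryptionStatus($Path, [ref]$status)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "FileEncryptionStatus($Path) failed, Win32 error $err"
    }
    $attrs = [int](Get-Item -LiteralPath $Path -Force).Attributes
    [pscustomobject]@{
        Path          = $Path
        Status        = $FileStatus[[int]$status]
        AttrEncrypted = (($attrs -band $FILE_ATTRIBUTE_ENCRYPTED) -ne 0)
    }
}

$Root = Join-Path $env:TEMP 'efs-demo'          # constructed directory
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# 1. Mark the directory encrypted. The directory's own contents are not
#    encrypted; new files created in it are encrypted at creation time.
if (-not [Efs]::EncryptFile($Root)) { throw "EncryptFile($Root) failed" }
$inherited = Join-Path $Root 'inherited.txt'
Set-Content -LiteralPath $inherited -Value 'created inside an encrypted directory'
Get-EfsStatus $inherited        # expect Status FILE_IS_ENCRYPTED, AttrEncrypted True

# 2. Encrypt an existing plaintext file. A second call on an already
#    encrypted file is a no-op that still returns TRUE.
$plain = Join-Path $env:TEMP 'efs-demo-plain.txt'
Set-Content -LiteralPath $plain -Value 'plaintext before EncryptFile'
if (-not [Efs]::EncryptFile($plain)) { throw "EncryptFile($plain) failed" }
if (-not [Efs]::EncryptFile($plain)) { throw 'second EncryptFile should also succeed' }
Get-EfsStatus $plain            # expect FILE_IS_ENCRYPTED

# 3. Decrypt it. dwReserved must be 0. After this the data is stored in the
#    clear, so only the NTFS ACL protects it.
if (-not [Efs]::DecryptFile($plain, 0)) { throw "DecryptFile($plain) failed" }
Get-EfsStatus $plain            # expect FILE_ENCRYPTABLE, AttrEncrypted False

# 4. Disable encryption for the directory: files created in it from now on are
#    not encrypted. Existing files and subdirectories are not changed.
if ([Efs]::EncryptionDisable($Root, $true) -eq 0) { throw "EncryptionDisable($Root) failed" }
$later = Join-Path $Root 'after-disable.txt'
Set-Content -LiteralPath $later -Value 'created after EncryptionDisable'
Get-EfsStatus $later            # expect AttrEncrypted False
Get-EfsStatus $inherited        # unchanged: still FILE_IS_ENCRYPTED

# Cleanup of the constructed files.
Remove-Item -LiteralPath $Root -Recurse -Force
Remove-Item -LiteralPath $plain -Force
```

Both checks are shown deliberately: the attribute bit from GetFileAttributes tells you only whether the file is currently encrypted, while FileEncryptionStatus also explains why a file cannot be encrypted (for example FILE_SYSTEM_NOT_SUPPORT on a non-NTFS volume or FILE_READ_ONLY), which is the more useful signal when auditing where EncryptFile would silently leave data in plaintext.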