INFO: Understanding Encrypted Directories

ID: Q248723


The information in this article applies to:
  • Microsoft Windows 2000


SUMMARY

Windows 2000 provides the ability to encrypt files and directories on NTFS volumes. Unlike files, the contents and streams of directories are not encrypted. Instead, when a directory is encrypted, files placed within the directory are automatically encrypted. This article explains how encryption applies to directories.


MORE INFORMATION

The NTFS file system in Windows 2000 provides Win32 programs the ability to encrypt the contents of files with the EncryptFile() function. EncryptFile() encrypts all streams in the specified file using the cryptographic service provider installed on the computer and the calling process's file encryption keys. The result is that only the account that encrypted the file may decrypt it.

Directories may be specified in calls to EncryptFile(), but the contents of directories are never encrypted, and if a directory contains additional streams, the streams are not encrypted. When EncryptFile() is called on a directory, NTFS adds the encryption attribute (FILE_ATTRIBUTE_ENCRYPTED) to the directory. Directories with the encryption attribute are referred to as "encrypted directories."

Files added to an encrypted directory are encrypted automatically if not already encrypted. Subdirectories added to an encrypted directory also receive the encryption attribute. Files that existed in the directory before its encryption attribute was set are not affected. Although the encryption attribute causes new files to be encrypted automatically, it does not prevent files from being decrypted; they may be decrypted individually with the DecryptFile() function. Also, automatically encrypted files are not decrypted when moved from the encrypted directory.

Because NTFS does not encrypt the contents or streams (if present) of a directory, everyone who has list access to the directory (as defined by the DACL in the directory's security descriptor) can view the names of the files it contains. Therefore, to secure a directory, you must set the DACL in the directory's security descriptor accordingly.
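The following PowerShell script is an added example, not part of this article, that exercises each statement above by calling EncryptFile() and DecryptFile() from advapi32.dll through P/Invoke. It assumes %TEMP% is on an NTFS volume, that EFS is enabled for the calling account (a file encryption certificate is provisioned on first use), and that the move stays on the same volume. The Efs.Native type, the Test-Encrypted and Invoke-Native helpers, and the directory names are this example's own.

```powershell
# Added example (not from the KB article): observe how FILE_ATTRIBUTE_ENCRYPTED
# behaves on a directory. Assumptions: NTFS volume under $env:TEMP, EFS enabled
# for the current account, source and destination of the move on one volume.
Add-Type -Namespace Efs -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool EncryptFile(string lpFileName);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DecryptFile(string lpFileName, uint dwReserved);
'@

function Test-Encrypted([string]$Path) {
    # FILE_ATTRIBUTE_ENCRYPTED is surfaced to .NET as FileAttributes.Encrypted (0x4000).
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Invoke-Native([string]$Name, [bool]$Result) {
    # Both APIs return FALSE on failure; the Win32 error code is preserved by SetLastError.
    if (-not $Result) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "$Name failed with Win32 error $code"
    }
}

$root     = Join-Path $env:TEMP ("efs-demo-" + [guid]::NewGuid())
$encDir   = Join-Path $root 'encrypted'
$plainDir = Join-Path $root 'plain'
New-Item -ItemType Directory -Path $encDir, $plainDir | Out-Null
try {
    # A file that already exists when the directory attribute is set.
    $old = Join-Path $encDir 'existing.txt'
    Set-Content -LiteralPath $old -Value 'created before EncryptFile'

    # EncryptFile() on a directory only sets the attribute; nothing in it is encrypted.
    Invoke-Native 'EncryptFile' ([Efs.Native]::EncryptFile($encDir))
    "directory has encryption attribute : $(Test-Encrypted $encDir)"
    "pre-existing file encrypted        : $(Test-Encrypted $old)"   # attribute is not retroactive

    # Files and subdirectories created afterwards pick up the attribute automatically.
    $new = Join-Path $encDir 'new.txt'
    Set-Content -LiteralPath $new -Value 'created after EncryptFile'
    $sub = New-Item -ItemType Directory -Path (Join-Path $encDir 'sub')
    "new file encrypted                 : $(Test-Encrypted $new)"
    "new subdirectory has attribute     : $(Test-Encrypted $sub.FullName)"

    # The directory attribute does not pin its files: DecryptFile() on one file alone succeeds.
    Invoke-Native 'DecryptFile' ([Efs.Native]::DecryptFile($new, 0))
    "file after individual DecryptFile  : $(Test-Encrypted $new)"

    # An automatically encrypted file keeps its encryption when moved out of the directory.
    $moved = Join-Path $encDir 'moved.txt'
    Set-Content -LiteralPath $moved -Value 'will be moved'
    $dest = Join-Path $plainDir 'moved.txt'
    Move-Item -LiteralPath $moved -Destination $dest
    "moved to plain directory, encrypted: $(Test-Encrypted $dest)"

    # Who can enumerate the directory is decided by its DACL, not by EFS.
    (Get-Acl -LiteralPath $encDir).Access |
        Where-Object { $_.FileSystemRights -match 'ListDirectory|ReadData|FullControl' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}
finally {
    Remove-Item -LiteralPath $root -Recurse -Force
}
```

Run it from an interactive session of the account that should own the files; the final ACL listing is the check that matters for confidentiality of file names, since the directory attribute only governs what happens to new files, not who may list them.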

Additional query words: EFS encrypt decrypt

Keywords : kbFileIO kbKernBase kbWinOS2000 kbSecurity kbDSupport kbGrpKernBase
Version : WINDOWS:
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: January 5, 2000
© 2000 Microsoft Corporation. All rights reserved.