INFO: Understanding Encrypted Directories

This article was previously published under Q248723
This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft Windows 2000 and Microsoft Windows XP provide the ability to encrypt files and directories on NTFS volumes. Unlike files, the contents and streams of directories are not encrypted. Instead, when a directory is encrypted, files placed in the directory are automatically encrypted. This article explains how encryption applies to directories.
The NTFS file system in Windows 2000 and Windows XP gives Win32 programs the ability to encrypt the contents of files with the EncryptFile() function. EncryptFile() encrypts all streams in the specified file using the cryptographic service provider installed on the computer and the calling process's file encryption keys. The result is that only the account that encrypted the file (together with any EFS data recovery agent configured by policy) can decrypt it.

Directories may be specified in calls to EncryptFile(), but the contents of a directory are never encrypted, and if the directory carries additional streams, those streams are not encrypted either. When EncryptFile() is called on a directory, NTFS adds the encryption attribute (FILE_ATTRIBUTE_ENCRYPTED) to the directory. Directories with the encryption attribute are referred to as "encrypted directories."

Files added to an encrypted directory are encrypted automatically if they are not already encrypted. Subdirectories added to an encrypted directory also receive the encryption attribute. Files that existed in the directory before its encryption attribute was set are not affected by EncryptFile() itself. Although the encryption attribute causes new files to be encrypted automatically, it does not prevent files from being decrypted: they may be decrypted individually with the DecryptFile() function, and the directory keeps its attribute. Also, automatically encrypted files are not decrypted when moved out of the encrypted directory; they keep the encryption attribute at the new location on an NTFS volume.

Because NTFS does not encrypt the contents (or the streams, if present) of a directory, everyone who has list access to the directory, as granted by the DACL in the directory's security descriptor, can view the names of the files in it. The encryption attribute provides no protection against enumeration. To restrict who can list a directory, set the DACL in the directory's security descriptor accordingly.
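The following PowerShell script is an added example and is not part of this article or of the Windows SDK samples. It calls the same Win32 EncryptFile() and DecryptFile() functions described above through P/Invoke, and checks FILE_ATTRIBUTE_ENCRYPTED (0x4000) on each object to show which items the directory attribute does and does not affect: a pre-existing file, a file and a subdirectory created afterwards, a file decrypted individually, and a file moved out of the directory. It assumes an NTFS volume, that EFS is not disabled by policy, and that the current user can obtain an EFS certificate; the directory and file names under $env:TEMP are constructed for the demonstration.

```powershell
# Added example, not from KB248723. Requires Windows, NTFS and EFS enabled.
# Declares EncryptFileW / DecryptFileW from advapi32.dll (the Win32 functions
# the article describes) and uses the file attribute bits to observe behavior.
$efsSource = @"
using System;
using System.Runtime.InteropServices;
public static class Efs {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EncryptFile(string lpFileName);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DecryptFile(string lpFileName, uint dwReserved);
}
"@
Add-Type -TypeDefinition $efsSource

function Test-Encrypted([string]$Path) {
    # FILE_ATTRIBUTE_ENCRYPTED is 0x4000; works for files and directories alike.
    $attrs = [int](Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band 0x4000) -ne 0)
}

function Invoke-Efs([scriptblock]$Call, [string]$What) {
    # Surface the Win32 error instead of silently continuing on failure.
    if (-not (& $Call)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "$What failed with Win32 error $err"
    }
}

function Report([bool]$Expected, [bool]$Actual, [string]$Desc) {
    # Compare observed attribute state with what the article says should happen.
    $tag = if ($Expected -eq $Actual) { 'OK  ' } else { 'FAIL' }
    "$tag $Desc (encrypted=$Actual)"
}

# Constructed scratch layout: enc\ will become the encrypted directory,
# plain\ is an ordinary directory on the same NTFS volume.
$root   = Join-Path $env:TEMP ('efsdemo-' + [guid]::NewGuid())
$encDir = Join-Path $root 'enc'
$outDir = Join-Path $root 'plain'
New-Item -ItemType Directory -Path $encDir, $outDir | Out-Null

# 1. A file that exists before EncryptFile() is called on the directory.
$before = Join-Path $encDir 'before.txt'
Set-Content -LiteralPath $before -Value 'created before EncryptFile()'

Invoke-Efs { [Efs]::EncryptFile($encDir) } 'EncryptFile(directory)'
Report $true  (Test-Encrypted $encDir) 'directory carries FILE_ATTRIBUTE_ENCRYPTED'
Report $false (Test-Encrypted $before) 'pre-existing file left as it was'

# 2. A file and a subdirectory created after the attribute was set.
$after = Join-Path $encDir 'after.txt'
Set-Content -LiteralPath $after -Value 'created after EncryptFile()'
$sub = New-Item -ItemType Directory -Path (Join-Path $encDir 'sub')
Report $true (Test-Encrypted $after)        'new file encrypted automatically'
Report $true (Test-Encrypted $sub.FullName) 'new subdirectory inherits attribute'

# 3. The attribute does not lock files in: one file can be decrypted on its
#    own while the directory keeps its attribute.
Invoke-Efs { [Efs]::DecryptFile($after, 0) } 'DecryptFile(file)'
Report $false (Test-Encrypted $after)  'file decrypted individually'
Report $true  (Test-Encrypted $encDir) 'directory still encrypted'

# 4. Moving an auto-encrypted file out (same NTFS volume) does not decrypt it.
$moved = Join-Path $encDir 'moved.txt'
Set-Content -LiteralPath $moved -Value 'will be moved out of enc\'
Move-Item -LiteralPath $moved -Destination $outDir
Report $true (Test-Encrypted (Join-Path $outDir 'moved.txt')) 'moved-out file stays encrypted'

# 5. Directory contents are not encrypted, so whoever the DACL grants list
#    access can enumerate them. Show the entries that carry that right.
(Get-Acl -LiteralPath $encDir).Access |
    Where-Object { $_.FileSystemRights -match 'ListDirectory|ReadAndExecute|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

Remove-Item -LiteralPath $root -Recurse -Force
```

Run the script as a normal user on an NTFS volume; each Report line prints OK when the observed attribute matches the behavior described in this article. Step 5 lists the DACL entries that permit enumeration, which is the control that actually governs who can see file names in the directory.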

Article ID: 248723 - Last Review: 02/28/2014 00:29:55 - Revision: 4.1

  • Microsoft Win32 Application Programming Interface