Microsoft KB Archive/248723


INFO: Understanding Encrypted Directories


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional


Windows 2000 provides the ability to encrypt files and directories on NTFS volumes. Unlike files, the contents and streams of directories are not encrypted. Instead, when a directory is encrypted, files placed within the directory are automatically encrypted. This article explains how encryption applies to directories.


The NTFS file system in Windows 2000 provides Win32 programs the ability to encrypt the contents of files with the EncryptFile() function. EncryptFile() encrypts all streams in the specified file using the cryptographic service provider installed on the computer and the calling process's file encryption keys. The result is that only the account that encrypted the file may decrypt it.

Directories may be specified in calls to EncryptFile(), but the contents of directories are never encrypted, and if a directory contains additional streams, the streams are not encrypted. When EncryptFile() is called on a directory, NTFS adds the encryption attribute (FILE_ATTRIBUTE_ENCRYPTED) to the directory. Directories with the encryption attribute are referred to as "encrypted directories."

Files added to an encrypted directory are encrypted automatically if not already encrypted. Subdirectories added to an encrypted directory will also receive the encryption attribute. Files that existed in the directory before its encryption attribute was set are not affected. Although the encryption attribute causes new files to be encrypted automatically, it does not prevent files from being decrypted. They may be decrypted individually with the DecryptFile() function. Also, automatically-encrypted files are not decrypted when moved from the encrypted directory.

Because NTFS does not encrypt the contents or streams (if present) of a directory, everyone who has list access to the directory (defined by the DACL in the directory's security descriptor) can view its contents. Therefore, to secure a directory, you must set the DACL in the directory's security descriptor accordingly.
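The two gaps described above (files that sit unencrypted inside an encrypted directory, and principals whose DACL entry lets them list it) can be audited with a short script. This is an added example, not part of the original Microsoft article; it assumes PowerShell 3.0 or later, and the default path and the finding names are placeholders chosen for illustration.

```powershell
# Added example: audit a tree of "encrypted directories" on an NTFS volume.
param(
    [string]$Root = 'C:\Example\Secret'   # hypothetical path; pass your own
)

$Encrypted = [System.IO.FileAttributes]::Encrypted                        # FILE_ATTRIBUTE_ENCRYPTED
$ListRight = [System.Security.AccessControl.FileSystemRights]::ListDirectory

function Test-Encrypted($Item) {
    # True when the item carries the encryption attribute.
    [bool]($Item.Attributes -band $Encrypted)
}

# $Root itself plus every subdirectory, keeping only those with the attribute set.
$candidates = @(Get-Item -LiteralPath $Root -Force)
$candidates += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
$dirs = @($candidates | Where-Object { Test-Encrypted $_ })

foreach ($dir in $dirs) {
    # 1. Files stored unencrypted: they existed before the attribute was set,
    #    or were decrypted individually afterwards.
    Get-ChildItem -LiteralPath $dir.FullName -File -Force |
        Where-Object { -not (Test-Encrypted $_) } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'UnencryptedFile'
                Path    = $_.FullName
                Detail  = ''
            }
        }

    # 2. Allow ACEs that include list access: these principals can read the
    #    file names, because the directory contents are never encrypted.
    (Get-Acl -LiteralPath $dir.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            [bool]($_.FileSystemRights -band $ListRight)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'CanList'
                Path    = $dir.FullName
                Detail  = $_.IdentityReference.Value
            }
        }
}
```

The second check reports Allow entries as written in the DACL; it does not compute effective access, so Deny entries and ACEs expressed only as generic rights are not evaluated.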

Additional query words: EFS encrypt decrypt

Keywords : kbFileIO kbKernBase kbOSWin2000 kbSecurity _IK kbGrpDSKernBase
Issue type : kbinfo
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Serv kbwin2000ServSearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro kbWinAdvServSearch

Last Reviewed: October 23, 2000
© 2001 Microsoft Corporation. All rights reserved.