The Windows File Management 10








Cabinets are created by a compression library that supports features such as disk spanning and multi-file compression. For additional information, see the Cabinet Software Development Kit.


File Encryption


The Encrypted File System, or EFS, was introduced in NTFS 5.0 to provide an additional level of security for files and directories. It provides cryptographic protection of individual files on NTFS file system volumes using a public-key system.

Typically, the access control to file and directory objects provided by the Windows security model is sufficient to prevent unauthorized access to sensitive information. However, if a laptop that contains sensitive data is lost or stolen, the security protection of that data may be compromised. Encrypting the files increases security.

To determine whether a file system supports file encryption for files and directories, call the GetVolumeInformation() function and examine the FS_FILE_ENCRYPTION bit flag. Note that the following items cannot be encrypted:

  1. Compressed files
  2. System files
  3. System directories
  4. Root directories
  5. Transactions


Sparse files can be encrypted. Transactional NTFS (TxF) does not support most operations on Encrypted File System (EFS) files. The only operations TxF supports are read operations, such as ReadEncryptedFileRaw().
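The volume check and the exclusions above can be applied before asking EFS to encrypt a file. The following is an added example, not code from the original page: preflight_encrypt() and encrypt_checked() are hypothetical names, the Win32 wrapper is compiled only on Windows, and the fallback flag values are the Windows SDK values so that the decision logic builds on any platform. Root directories are not detected here because they cannot be recognised from the attribute bits alone.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>            /* link with advapi32.lib for EncryptFileA */
#else                           /* SDK flag values so the logic builds anywhere */
typedef unsigned long DWORD;
#define FS_FILE_ENCRYPTION        0x00020000UL
#define FILE_ATTRIBUTE_SYSTEM     0x00000004UL
#define FILE_ATTRIBUTE_COMPRESSED 0x00000800UL
#define FILE_ATTRIBUTE_ENCRYPTED  0x00004000UL
#endif

typedef enum { PRE_OK, PRE_OK_DECOMPRESS, PRE_ALREADY_ENCRYPTED,
               PRE_VOLUME_UNSUPPORTED, PRE_SYSTEM_FILE } preflight;

/* Hypothetical helper: decide from the volume flags and the file attributes
   whether an encryption request makes sense. */
preflight preflight_encrypt(DWORD fs_flags, DWORD attrs)
{
    if (!(fs_flags & FS_FILE_ENCRYPTION))  return PRE_VOLUME_UNSUPPORTED;
    if (attrs & FILE_ATTRIBUTE_SYSTEM)     return PRE_SYSTEM_FILE;
    if (attrs & FILE_ATTRIBUTE_ENCRYPTED)  return PRE_ALREADY_ENCRYPTED;
    if (attrs & FILE_ATTRIBUTE_COMPRESSED) return PRE_OK_DECOMPRESS; /* decompressed first */
    return PRE_OK;
}

#ifdef _WIN32
/* Runs the check against a real file (root such as "C:\\"), encrypts when
   allowed and confirms the attribute afterwards. Returns the verdict, or -1
   when a Win32 call fails. */
int encrypt_checked(const char *root, const char *path)
{
    DWORD fs_flags = 0, attrs = GetFileAttributesA(path);
    preflight v;
    if (attrs == INVALID_FILE_ATTRIBUTES) return -1;
    if (!GetVolumeInformationA(root, NULL, 0, NULL, NULL, &fs_flags, NULL, 0)) return -1;
    v = preflight_encrypt(fs_flags, attrs);
    if (v != PRE_OK && v != PRE_OK_DECOMPRESS) return (int)v;
    if (!EncryptFileA(path)) return -1;
    attrs = GetFileAttributesA(path);
    return (attrs != INVALID_FILE_ATTRIBUTES && (attrs & FILE_ATTRIBUTE_ENCRYPTED)) ? (int)v : -1;
}
#endif

int main(void)
{
    /* Constructed sample: volume that supports encryption, compressed file. */
    printf("verdict=%d\n", (int)preflight_encrypt(FS_FILE_ENCRYPTION, FILE_ATTRIBUTE_COMPRESSED));
    return 0;
}
```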


Handling Encrypted Files and Directories


A programmer or user may mark a directory or file as encrypted. A file marked encrypted is encrypted by the NTFS file system using the current encryption driver. If at a later date the file is marked as not encrypted, it is decrypted and left in a plain text (unsecured) state. Directories are not themselves encrypted. Rather, by default, in an "encrypted" directory all new files in the directory are encrypted at creation. A user must specifically change the status of a new file to decrypted if the user does not want the file to be encrypted. An encrypted directory is visible. To make a directory inaccessible to other users, use the standard methods of access control.

The encryption functions cannot be used with the Backup API. To encrypt a new file, use the CreateFile() function with the FILE_ATTRIBUTE_ENCRYPTED flag. To encrypt an existing file, use the EncryptFile() function. All data streams in the file are encrypted. If the file is already encrypted, EncryptFile() does nothing but returns a nonzero value, which indicates success. If the file is compressed, EncryptFile() decompresses the file before encrypting it. To decrypt an encrypted file, use the DecryptFile() function. If the file is not encrypted, DecryptFile() does nothing but returns a nonzero value indicating success.

The EncryptionDisable() function disables or enables the encryption of the indicated directory and the files in it. It does not affect the encryption of subdirectories below the indicated directory. To retrieve the encryption status of a file, use the FileEncryptionStatus() function. Alternatively, call the GetFileAttributes() function and examine the FILE_ATTRIBUTE_ENCRYPTED flag in the return value.

When encrypted files are copied using CopyFile() and CopyFileEx() under Windows 2000, the functions attempt to encrypt the destination file. No attempt is made to encrypt the destination file with the keys used in the encryption of the source file. If it cannot be encrypted, CopyFile() and CopyFileEx() complete the copy operation without encrypting the destination file. In Windows XP, CopyFile() and CopyFileEx() attempt to encrypt the destination file with the keys used in the encryption of the source file. If this cannot be done, both functions attempt to encrypt the destination file with default keys, as in Windows 2000. If both of these methods cannot be done, CopyFile() and CopyFileEx() fail with an ERROR_ENCRYPTION_FAILED error. If you want CopyFileEx() to complete the copy operation even when the destination file cannot be encrypted, include the COPY_FILE_ALLOW_DECRYPTED_DESTINATION flag in the value of the dwCopyFlags parameter in your call to CopyFileEx().
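Because a copy can complete with a plain text destination (always under Windows 2000, and under Windows XP when COPY_FILE_ALLOW_DECRYPTED_DESTINATION is set), a caller that must not leave unencrypted copies behind can read the destination attributes back after the copy. The following is an added example, not code from the original page: classify_copy() and copy_keep_encrypted() are hypothetical names, the Win32 wrapper is compiled only on Windows, and the fallback constants are the Windows SDK values.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else                           /* SDK values so the logic builds anywhere */
typedef unsigned long DWORD;
#define FILE_ATTRIBUTE_ENCRYPTED 0x00004000UL
#define INVALID_FILE_ATTRIBUTES  0xFFFFFFFFUL
#define ERROR_SUCCESS            0UL
#define ERROR_ENCRYPTION_FAILED  6000UL
#endif

typedef enum { CPY_OK, CPY_DOWNGRADED, CPY_REFUSED, CPY_FAILED } cpy_result;

/* Hypothetical helper: classify a copy from the source attributes, the Win32
   error code (ERROR_SUCCESS if the call succeeded) and the attributes read
   back from the destination afterwards. */
cpy_result classify_copy(DWORD src_attrs, DWORD err, DWORD dst_attrs)
{
    if (err == ERROR_ENCRYPTION_FAILED) return CPY_REFUSED;   /* Windows XP behaviour */
    if (err != ERROR_SUCCESS || dst_attrs == INVALID_FILE_ATTRIBUTES) return CPY_FAILED;
    if ((src_attrs & FILE_ATTRIBUTE_ENCRYPTED) && !(dst_attrs & FILE_ATTRIBUTE_ENCRYPTED))
        return CPY_DOWNGRADED;                                /* destination is plain text */
    return CPY_OK;
}

#ifdef _WIN32
/* Copies src to dst with dwCopyFlags = 0, so that
   COPY_FILE_ALLOW_DECRYPTED_DESTINATION is not set, and deletes the
   destination if it still ended up unencrypted. */
cpy_result copy_keep_encrypted(const char *src, const char *dst)
{
    DWORD err = ERROR_SUCCESS, dst_attrs = 0, src_attrs = GetFileAttributesA(src);
    cpy_result r;
    if (src_attrs == INVALID_FILE_ATTRIBUTES) return CPY_FAILED;
    if (CopyFileExA(src, dst, NULL, NULL, NULL, 0)) dst_attrs = GetFileAttributesA(dst);
    else err = GetLastError();
    r = classify_copy(src_attrs, err, dst_attrs);
    if (r == CPY_DOWNGRADED) DeleteFileA(dst);                /* no plain text copy left behind */
    return r;
}
#endif

int main(void)
{
    /* Constructed sample: encrypted source, successful copy, plain destination. */
    printf("verdict=%d\n", (int)classify_copy(FILE_ATTRIBUTE_ENCRYPTED, ERROR_SUCCESS, 0x20));
    return 0;
}
```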


Encrypted Files and User Keys


To create a new key for a user, use the SetUserFileEncryptionKey() function. To add user keys to an encrypted file, use the AddUsersToEncryptedFile() function. To query the user keys for an encrypted file, use the QueryUsersOnEncryptedFile() function. To remove user keys from an encrypted file, use the RemoveUsersFromEncryptedFile() function.


Backup and Restore of Encrypted Files


The Encrypting File System (EFS) filters the opening of an encrypted file in such a way that the application that opened the file gets access to the unencrypted information, provided of course it has the proper credentials to access the file and get the key necessary to decrypt the file. Subsequent read operations on this file will yield unencrypted text. This is very desirable for typical access to encrypted files, and keeps the encryption and decryption of the files transparent. However, it hinders backup of encrypted files, because if backup is attempted with the standard file I/O calls like CreateFile(), ReadFile(), and WriteFile(), the files backed up will be the plain text version.

The raw encryption functions are provided to solve this problem. Backup applications are a primary intended user for these functions. Raw encryption functions differ from other file system functions in that open, read, and write functions allow access to the raw encrypted data streams and also allow reading/writing of the $EFS stream. Therefore, the caller of the raw encryption functions does not need access to the cryptographic keys that decrypt the file. The following raw encryption APIs are available for use with backup and restore applications:


Raw Encryption API



  OpenEncryptedFileRaw(): Open an encrypted file with access to data in encrypted format.
  CloseEncryptedFileRaw(): Close an encrypted file opened with OpenEncryptedFileRaw().
  ReadEncryptedFileRaw(): Read an encrypted file leaving its data in encrypted format.
  WriteEncryptedFileRaw(): Write an encrypted file leaving its data in encrypted format.
  ImportCallback(): Application-defined callback for use with WriteEncryptedFileRaw().
  ExportCallback(): Application-defined callback for use with ReadEncryptedFileRaw().




