File System Encryption API Reference
This section details the Application Programming Interfaces (APIs) available in Windows for implementing and managing file system encryption. These APIs empower developers to integrate robust security features into their applications, protecting sensitive data at rest.
Important: Understanding the nuances of cryptography and secure key management is crucial when working with these APIs. Consult the Security Best Practices documentation before implementation.
Core Concepts
Windows offers several layers of file system encryption:
- Encrypting File System (EFS): A feature built into Windows that allows transparent encryption of files and folders. It uses public-key cryptography to encrypt data.
- BitLocker Drive Encryption: A full-disk encryption feature that protects data on entire drives. While it operates at a lower level, specific APIs can interact with it for management.
- Data Protection API (DPAPI): A simpler API for encrypting small amounts of data, often used for application configuration or user-specific secrets.
EFS API Overview
The EFS API provides functions to:
- Encrypt and decrypt files and folders.
- Manage encryption certificates and keys.
- Query the encryption status of files.
- Handle user access and recovery policies.
Key EFS Functions
Commonly used EFS functions for file manipulation.
| Function | Description | Header File |
|---|---|---|
| EncryptFile | Encrypts a specified file. | windows.h |
| DecryptFile | Decrypts a specified file. | windows.h |
| QueryOptionalNtCreateFilePolicy | Retrieves the EFS policy for a file or directory. | windows.h |
| AddUsersToFileEncryption | Adds users to the access control list for an encrypted file. | windows.h |
| RemoveUsersFromFileEncryption | Removes users from the access control list for an encrypted file. | windows.h |
Key Management and Certificates
APIs related to managing the cryptographic keys and certificates used by EFS.
- CertEnroll COM Objects: Provide extensive capabilities for certificate enrollment, management, and retrieval.
- CryptoAPI Functions: Lower-level functions for certificate store operations, cryptographic operations, and key handling.
Key concepts include:
- Encryption Certificate: Used to encrypt the actual file data.
- Decryption Certificate: Used by authorized users to decrypt the file data.
- Recovery Agent Certificate: Used by designated recovery agents to access encrypted files if the primary user's certificate is lost.
BitLocker and DPAPI Integration
While BitLocker operates at the volume level, applications can still take its presence into account:
- Check whether a drive is encrypted before writing sensitive data to it.
- Prompt the user to unlock a protected drive when access is needed (an application has no direct control over BitLocker itself).
DPAPI offers a simpler interface for encrypting smaller data blobs:
DPAPI Functions
| Function | Description | Header File |
|---|---|---|
| CryptProtectData | Encrypts or signs data using DPAPI. | windows.h |
| CryptUnprotectData | Decrypts or verifies data protected by CryptProtectData. | windows.h |
Note: DPAPI protects data per user or per machine by default. Choose the scope deliberately and supply optional entropy for sensitive data, since any process running as the same user (or, with machine scope, any process on the machine) can otherwise unprotect the blob.
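The following PowerShell script is an added example, not code from this page: it exercises the scope and entropy behaviour described above through the .NET ProtectedData class, which wraps CryptProtectData and CryptUnprotectData. The function names Protect-Secret and Unprotect-Secret, and the sample secret and entropy strings, are constructed for illustration.

```powershell
# Added example (not from the page). Requires Windows; ProtectedData is the
# .NET wrapper over CryptProtectData / CryptUnprotectData.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$PlainText,
        [Parameter(Mandatory)][string]$Entropy,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $data    = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $entropy = [Text.Encoding]::UTF8.GetBytes($Entropy)
    $scopeEnum = [System.Security.Cryptography.DataProtectionScope]$Scope
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($data, $entropy, $scopeEnum)
    # Base64 so the blob can live in a config file. The entropy is the
    # application's secret and must not be stored next to the blob.
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [Parameter(Mandatory)][string]$Entropy,
        [ValidateSet('CurrentUser','LocalMachine')][string]$Scope = 'CurrentUser'
    )
    $blob    = [Convert]::FromBase64String($Base64Blob)
    $entropy = [Text.Encoding]::UTF8.GetBytes($Entropy)
    $scopeEnum = [System.Security.Cryptography.DataProtectionScope]$Scope
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scopeEnum)
        return [Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Wrong entropy, a different user/machine than the protecting one,
        # or a tampered blob all surface as CryptographicException.
        return $null
    }
}

# Constructed demo values (assumption: the entropy is held in code or a
# separate store, never beside the protected blob).
$secret  = 'db-password-example'
$entropy = 'app-specific-entropy-v1'
$blob = Protect-Secret -PlainText $secret -Entropy $entropy -Scope CurrentUser

# Same user, same entropy: the secret round-trips.
Write-Output ("Correct entropy: " + (Unprotect-Secret -Base64Blob $blob -Entropy $entropy))
# Same user, wrong entropy: Unprotect throws and the function returns $null,
# so possession of the blob alone is not enough to recover the secret.
Write-Output ("Wrong entropy:   " + (Unprotect-Secret -Base64Blob $blob -Entropy 'wrong'))
```

Switching both calls to -Scope LocalMachine shows the weaker default: any process on the machine that knows the entropy can unprotect the blob, which is why entropy matters most for machine-scoped data.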
Sample Code Snippets
The following C++ snippet demonstrates basic file encryption using EFS:
```cpp
#include <windows.h>
#include <iostream>

// EncryptFile and DecryptFile are exported from Advapi32.dll; link Advapi32.lib
// (this pragma does it for MSVC; other toolchains pass -ladvapi32).
#pragma comment(lib, "Advapi32.lib")

int main() {
    // EncryptFile takes a wide (UTF-16) path. The calling user needs an EFS
    // certificate; Windows issues a self-signed one on first use if no CA is configured.
    LPCWSTR fileName = L"MySecretDocument.txt";

    // Returns nonzero on success, zero on failure.
    if (EncryptFile(fileName)) {
        std::wcout << L"Successfully encrypted: " << fileName << std::endl;
    } else {
        // Read GetLastError immediately after the failing call, before any other API call.
        DWORD error = GetLastError();
        std::wcout << L"Failed to encrypt file. Error code: " << error << std::endl;
    }
    // ... decryption logic would follow here ...
    return 0;
}
```