According to MSDN, each alternate data stream may be stored at an encrypted form (NTFS' encrypted state). The only API function I've find for setting Enc开发者_运维技巧ryption state, is EncryptFile() , which states to encrypt all data streams of a file. So is there a way of not encrypting all data streams under XP?
That MSDN article (wherever you found it) is wrong. NTFS encryption (i.e. EFS) itself stores the encryption keys in an alternate data stream $EFS. There is only one $EFS stream per file, which would make it impossible for other alternate data streams to also be encrypted (unless they also used the same symmetric key, which would go against every design principle of EFS that uses different keys for every file).
Please show the reference to that MSDN article. I'm convinced it's in error (it wouldn't be the only article published on microsoft.com that wasn't 100% accurate - the writers of these articles are human). Heck, I put material on MSDN that wasn't 100% accurate earlier in my career.
This is an important point since an ADS can contain executable code and thus can be a security threat. In practice, only a file’s $DATA attribute(s) is encrypted but in theory it is possible to encrypt other attributes. However, other attributes such as the $EFS are not encrypted. Only non-resident $DATA attributes can be encrypted. If multiple (non-resident) $DATA attributes exist in an MFT record then all these attributes are encrypted with the same key. Note, other attributes will not be encrypted, only the $DATA attributes.
精彩评论