NTFS Encrypting File System

  • Thread starter: Rik Smithies

Rik Smithies

Is it possible to programmatically create an encrypted directory that
is based on a key created on the fly, and not tied to any logon
account? This would be an area that an application could use for safe
temporary storage of sensitive data no matter who was logged on.
Thanks,
Rik
 
Not with EFS. Directories themselves aren't encrypted - they're marked such
that files created in them will be. Files are always encrypted in the
context of the user that created them.

Encrypting with service accounts gives nominal security at best. EFS
depends on DPAPI. DPAPI ultimately uses a user's password to encrypt a key
or, if running in system context, uses an LSA secret.
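To show the "marked, not encrypted" behaviour described above, here is an added PowerShell example that is not from this thread; it assumes a Windows edition with EFS available, an NTFS volume behind %TEMP%, and the built-in cipher.exe.

```powershell
# Added example: an EFS "encrypted directory" is only a flag on the directory.
# Files already in it stay plaintext; files created afterwards are encrypted
# for the user who creates them (cipher /c lists that user's certificate).
function Test-EfsDirectoryMarking {
    param(
        # Constructed scratch directory under %TEMP%
        [string]$Root = (Join-Path $env:TEMP ("efs-demo-" + [guid]::NewGuid()))
    )

    New-Item -ItemType Directory -Path $Root | Out-Null

    # File created BEFORE the directory is marked
    $before = New-Item -ItemType File -Path (Join-Path $Root 'before.txt') -Value 'constructed sample'

    # /e without /a marks the directory only; existing files are left untouched
    cipher.exe /e "$Root" | Out-Null

    # File created AFTER the mark, in the current user's context
    $after = New-Item -ItemType File -Path (Join-Path $Root 'after.txt') -Value 'constructed sample'

    $enc = [IO.FileAttributes]::Encrypted
    $before.Refresh(); $after.Refresh()

    $result = [pscustomobject]@{
        DirectoryFlagged   = [bool]((Get-Item $Root).Attributes -band $enc)  # True: flag only
        PreexistingFile    = [bool]($before.Attributes -band $enc)           # False: still plaintext
        NewFileEncrypted   = [bool]($after.Attributes -band $enc)            # True
        # Shows which user certificate can decrypt after.txt: the creating account
        WhoCanDecrypt      = (cipher.exe /c "$($after.FullName)") -join "`n"
    }

    Remove-Item -Path $Root -Recurse -Force   # clean up the scratch directory
    return $result
}

Test-EfsDirectoryMarking
```

The WhoCanDecrypt output is the practical consequence of the reply above: there is no way here to supply a key that is not bound to the logon account that created the file.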