Encrypt method of the Win32_EncryptableVolume class
The Encrypt method of the Win32_EncryptableVolume class begins encryption of a fully decrypted volume, or resumes encryption of a partially encrypted volume. When encryption is paused or in-progress, this method behaves the same as ResumeConversion. When decryption is paused or in-progress, this method stops the decryption and begins encryption.
Note
If the drive is hardware encrypted, this method does not encrypt data. Instead, it sets the band status to "unlocked" from "always unlocked". If the band is locked, unlocked or is read-only, the drive is considered to be encrypted.
Windows Vista: Encryption of a volume other than the currently running operating system volume is not supported.
Syntax
uint32 Encrypt(
[in, optional] uint32 EncryptionMethod,
[in, optional] uint32 EncryptionFlags
);
Parameters
-
EncryptionMethod [in, optional]
-
Type: uint32
An unsigned integer that specifies the encryption algorithm and key size used to encrypt the volume. If this parameter is greater than zero and the volume is partially or fully encrypted, EncryptionMethod must match the volume's existing encryption method. If this parameter is greater than zero and the corresponding Group Policy setting is enabled with a valid value, EncryptionMethod must match the Group Policy setting.
For a list of possible EncryptionMethod values, see the GetEncryptionMethod method.
Default value for Windows 7 or below is: 1 (AES_128_WITH_DIFFUSER).
Default value for Windows 8, Windows 8.1 or Windows 10, version 1507 is: 3 (AES_128).
Default value for Windows 10, version 1511 or above is: 6 (XTS_AES_128).
-
EncryptionFlags [in, optional]
-
Type: uint32
Flags that describe the encryption behavior.
Windows 7, Windows Server 2008 R2, Windows Vista Enterprise and Windows Server 2008: This parameter is not available.
A combination of 32 bits with following bits currently defined.
Value Meaning - 0x00000001
Perform volume encryption in data-only encryption mode when starting new encryption process. If encryption has been paused or stopped, calling the Encrypt method effectively resumes conversion and the value of this bit is ignored. This bit only has effect when either the Encrypt or EncryptAfterHardwareTest methods start encryption from the fully decrypted state, decryption in progress state, or decryption paused state. If this bit is zero, meaning that it is not set, when starting new encryption process, then full mode conversion will be performed. - 0x00000002
Perform on-demand wipe of the volume free space. Calling the Encrypt method with this bit set is only allowed when volume is not currently converting or wiping and is in an "encrypted" state. - 0x00010000
Perform the requested operation synchronously. The call will block until requested operation has completed or was interrupted. This flag is only supported with the Encrypt method. This flag can be specified when Encrypt is called to resume stopped or interrupted encryption or wiping or when either encryption or wiping is in progress. This allows the caller to resume synchronously waiting until the process is completed or interrupted.
Return value
Type: uint32
This method returns one of the following codes or another error code if it fails.
This method returns immediately. If the volume is already fully encrypted and no other errors are returned, this method returns 0.
| Return code/value | Description |
|---|---|
|
The method was successful. |
|
The EncryptionMethod parameter is provided but is not within the known range or does not match the current Group Policy setting. |
|
No encryption key exists for the volume. Either disable key protectors by using the DisableKeyProtectors method or use one of the following methods to specify key protectors for the volume:
|
|
The provided encryption method does not match that of the partially or fully encrypted volume. To continue encryption, leave the EncryptionMethod parameter blank or use a value of zero. |
|
The volume cannot be encrypted because this computer is configured to be part of a server cluster. |
|
The volume is locked. |
|
No key protectors of the type "Numerical Password" are specified. The Group Policy requires a backup of recovery information to Active Directory Domain Services. To add at least one key protector of that type, use the ProtectKeyWithNumericalPassword method. |
Remarks
When you use this method without the second optional parameter (according to the Windows 7 and Windows Vista Enterprise definition), the method will always initiate full mode conversion in order to keep backward compatible behavior. This way the security expectation of existing applications and scripts will not be broken with the addition of the second optional parameter in Windows 8 and Windows Server 2012.
You can call GetConversionStatus to determine whether encryption is in progress and the percentage of the volume that has been encrypted.
After the volume is fully encrypted and if key protectors have been added and enabled, the protection status for the volume changes to "on".
Managed Object Format (MOF) files contain the definitions for Windows Management Instrumentation (WMI) classes. MOF files are not installed as part of the Windows SDK. They are installed on the server when you add the associated role by using the Server Manager. For more information about MOF files, see Managed Object Format (MOF).
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client |
Windows Vista Enterprise, Windows Vista Ultimate [desktop apps only] |
| Minimum supported server |
Windows Server 2008 [desktop apps only] |
| Namespace |
Root\CIMV2\Security\MicrosoftVolumeEncryption |
| MOF |
|
See also