windows powershell ntfs

How can a directory's encryption attribute be toggled from a PowerShell script?


The documentation states that the encryption attribute in a directory is just a flag that indicates that all its children should be encrypted.

For a file, you can toggle encryption with

    (Get-Item -Path filename).Decrypt()
    (Get-Item -Path filename).Encrypt()

These methods are defined in FileInfo and don't exist in DirectoryInfo. In neither case can you set the attribute directly, i.e. this does nothing:

    (Get-Item -Path filename).Attributes -= 'Encrypted'

(This type of attribute setting will work with things like Archive and ReadOnly but not things like Compressed, Encrypted, Directory, etc.)

What I would like to do is:

  1. Create a new directory inside a directory that is encrypted.
  2. Set the encrypted attribute to false in this new directory.
  3. Fill the new directory with files which will thus not be encrypted.

Is this possible from a script?

Note: I do not want to fill the directory first and then go and call Decrypt() on every file; this does not solve the problem of having all new files not be encrypted.


Solution

  • It isn't obvious (and you have to wonder why System.IO.DirectoryInfo instances don't expose .Encrypt() and .Decrypt() methods, as you have to wonder why attempts to remove the Encrypted attribute via .Attributes are quietly ignored), but the System.IO.File class has static .Encrypt() and .Decrypt() methods that also operate on directory paths.

    Therefore:

    # Create a new dir. inside an encrypted dir., which by default
    # will have the Encrypted attribute set too.
    $dirInfo = New-Item -Type Directory -Path $encryptedDir -Name NewUnencryptedDir
    
    # Remove the Encrypted attribute, so that files and subdirs. created inside
    # will be unencrypted.
    # Note: Be sure to always pass a *full* path, because .NET's current dir.
    #       usually differs from PowerShell's.
    [IO.File]::Decrypt($dirInfo.FullName)
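
The following is an added example, not part of the original answer: it wraps the steps above in a function that verifies the Encrypted flag was actually cleared and that a newly created file lands unencrypted, plus an audit helper that lists directories under an EFS-encrypted tree where new files would be written in plaintext. The function names and the sample path in the closing comment are hypothetical.

```powershell
# Added example; function names and the sample path are hypothetical.
function New-UnencryptedSubdirectory {
    param(
        [Parameter(Mandatory)] [string] $ParentPath,
        [Parameter(Mandatory)] [string] $Name
    )
    $encrypted = [IO.FileAttributes]::Encrypted

    # Resolve to a full path: .NET's current directory usually differs from PowerShell's.
    $parent = (Resolve-Path -LiteralPath $ParentPath).ProviderPath
    $dir = New-Item -ItemType Directory -Path $parent -Name $Name -ErrorAction Stop

    # Clear the Encrypted flag that the new directory inherited from its parent.
    [IO.File]::Decrypt($dir.FullName)

    # Re-read the attributes and fail loudly if the flag is still set.
    $dir.Refresh()
    if ($dir.Attributes.HasFlag($encrypted)) {
        throw "Encrypted attribute still set on $($dir.FullName)"
    }

    # Probe: a file created inside the directory must not come out encrypted.
    $probe = Join-Path $dir.FullName ([IO.Path]::GetRandomFileName())
    Set-Content -LiteralPath $probe -Value 'probe'
    $probeEncrypted = (Get-Item -LiteralPath $probe -Force).Attributes.HasFlag($encrypted)
    Remove-Item -LiteralPath $probe -Force
    if ($probeEncrypted) {
        throw "New files in $($dir.FullName) are still encrypted"
    }
    $dir
}

# Audit helper: list every directory below $Root whose Encrypted flag is off,
# i.e. places inside an encrypted tree where new files are stored in plaintext.
function Get-UnencryptedDirectory {
    param([Parameter(Mandatory)] [string] $Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force |
        Where-Object { -not $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

# Usage (constructed path):
#   New-UnencryptedSubdirectory -ParentPath 'C:\Secure' -Name 'NewUnencryptedDir'
#   Get-UnencryptedDirectory -Root 'C:\Secure'
```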