New - Ncryptopenstorageprovider

The most exciting aspect of ncryptopenstorageprovider new is the ability to enable crypto-shredding at provisioning time.

Traditional data deletion requires overwriting the disk (slow and often ineffective on SSDs). With Ncrypt, when you delete a volume, the provider simply discards the DEK from the KMS. The encrypted data remains on the physical disk but is mathematically irrecoverable.

When you instantiate a new provider with the flag --crypto-shred=true, you are effectively giving yourself a "Ripley Switch" for compliance (GDPR, CCPA). Deleting the volume is instantaneous, regardless of its size, because only the DEK is destroyed.

Since the standard CNG does not export an explicit NCRYPT_NEW_PROVIDER flag, we simulate "New" by using NCryptOpenStorageProvider with the NCRYPT_SILENT_FLAG (to avoid cached UI prompts) and immediately disposing of any existing handles in the current scope.

```c
#include <windows.h>
#include <ncrypt.h>

SECURITY_STATUS OpenNewProvider(NCRYPT_PROV_HANDLE *phProvider)
{
    // Using NCRYPT_SILENT_FLAG ensures we don't inherit a dialog-based cache.
    // For a truly "New" specific context, many developers also combine this with
    // NCRYPT_MACHINE_KEY_FLAG to open an isolated machine store context.
    // The caller owns *phProvider and releases it with NCryptFreeObject.
    return NCryptOpenStorageProvider(
        phProvider,
        MS_KEY_STORAGE_PROVIDER,
        NCRYPT_SILENT_FLAG);
}
```

The provider performs an encrypted write/read of a 4KB test pattern (0xdeadbeef) to confirm the cryptographic pipeline works before returning 0 (success).

Some providers (e.g., TPM provider) may require admin rights or specific user permissions. Check the return code and handle E_ACCESSDENIED gracefully.

When you create a persisted key, NCryptCreatePersistedKey only sets up the key object. You must call NCryptFinalizeKey to actually generate the key material and store it; the key handle cannot be used for cryptographic operations until it has been finalized.

The command registers the new provider in the system's etcd or local SQLite store (/var/lib/ncrypt/providers.db). A unique UUID (v7) is generated.

The ncryptopenstorageprovider new command creates a self-describing, encrypted storage pool where the encryption metadata is stored alongside the data, but the master keys are derived from a Hardware Security Module (HSM) or a key management service at mount time.
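The crypto-shredding model described above (delete a volume by discarding its DEK from the KMS; the ciphertext stays on disk but is useless without the key) and the self-describing pool layout (cipher metadata stored next to the data, keys fetched from the KMS/HSM only at mount time) are shown together in the following Go program. This is an added illustration, not code from the Ncrypt project: the KMS/HSM is assumed to be an in-memory map, the cipher is the table's default aes-256-gcm from the Go standard library, and the UUIDv7 generator that the page describes for provider IDs is assumed here to also label volumes. The sample plaintext is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// KMS stands in for the HSM/key service; it holds the only copy of each volume's DEK.
type KMS struct{ deks map[string][]byte }

func NewKMS() *KMS { return &KMS{deks: map[string][]byte{}} }

// Volume is the self-describing on-disk record: ciphertext plus metadata, never the key.
type Volume struct {
	ID         string // UUIDv7 assigned at provisioning time (assumption: volumes get one too)
	Cipher     string // stored alongside the data
	Nonce      []byte
	Ciphertext []byte
}

func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

// newUUIDv7: 48-bit Unix-millisecond timestamp, version nibble 7, variant 10, rest random.
func newUUIDv7() string {
	var b [16]byte
	binary.BigEndian.PutUint64(b[:8], uint64(time.Now().UnixMilli())<<16)
	copy(b[6:], mustRand(10))
	b[6] = (b[6] & 0x0f) | 0x70 // version 7
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 9562 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Provision: fresh 256-bit DEK registered in the KMS, data sealed with AES-256-GCM,
// ciphertext bound to the volume ID through the AAD.
func Provision(kms *KMS, plaintext []byte) (*Volume, error) {
	dek := mustRand(32)
	aead, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	id := newUUIDv7()
	nonce := mustRand(aead.NonceSize())
	kms.deks[id] = dek
	return &Volume{ID: id, Cipher: "aes-256-gcm", Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Mount fetches the DEK from the KMS and decrypts; a shredded volume fails here.
func Mount(kms *KMS, v *Volume) ([]byte, error) {
	dek, ok := kms.deks[v.ID]
	if !ok {
		return nil, fmt.Errorf("volume %s: DEK discarded, data is crypto-shredded", v.ID)
	}
	aead, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, v.Nonce, v.Ciphertext, []byte(v.ID))
}

// Shred deletes the volume in O(1): zero and drop the DEK, leave the ciphertext untouched.
func Shred(kms *KMS, v *Volume) {
	if dek, ok := kms.deks[v.ID]; ok {
		for i := range dek {
			dek[i] = 0
		}
		delete(kms.deks, v.ID)
	}
}

func main() {
	kms := NewKMS()
	v, _ := Provision(kms, []byte("constructed sample: customer ledger")) // constructed data
	pt, _ := Mount(kms, v)
	fmt.Printf("volume %s mounted: %q\n", v.ID, pt)
	Shred(kms, v)
	_, err := Mount(kms, v)
	fmt.Println("after shred:", err, "| ciphertext bytes still on disk:", len(v.Ciphertext))
}
```

Two design points carry over to a real provider: the volume ID is passed as GCM associated data, so a ciphertext copied under another volume's metadata fails authentication instead of decrypting, and Shred never touches the data path, which is what makes deletion time independent of volume size. The remaining risk is any other copy of the DEK (KMS backups, swapped memory, a caching layer in front of the KMS); a crypto-shred is only as complete as the inventory of key copies.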

| Parameter | Required | Description |
| :--- | :--- | :--- |
| --provider-name | Yes | Unique logical name for the provider (used by mount commands). |
| --backend | Yes | Storage backend for the encrypted blocks. |
| --cipher | No (default: aes-256-gcm) | Authenticated encryption algorithm. |
| --key-source | Yes | Source of the root encryption key. |
| --auto-unseal | No (default: false) | If true, uses a trust-on-first-use (TOFU) model. |
| --quota | Yes | Maximum size of the encrypted storage pool. |
| --policy | No | Path to a HashiCorp Sentinel or OPA policy for access rules. |