RootData is not encrypted when you use whole-storage encryption. This was done to let the application store encryption-related information such as encrypted session keys, certificates, Access Control Lists etc. for use with whole-storage encryption.
If you want to encrypt the storage using whole-storage encryption, you can keep the whole-storage password in RootData (of course, in encrypted form). This is a good approach, for example, when you use a randomly generated key to encrypt the storage and use the password provided by the user to encrypt the storage encryption key in order to keep it in RootData.
To store the encryption key in RootData, simply encrypt it, then save it to the stream returned by OpenRootData method.
When you open the storage, you need to take the following steps: