
Encrypting File System (EFS) - Encryption Process

• When a user encrypts a file, the Encrypting File System (EFS) generates a random File Encryption Key (FEK) with the help of the cryptographic service provider (CSP) installed on the system.

• EFS uses the FEK to encrypt the file's data. The file name, attributes, timestamps and other metadata are not encrypted, so anyone who can list the directory can still see that the file exists and what it is called.

• EFS passes the encrypted data to NTFS, which writes it to disk. EFS is therefore not a file system in its own right; it is a set of functions that work together with NTFS to encrypt and decrypt files stored on an NTFS volume. A consequence worth remembering is that copying an encrypted file to a volume that does not support EFS (for example FAT) writes the file out in plaintext.

• EFS combines symmetric and asymmetric cryptography. The file data is encrypted with the symmetric FEK: one key both encrypts and decrypts, which is fast enough for bulk data. EFS then encrypts the FEK itself with the public key from the user's EFS certificate. This is the asymmetric step: the public key wraps the FEK, and only the matching private key can unwrap it. The encrypted FEK is stored with the file in a Data Decryption Field (DDF); one DDF is kept for every user authorised to decrypt the file.

• Another copy of the FEK is encrypted with the public File Recovery (FR) key of the Data Recovery Agent (DRA) and stored in a Data Recovery Field (DRF). The DRA is whichever account the EFS recovery policy designates; in a Windows domain the default is the domain Administrator account, which is why that account is usually called the Data Recovery Agent. Because the DRA's private key can unwrap any DRF, the Administrator can recover the data if the user who encrypted it is no longer available or has lost the private key. Two practical points follow: if no recovery policy is in force, no DRF is written and there is no recovery path for that file; and the DRA's private key should be exported and kept offline, because anyone holding it can read every file encrypted under that policy.

• Finally, EFS passes the DDF and DRF to NTFS, which stores them alongside the file data in the file's $EFS attribute. The users and recovery agents that hold a DDF or DRF on a given file can be listed with cipher /c <filename>.
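The whole procedure above, from random FEK to DDF and DRF, is envelope encryption, and the following program walks through it end to end. It is an added example written for this page, not Microsoft's EFS code: AES-GCM stands in for EFS's symmetric cipher, RSA-OAEP stands in for the CSP's key-wrapping operation, and the EncryptedFile struct is an illustrative layout rather than the on-disk $EFS attribute format. Key sizes, the sample file contents and the function names are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile models what NTFS stores for an EFS-encrypted file: the
// ciphertext of the data stream plus the FEK wrapped once per principal.
// The field names follow the page's terminology; the layout is illustrative
// and is not the real $EFS attribute format.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDF        []byte // FEK wrapped with the owning user's public key
	DRF        []byte // FEK wrapped with the DRA's public key; nil if no recovery policy
}

// wrapFEK is the asymmetric step: only the matching private key can recover
// the FEK. RSA-OAEP stands in for the CSP's key-exchange operation (assumption).
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte("EFS-FEK"))
}

func unwrapFEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("EFS-FEK"))
}

// EncryptFile runs the steps in the order the page describes: a fresh random
// FEK, symmetric encryption of the data, then the FEK wrapped into a DDF for
// the user and a DRF for the DRA (draPub == nil models a system without a
// recovery policy, in which case no DRF is produced).
func EncryptFile(plaintext []byte, userPub, draPub *rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // 256-bit symmetric key
	if _, err := io.ReadFull(rand.Reader, fek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if ef.DDF, err = wrapFEK(userPub, fek); err != nil {
		return nil, err
	}
	if draPub != nil {
		if ef.DRF, err = wrapFEK(draPub, fek); err != nil {
			return nil, err
		}
	}
	return ef, nil
}

// DecryptFile is the read path for both the user (wrapped = ef.DDF) and the
// DRA (wrapped = ef.DRF). A private key that does not match the field fails
// at the unwrap step and never obtains the FEK.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	if wrapped == nil {
		return nil, errors.New("no DDF/DRF present for this principal")
	}
	fek, err := unwrapFEK(priv, wrapped)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap FEK: %w", err)
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	dra, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample content standing in for a file's data stream.
	ef, err := EncryptFile([]byte("Q3 salary review - confidential"), &user.PublicKey, &dra.PublicKey)
	if err != nil {
		panic(err)
	}
	viaUser, _ := DecryptFile(ef, user, ef.DDF)
	viaDRA, _ := DecryptFile(ef, dra, ef.DRF)
	fmt.Printf("user reads:   %s\n", viaUser)
	fmt.Printf("DRA recovers: %s\n", viaDRA)
}
```

Running it shows both the user and the DRA recovering the same plaintext from the same ciphertext through different wrapped copies of the FEK, which is exactly why a lost user key is survivable when a DRF exists and why the DRA's private key must be guarded: it unwraps every DRF written under that recovery policy.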
