The file encryption key (FEK) used for the DESX encryption must be stored along with the file so that the encrypting user can decrypt the file on demand. It cannot be stored in the clear, or anyone who could read the file could also read the key. To protect the FEK, EFS uses an asymmetric (public key) scheme based on the Public-Key Cryptography Standards, or PKCS, licensed from RSA Data Security. This scheme involves the use of two keys:
- Public key: used to encrypt the FEK
- Private key: used to decrypt the FEK
The public key does not need to be kept secret. EFS encrypts the FEK with the user's public key and stores the result right along with the file in a special structure called a data decryption field, or DDF, together with a hash of the user's certificate so that the right key pair can be located later. The DDF lives in the file's $EFS attribute, which uses a new NTFS 5 attribute type called the Logged Utility Stream ($LOGGED_UTILITY_STREAM).
You don't really need to remember these acronyms. It's enough to know the following:
- An encrypted copy of the key that unlocks the file is stored along with the file; possessing the file alone does not yield that key.
- The encrypted file must reside on an NTFS 5 volume.
- The user's private key must be available to decrypt the file.
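The key-wrapping scheme described above, as an added example in Go; it is not code from the book or from the Windows EFS implementation. AES-GCM stands in for DESX and RSA-OAEP for the PKCS#1 wrapping of the era, and `EncryptedFile`, `DDF`, `EncryptFile`, `DecryptFile` and the key fingerprint are the example's own names (the real $EFS attribute layout differs). The point it shows is the one in the summary list: the wrapped FEK travels with the file, yet only the matching private key can recover it, and a forged key reference in the DDF does not help an attacker.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DDF models the data decryption field: the FEK encrypted under the
// user's public key, plus a fingerprint identifying which key pair did it.
// (Hypothetical layout; EFS records a certificate hash and SID instead.)
type DDF struct {
	KeyFingerprint []byte // SHA-256 of the RSA modulus, stand-in for the cert hash
	WrappedFEK     []byte // RSA-OAEP(FEK)
}

// EncryptedFile is the file as stored on disk: ciphertext plus its DDF.
type EncryptedFile struct {
	Ciphertext []byte // data encrypted under the FEK (AES-GCM stands in for DESX)
	Nonce      []byte // AES-GCM nonce, stored alongside the ciphertext
	DDF        DDF
}

// fingerprint identifies a key pair without revealing anything secret.
func fingerprint(pub *rsa.PublicKey) []byte {
	sum := sha256.Sum256(pub.N.Bytes())
	return sum[:]
}

// EncryptFile draws a fresh random FEK, encrypts data with it, and wraps the
// FEK under pub so that only the matching private key can unwrap it.
func EncryptFile(pub *rsa.PublicKey, data []byte) (*EncryptedFile, error) {
	fek := make([]byte, 32) // 256-bit FEK
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		Ciphertext: ct,
		Nonce:      nonce,
		DDF:        DDF{KeyFingerprint: fingerprint(pub), WrappedFEK: wrapped},
	}, nil
}

// DecryptFile locates the DDF for priv, unwraps the FEK, and decrypts the data.
// The fingerprint check only selects the entry; the security rests on RSA-OAEP,
// which fails for any private key other than the one the FEK was wrapped to.
func DecryptFile(priv *rsa.PrivateKey, f *EncryptedFile) ([]byte, error) {
	if !bytes.Equal(fingerprint(&priv.PublicKey), f.DDF.KeyFingerprint) {
		return nil, errors.New("no DDF entry for this key pair")
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.DDF.WrappedFEK, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap FEK: %w", err)
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := EncryptFile(&owner.PublicKey, []byte("constructed sample: salary data"))
	pt, err := DecryptFile(owner, f)
	fmt.Printf("owner: %q (err=%v)\n", pt, err)
	_, err = DecryptFile(other, f)
	fmt.Println("other user:", err)
}
```

Copying the file to another volume copies the DDF with it, so the ciphertext is still protected; what cannot be copied this way is the owner's private key, which is why the summary says that key must be available to decrypt.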