How Encryption Keys Are Protected

When an encrypted file is saved, Windows 2000 automatically provides five levels of encryption:

  1. EFS provides the FEK, which encrypts the data in the file.

  2. EFS uses the public key in the user's EFS certificate and the public keys in the recovery agents' certificates to encrypt the FEK. The public keys and certificates are stored by default in the certificate stores for each computer. The corresponding private keys, to be used for decrypting the FEK, are stored in an encrypted form in the user profiles for the corresponding user or recovery administrator account in the RSA folder.

  3. The Protected Storage service generates the user's master key that is used to encrypt the user's private key.

  4. The Protected Storage service generates a symmetric password encryption key, derived from a hash of the file creator's credentials, that encrypts the user's master key. It also generates a second such key, the backup/restore key, that incorporates an additional hash derived from the backup/restore master key on the domain controller.

  5. The system key can optionally be used to protect all master keys, as well as a variety of other secrets stored on the computer. At system startup, Windows 2000 obtains the system key and uses it to decrypt all the private keys on the computer, including the private keys used for EFS.
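The five levels above as a toy Python model, added here as an illustration and not Microsoft's or EFS's own code: an HMAC-SHA256 keystream XOR stands in for the symmetric ciphers, textbook RSA with tiny primes stands in for the certificate key pair, PBKDF2 over a password stands in for the credential hash, and a fixed constant stands in for the system key; every key and salt is constructed, and the recovery agent's copy of the FEK (the same wrap under the agent's public key) is left out for brevity. What the model shows is that the plaintext is only reachable by unwinding the whole chain, so a wrong credential at level 4 yields garbage at every level below it.

```python
"""Toy model of the five EFS protection levels (constructed example, not EFS code)."""
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Symmetric stand-in: XOR data with an HMAC-SHA256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Toy RSA pair standing in for the user's EFS certificate (insecure sizes).
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SYSTEM_KEY = b"constructed-system-key"  # Level 5 stand-in

def rsa_wrap(fek: bytes, pub: tuple) -> list:
    # Level 2: the FEK is encrypted under a public key, one byte per RSA block.
    e, n = pub
    return [pow(b, e, n) for b in fek]

def rsa_unwrap(blocks: list, priv: tuple) -> bytes:
    d, n = priv
    # Masking keeps garbage output in byte range when the wrong private key is used.
    return bytes(pow(c, d, n) & 0xFF for c in blocks)

def credential_key(password: bytes) -> bytes:
    # Level 4: password encryption key derived from a hash of the user's credentials.
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 10_000)

def protect_file(plaintext: bytes, password: bytes) -> dict:
    fek = os.urandom(16)         # Level 1: file encryption key
    master_key = os.urandom(32)  # Level 3: user's master key
    enc_master = keystream_xor(credential_key(password), master_key)
    return {
        "ciphertext": keystream_xor(fek, plaintext),
        "ddf": rsa_wrap(fek, (E, N)),  # Data Decryption Field: FEK under the public key
        "enc_private_key": keystream_xor(master_key, D.to_bytes(8, "big")),
        "enc_master_key": keystream_xor(SYSTEM_KEY, enc_master),  # Level 5 on top
    }

def recover_file(blob: dict, password: bytes) -> bytes:
    # Unwind the chain: system key -> credential key -> master key -> private key -> FEK.
    enc_master = keystream_xor(SYSTEM_KEY, blob["enc_master_key"])
    master_key = keystream_xor(credential_key(password), enc_master)
    d = int.from_bytes(keystream_xor(master_key, blob["enc_private_key"]), "big")
    fek = rsa_unwrap(blob["ddf"], (d, N))
    return keystream_xor(fek, blob["ciphertext"])
```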