When a message is encrypted, the client generates a random secret key called a bulk encryption key, which is used to encrypt the message. The recipient's public encryption key is then used to encrypt the bulk encryption key in a lockbox. The lockbox allows the random bulk encryption key to be transmitted securely to the recipients. If an encrypted message is sent to several people, each recipient's public encryption key is used to generate a different lockbox, but the message contents are encrypted only once.

Encrypting a Message
When a sender encrypts a message, the client retrieves a certificate for each message recipient from the global address list. A bulk encryption key is then randomly generated and used to encrypt the contents of the message. Each recipient's public encryption key is then retrieved from the recipient's certificate and used to encrypt the bulk encryption key in a lockbox. Finally, the lockbox and the encrypted message are sent to the recipient. The following illustration shows the steps in the process.
When a recipient decrypts a message, Microsoft Exchange Server retrieves the recipient's private encryption key from the recipient's security (.epf) file. The recipient's private encryption key is then used to decrypt the lockbox. Finally, the bulk encryption key contained in the lockbox is used to decrypt the message. The following illustration shows the steps in the process.
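The following Go program is an added example that works through both procedures above (encrypting for several recipients, then decrypting as one of them); it is not code from Microsoft Exchange Server and does not reproduce Exchange's message or .epf formats. The algorithm choices are assumptions for illustration only: AES-256-GCM stands in for the bulk cipher, RSA-OAEP stands in for the public-key encryption of the lockbox, and the `Lockbox`, `Envelope`, `EncryptForRecipients` and `Decrypt` names are invented here. The example shows the two properties the text describes: the message body is encrypted exactly once, and each recipient gets a lockbox that only their private key can open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Lockbox is the bulk encryption key sealed under one recipient's public key.
// (Constructed structure; not Exchange's wire format.)
type Lockbox struct {
	Recipient  string
	WrappedKey []byte // RSA-OAEP ciphertext of the bulk key (assumed algorithm)
}

// Envelope carries the message encrypted once under the bulk key, plus one
// lockbox per recipient.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included (assumed algorithm)
	Lockboxes  []Lockbox
}

// oaepLabel binds the wrapped key to its purpose; any fixed value works as
// long as wrap and unwrap agree.
var oaepLabel = []byte("bulk-encryption-key")

// EncryptForRecipients plays the sender's client: generate a random bulk key,
// encrypt the body once, then wrap the bulk key separately for each recipient
// using that recipient's public encryption key.
func EncryptForRecipients(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	bulkKey := make([]byte, 32) // fresh random key for this message only
	if _, err := rand.Read(bulkKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(bulkKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
	for name, pub := range recipients {
		// One lockbox per recipient; the body above is never re-encrypted.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, bulkKey, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.Lockboxes = append(env.Lockboxes, Lockbox{Recipient: name, WrappedKey: wrapped})
	}
	return env, nil
}

// Decrypt plays one recipient: open the lockbox addressed to them with their
// private encryption key, then use the recovered bulk key on the body. A wrong
// private key fails at the OAEP step, and a tampered body fails the GCM tag check.
func Decrypt(env *Envelope, recipient string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, lb := range env.Lockboxes {
		if lb.Recipient != recipient {
			continue
		}
		bulkKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, lb.WrappedKey, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("lockbox for %s did not open: %w", recipient, err)
		}
		block, err := aes.NewCipher(bulkKey)
		if err != nil {
			return nil, err
		}
		aead, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no lockbox addressed to %s", recipient)
}

func main() {
	// Constructed sample: two recipients with freshly generated key pairs.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, err := EncryptForRecipients([]byte("quarterly numbers attached"),
		map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	fmt.Printf("body encrypted once (%d bytes), %d lockboxes\n", len(env.Ciphertext), len(env.Lockboxes))
	msg, err := Decrypt(env, "bob", bob)
	fmt.Printf("bob reads: %q (err=%v)\n", msg, err)
	_, err = Decrypt(env, "alice", bob) // bob's key cannot open alice's lockbox
	fmt.Printf("bob opening alice's lockbox: err=%v\n", err)
}
```

Two design points worth noticing: the bulk key exists only for this message, so compromising it exposes one message rather than a recipient's mailbox, and the private key is used only to unwrap a 32-byte key, never to decrypt the (possibly large) body directly.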