TABLE 1: EFS Encryption Process Summary | |
Step in Sequence | Process |
1 | The user profile loads to the Registry, if necessary. |
2 | EFS creates a log file named efsX.log in the System Volume Information subdirectory. X is a unique number in the filename (e.g., efs0.log). EFS writes to the log file when performing subsequent steps in the encryption process so that EFS can recover the file in case of system failure during the encryption process. |
3 | Microsoft Base Cryptographic Provider generates a random 128-bit FEK for the file. |
4 | EFS reads the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash Registry value to identify the user's public key/private key pair. |
5 | EFS creates a DDF key ring with an entry for the user and associates the key ring with the file. The entry contains a copy of the FEK that the user's EFS public key encrypted. |
6 | EFS creates a DRF key ring for the file with an entry for each Recovery Agent on the system. Each entry contains a copy of the FEK that the Recovery Agent's EFS public key encrypted. |
7 | EFS creates a backup file, efsX.tmp, in the directory in which the file undergoing encryption resides. X is a unique number in the filename (e.g., efs0.tmp). |
8 | EFS places the DDF and DRF key rings in a header and adds the header to the file as the file's EFS attribute. |
9 | EFS marks the backup file as encrypted and copies the original file to the backup file. |
10 | EFS destroys the original file's contents and copies the backup to the original file. The copy operation results in the data's encryption, because the backup file is marked as encrypted. |
11 | EFS deletes the backup file. |
12 | EFS deletes the log file. |
13 | The user profile unloads from the Registry if it loaded in step 1. |