Windows 7 EFS, where are the FEK stored?

2

I feel confused. I have read many technical docs from Microsoft and the wiki: the FEK is generated for each file and stored in the file headers.

But according to this blog, windows-7-how-to-use-cipher-exe-a-critical-win-7-security-tool, the blogger says they are stored in the Security Account Manager / Credential Manager.

What exactly happens in Windows 7? I googled and read Microsoft TechNet, but most of it is only based on the EFS of Windows 2000-XP.

user193372

Posted 2017-01-20T02:37:06.227

Reputation:

Answers

1

The File Encryption Key (emphasis on the File part) is and always has been stored in the file. That's confirmed by this MS document from the XP era, dated June 2006. Windows 7 was released in 2009.

After all, different files can have different users allowed to decrypt them. You can add extra users to an already-encrypted file with the /adduser mode of the cipher utility. There is one FEK for each file, but it can be present multiple times in each file, encrypted differently with the key for each approved user. It would be strange to keep per-file information in the SAM, which deals with things like users.

The blogger is probably getting the FEKs and user keys confused. (Remember, the file contents are encrypted with the FEK, which is stored encrypted by one or more user keys.) Windows 2000 did indeed store a copy of each user's key as an LSA secret, and LSA secrets are readable offline. Also, the Administrator account was by default a Data Recovery Agent in Windows 2000 and therefore could decrypt any EFS-protected file. Those issues are now addressed.

Ben N

Posted 2017-01-20T02:37:06.227

Reputation: 32 973
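A small Python model of the layout the answer describes, added here as an illustration and not Windows or EFS code: one FEK per file encrypts the contents, and the file carries one wrapped copy of that FEK per approved user, so /adduser re-wraps the FEK without touching the ciphertext. The names EncryptedFile, ddf and adduser are this example's own, and an HMAC-SHA256 keystream stands in for EFS's RSA key wrapping and AES content cipher so it runs with the standard library alone.

```python
"""Envelope model of EFS key handling (constructed illustration, not EFS code).

The structure is the point, not the cipher: a per-file FEK protects the data,
and the FEK is stored with the file once per user, wrapped under that user's
key. Real EFS wraps the FEK under each user's RSA public key; this model wraps
it with a symmetric user key and an unauthenticated toy stream cipher, so a
wrong key yields garbage rather than an error.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


class EncryptedFile:
    """Ciphertext plus a per-user Data Decryption Field: {user: wrapped FEK}."""

    def __init__(self, plaintext: bytes, owner: str, owner_key: bytes):
        fek = os.urandom(32)                        # one FEK per file
        self.ciphertext = keystream_xor(fek, plaintext)
        # The FEK itself is never kept in the clear; only wrapped copies
        # live with the file (nothing per-file goes into a user database).
        self.ddf = {owner: keystream_xor(owner_key, fek)}

    def adduser(self, user: str, user_key: bytes, new_user: str, new_key: bytes):
        """cipher /adduser analogue: an approved user unwraps the FEK and
        re-wraps it for another user. The contents are not re-encrypted."""
        fek = keystream_xor(user_key, self.ddf[user])
        self.ddf[new_user] = keystream_xor(new_key, fek)

    def decrypt(self, user: str, user_key: bytes) -> bytes:
        """Unwrap this user's copy of the FEK, then decrypt the contents."""
        if user not in self.ddf:
            raise PermissionError(f"{user} has no DDF entry for this file")
        fek = keystream_xor(user_key, self.ddf[user])
        return keystream_xor(fek, self.ciphertext)
```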