Protected Data Format
Protected data is stored as an ASN.1 encoded BLOB. The data is formatted as CMS (certificate message syntax) enveloped content. The digital envelope contains encrypted content, recipient information that contains an encrypted content encryption key (CEK), and a header that contains information about the content, including the unencrypted protection descriptor rule string. This is shown by the following diagram.