Encryption Overview (Windows Embedded CE 6.0)
When you enable encryption for a Windows Embedded CE OS design, the encryption filter intercepts all programmatic calls that attempt to modify data on the storage card. The filter encrypts the data before the file system modifies or stores the data, and records the key used to encrypt the file. The filter intercepts both read actions and write actions, to or from the storage card.
The encryption filter affects only modified data; it does not encrypt pre-existing files on the media when it is loaded.
The filter encrypts everything in a target file, including the header, in page-size blocks of 4 KB.
When the filter encrypts a file, it changes the file name, for example from MyFile.txt to MyFile.txt.<encryption extension>. The name change is transparent to users. The file name exposed to the file system always includes the encryption extension, but the file name returned to an application appears to be the original file name.
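Because pre-existing files are left unencrypted and encrypted files carry the extension in their on-media name, a card can be audited offline for files the filter never touched. The following is an added example, not code from the Windows Embedded CE documentation: it assumes the card is mounted on a workstation, the function names are hypothetical, and ".encext" is a placeholder for the real encryption extension, which this page does not state.

```python
import os
import tempfile

def audit_card(root, enc_ext):
    """Classify files under root by their on-media name.
    encrypted: name ends with the encryption extension
    shadowed:  plaintext name that also has an encrypted sibling
    plaintext: no extension and no encrypted sibling (never rewritten)"""
    ext = enc_ext.lower()
    if not ext.startswith("."):
        ext = "." + ext
    report = {"encrypted": [], "plaintext": [], "shadowed": []}
    for dirpath, _dirs, files in os.walk(root):
        # FAT-style media are case-insensitive, so compare lowercased names.
        names = {f.lower() for f in files}
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            low = name.lower()
            if low.endswith(ext) and len(low) > len(ext):
                report["encrypted"].append(rel)
            elif low + ext in names:
                report["shadowed"].append(rel)
            else:
                report["plaintext"].append(rel)
    return report

def build_sample_card(root, enc_ext):
    """Constructed sample tree standing in for a mounted storage card."""
    layout = ["old_notes.txt", "report.doc" + enc_ext,
              "logs/app.log", "logs/app.log" + enc_ext.upper(),
              "logs/new.dat" + enc_ext]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")

def demo():
    enc_ext = ".encext"  # placeholder: the real extension is not given here
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card, enc_ext)
        return audit_card(card, enc_ext)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported as plaintext or shadowed are candidates for re-writing through the filter or for removal from the card, depending on policy.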
You can establish encryption policy by making appropriate registry settings.
The encryption filter requires the cache manager for the following reasons:
There are some multithreaded scenarios that the encryption filter does not handle, but the cache manager does.
The cache manager supports and implements file locking, but the encryption filter does not.
The performance impact for the encryption filter is significant. However, with the cache manager, this impact is almost negligible.