Encryption Overview (Windows Embedded CE 6.0)


When you enable encryption for a Windows Embedded CE OS design, the encryption filter intercepts all programmatic calls that attempt to modify data on the storage card. The filter encrypts the data before the file system modifies or stores the data, and records the key used to encrypt the file. The filter intercepts both read actions and write actions, to or from the storage card.

The encryption filter affects only modified data; it does not encrypt pre-existing files on the media when it is loaded.

The filter encrypts everything in a target file, including the header, in page-size blocks of 4 KB.

When the filter encrypts a file, it changes the file name, from MyFile.txt to MyFile.txt.<encryption extension>. The name change is transparent to users. The file name exposed to the file system always includes the encryption extension, but the file name returned to an application appears to be the original file name.

You can establish encryption policy by making appropriate registry settings.

A file system must mask off any file attribute bits that it does not support in MyFSD_CreateFileW and MyFSD_SetFileAttributesW.

To include encryption in your OS design, set the SYSGEN_ENCFILT environment variable during build.

Use the GetFileAttributes or the GetFileAttributesEx function to obtain the encryption attribute of a file or directory.
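The three points above (the transparent name change, the attribute masking an FSD must do, and reading the encryption attribute) fit together in a small model. The following C block is an added example and not Microsoft's code: it uses the numeric attribute values from winnt.h, a hypothetical FSD whose supported attribute set is `MYFSD_SUPPORTED_ATTRS`, and a placeholder encryption extension passed in as a parameter because this page does not name the real one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* File-attribute bit values, as defined in winnt.h. */
#define ATTR_READONLY   0x00000001u
#define ATTR_HIDDEN     0x00000002u
#define ATTR_SYSTEM     0x00000004u
#define ATTR_DIRECTORY  0x00000010u
#define ATTR_ARCHIVE    0x00000020u
#define ATTR_NORMAL     0x00000080u
#define ATTR_ENCRYPTED  0x00004000u
/* GetFileAttributes returns this DWORD value on failure. */
#define INVALID_ATTRS   0xFFFFFFFFu

/* Hypothetical FSD: the attribute bits it actually stores on the media. */
#define MYFSD_SUPPORTED_ATTRS \
    (ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_DIRECTORY | ATTR_ARCHIVE | ATTR_NORMAL)

/* What MyFSD_CreateFileW and MyFSD_SetFileAttributesW must do: drop every bit
   the FSD does not support (ATTR_ENCRYPTED included), so that unsupported bits
   are never persisted or echoed back as if they were honoured. */
uint32_t myfsd_mask_attributes(uint32_t requested)
{
    return requested & MYFSD_SUPPORTED_ATTRS;
}

/* Interpret the value an application gets from GetFileAttributes: a failed
   call must not be mistaken for "encrypted" just because all bits are set. */
bool is_encrypted(uint32_t attrs)
{
    return attrs != INVALID_ATTRS && (attrs & ATTR_ENCRYPTED) != 0;
}

/* Map the name stored on the media to the name the application sees by
   stripping the encryption extension. Returns 1 if the extension was present
   (file is encrypted), 0 if not, -1 if out is too small. */
int app_name_from_stored(const char *stored, const char *enc_ext,
                         char *out, size_t outlen)
{
    size_t slen = strlen(stored), elen = strlen(enc_ext);
    bool encrypted = elen > 0 && slen > elen &&
                     strcmp(stored + slen - elen, enc_ext) == 0;
    size_t keep = encrypted ? slen - elen : slen;
    if (keep + 1 > outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    memcpy(out, stored, keep);
    out[keep] = '\0';
    return encrypted ? 1 : 0;
}

/* Reverse mapping: the name the filter exposes to the file system.
   Returns true on success, false if out is too small. */
bool stored_name_from_app(const char *app, const char *enc_ext,
                          char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", app, enc_ext);
    return n >= 0 && (size_t)n < outlen;
}

/* Round trip with a constructed, placeholder extension ".encx". */
bool roundtrip_ok(void)
{
    char stored[64], app[64];
    if (!stored_name_from_app("MyFile.txt", ".encx", stored, sizeof stored))
        return false;
    if (app_name_from_stored(stored, ".encx", app, sizeof app) != 1)
        return false;
    return strcmp(app, "MyFile.txt") == 0 &&
           strcmp(stored, "MyFile.txt.encx") == 0;
}

int main(void)
{
    uint32_t req = ATTR_READONLY | ATTR_ENCRYPTED;
    printf("requested 0x%x -> stored 0x%x\n", req, myfsd_mask_attributes(req));
    printf("encrypted? %s\n", is_encrypted(ATTR_ARCHIVE | ATTR_ENCRYPTED) ? "yes" : "no");
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "failed");
    return 0;
}
```

The point worth checking in a real FSD is the masking step: if `ATTR_ENCRYPTED` leaks through an FSD that does not implement it, `GetFileAttributes` will report files as encrypted that the filter never touched.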

The encryption filter requires the cache manager for the following reasons:

  1. There are some multithreaded scenarios that the encryption filter does not handle, but the cache manager does.
  2. The cache manager supports and implements file locking, but the encryption filter does not.
  3. The performance impact for the encryption filter is significant. However, with the cache manager, this impact is almost negligible.
