Encryption Overview (Windows Embedded CE 6.0)

1/6/2010

When you enable encryption for a Windows Embedded CE OS design, the encryption filter intercepts all programmatic calls that attempt to modify data on the storage card. The filter encrypts the data before the file system modifies or stores the data, and records the key used to encrypt the file. The filter intercepts both read actions and write actions, to or from the storage card.

The encryption filter affects only modified data; it does not encrypt files that already exist on the media when the filter is loaded.

The filter encrypts everything in a target file, including the header, in page-size blocks of 4 KB.

When the filter encrypts a file, it changes the file name, for example from MyFile.txt to MyFile.txt.<encryption extension>. The name change is transparent to users. The file name exposed to the file system always includes the encryption extension, but the file name returned to an application appears to be the original file name.

You can establish encryption policy by making appropriate registry settings.

In its MyFSD_CreateFileW and MyFSD_SetFileAttributesW implementations, a file system must mask off any file attribute bits that it does not support.

Including Encryption in a Run-Time Image

To include encryption in your OS design, set the SYSGEN_ENCFILT environment variable during the build.

Determining Whether a File Is Encrypted

Use the GetFileAttributes or the GetFileAttributesEx function to obtain the encryption attribute of a file or directory.
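The following C code is an added example, not part of the original documentation. It lists files in one directory that lack the encryption attribute, such as files that were on the card before the filter was loaded. It assumes the attribute is reported as FILE_ATTRIBUTE_ENCRYPTED; classify_attributes and count_plaintext_files are hypothetical helper names.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else  /* off-target build: same values as the Win32 headers */
#include <stdint.h>
typedef uint32_t DWORD;
#define FILE_ATTRIBUTE_DIRECTORY 0x00000010u
#define FILE_ATTRIBUTE_ENCRYPTED 0x00004000u
#endif
#ifndef INVALID_FILE_ATTRIBUTES
#define INVALID_FILE_ATTRIBUTES ((DWORD)-1)  /* GetFileAttributes failure value */
#endif
enum enc_state { ENC_ERROR, ENC_DIRECTORY, ENC_ENCRYPTED, ENC_PLAINTEXT };

/* Interpret a GetFileAttributes result (assumption: the encryption attribute
   is FILE_ATTRIBUTE_ENCRYPTED). The failure value 0xFFFFFFFF has every bit
   set, so it must be rejected before the bit test; otherwise a missing or
   unreadable file would be reported as encrypted. */
enum enc_state classify_attributes(DWORD attrs)
{
    if (attrs == INVALID_FILE_ATTRIBUTES) return ENC_ERROR;
    if (attrs & FILE_ATTRIBUTE_DIRECTORY) return ENC_DIRECTORY;
    return (attrs & FILE_ATTRIBUTE_ENCRYPTED) ? ENC_ENCRYPTED : ENC_PLAINTEXT;
}

#ifdef _WIN32
/* Count the files directly under dir that lack the encryption attribute.
   Returns -1 if the search pattern is too long or FindFirstFileW fails. */
int count_plaintext_files(const wchar_t *dir)
{
    wchar_t path[MAX_PATH];
    WIN32_FIND_DATAW fd;
    HANDLE h;
    int plain = 0;
    if (_snwprintf(path, MAX_PATH - 1, L"%s\\*", dir) < 0) return -1;
    path[MAX_PATH - 1] = L'\0';
    h = FindFirstFileW(path, &fd);
    if (h == INVALID_HANDLE_VALUE) return -1;
    do {
        if (_snwprintf(path, MAX_PATH - 1, L"%s\\%s", dir, fd.cFileName) < 0)
            continue;  /* full path does not fit in MAX_PATH: skip the entry */
        path[MAX_PATH - 1] = L'\0';
        if (classify_attributes(GetFileAttributesW(path)) == ENC_PLAINTEXT) {
            wprintf(L"not encrypted: %s\n", path);
            plain++;
        }
    } while (FindNextFileW(h, &fd));
    FindClose(h);
    return plain;
}
#endif
```
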

Cache Manager and Encryption Filter

The encryption filter requires the cache manager for the following reasons:

  1. There are some multithreaded scenarios that the encryption filter does not handle, but the cache manager does.
  2. The cache manager supports and implements file locking, but the encryption filter does not.
  3. The performance impact for the encryption filter is significant. However, with the cache manager, this impact is almost negligible.

See Also

Concepts

Enabling Encryption for a Storage Device
Setting Encryption Policy in the Registry

Other Resources

File System Encryption