Export (0) Print
Expand All

1.1 Glossary

The following terms are defined in [MS-GLOS]:

access control list (ACL)
binary large object (BLOB)
certificate template
Encrypting File System (EFS)
file system
fully qualified domain name (FQDN)
globally unique identifier (GUID)
Kerberos constrained delegation
Lightweight Directory Access Protocol (LDAP)
named pipe
private key
public key
Public Key Infrastructure (PKI)
remote procedure call (RPC)
Rivest-Shamir-Adleman (RSA)
RPC protocol sequence
RPC transport
security context
security identifier (SID)
security provider
Security Support Provider Interface (SSPI)
Server Message Block (SMB)
Universal Naming Convention (UNC)
universally unique identifier (UUID)
well-known endpoint

The following terms are specific to this document:

Advanced Encryption Standard (AES): A cryptographic algorithm that can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is a symmetric cipher, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is specified in [FIPS197].

Data Decryption Field (DDF): The portion of the EFSRPC Metadata that contains information that enables authorized users to decrypt the file.

data recovery agent (DRA): A logical entity corresponding to an asymmetric key pair that is configured as part of administrative policy by an administrator. When an EFS file is created or modified, it is also automatically configured to give all DRAs in effect at that time the ability to decrypt it.

data recovery field (DRF): The portion of the EFSRPC Metadata that contains information that enables authorized DRAs to decrypt the file.

EFSRPC Raw Data Format: The data format used by the EFSRPC raw methods to marshal the contents and metadata of an encrypted file into a single-bit stream. It is specified in section 2.2.3.

EFSRPC Metadata: The additional data stored with an encrypted file to enable authorized users to access the data in the file. The format of this metadata is implementation-dependent. The EFSRPC Metadata general requirements are specified in detail in section 2.2.2 and the Windows format is specified in associated endnotes in Appendix B of this specification.

file: A unit of data in the file system. An encrypted file consists of encrypted data along with the metadata required for a user to decrypt the file. The file and its metadata are protected using public key cryptography such that an authorized user's private key is required to decrypt the file.

File Encryption Key (FEK): The symmetric key that is used to encrypt the data in an EFS-protected file. The FEK is further encrypted and stored in the file metadata such that only authorized users can access it.

folder: A container for files and other folders. A folder may be encrypted. The semantics of encrypting a folder are implementation-dependent. In the Windows implementation, encrypting a folder does not directly cause any data to be encrypted. Encrypting a folder in Windows has the following consequences:

  • EFSRPC Metadata is created and stored with the folder.

  • An NTFS attribute is set on the folder to signify that it is encrypted. NTFS checks this attribute when any new files or folders are created in the folder. NTFS will automatically encrypt any files or folders created within a folder that has this attribute set.

New Technology File System (NTFS): The native file system of Windows 2000, Windows XP, Windows Vista, Windows 7, and Windows 8. Within this document, this term is occasionally used to refer to the operating system subsystem that implements NTFS support. For more information, see [MSFT-NTFS].

sparse file: A file containing large sections of data composed only of zeros, which is marked as such in the NTFS. The file system saves disk space by only allocating as many ranges on disk as are required to completely reconstruct the non-zero data. When an attempt is made to read in the nonallocated portions of the file (also known as holes), the file system automatically returns zeros to the caller.

valid data length (VDL): In NTFS, there are two important concepts of file length: the end-of-file (EOF) marker and the valid data length (VDL). The EOF indicates the actual length of the file. The VDL identifies the length of valid data on disk. Any reads between VDL and EOF automatically return zeros.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

© 2015 Microsoft