Key

/ˌɛf iː ˈkeɪ/

noun — "file encryption key."

FEK, short for File Encryption Key, is a symmetric cryptographic key used to encrypt and decrypt the contents of a single file within systems like EFS. Each file protected by a filesystem-level encryption mechanism typically has its own unique FEK to ensure isolation and minimize the risk of large-scale data compromise if one key is exposed.

Technically, FEK is a randomly generated symmetric key, often using AES (Advanced Encryption Standard) or similar algorithms. When a file is saved, the operating system encrypts its contents using the FEK. The FEK itself is then encrypted using the public key of authorized users, creating an encrypted wrapper that allows secure sharing of the file without exposing the symmetric key directly. This hybrid approach combines the speed of symmetric encryption with the secure key distribution of asymmetric cryptography.

Operationally, writing to a file involves generating or retrieving its FEK, encrypting the data blocks with it, and storing the encrypted key in the file’s metadata. Reading the file requires decrypting the FEK using the user’s private key and then using it to decrypt the file’s contents. This process ensures that even if the raw file data is copied from disk, it remains inaccessible without the correct private key to unlock the FEK.

Example of an FEK usage workflow:

Generate random FEK for file
Encrypt file data using FEK
Encrypt FEK with user public key
Store encrypted file + encrypted FEK metadata
On read: Decrypt FEK using private key
Use FEK to decrypt file data

In practice, FEKs provide granular file-level encryption, allowing selective protection of sensitive files within the same volume or filesystem. Systems like EFS often manage thousands of FEKs transparently, enabling secure backups, authorized access delegation, and recovery without user intervention.

Conceptually, a FEK is like a personal combination lock for each file: the file’s contents are the protected item, and the FEK is the key. Only users with the corresponding unlock mechanism (private key) can retrieve the contents safely, while the operating system handles the mechanics behind the scenes.

See EFS, Encryption, Access Control.

/ˌkeɪ-ɛs-ˈkeɪ/

n. “The master key that vouches for all zone signatures in DNSSEC.”

KSK, short for Key Signing Key, is a cryptographic key used in DNSSEC (Domain Name System Security Extensions) to sign the Zone Signing Keys (ZSKs) of a DNS zone. Unlike the ZSK, which signs individual DNS records, the KSK signs the keys themselves, creating a trust chain that allows resolvers to verify the authenticity of the DNS data.

Key characteristics of a KSK include:

• Signs Keys, Not Records: KSK signs the ZSKs, which in turn sign the DNS records within a zone.
• Longer Lifespan: KSKs are typically rotated less frequently than ZSKs to maintain stability in the DNSSEC trust chain.
• Establishes Trust: By signing ZSKs, the KSK allows clients and resolvers to verify that the zone’s DNS records are authentic.
• Part of the DNSSEC Hierarchy: Works alongside ZSK to form a chain of trust that secures DNS responses from tampering or forgery.

Conceptually, the KSK is like a master notary that certifies the signatures of the ZSK, which then “sign” the actual DNS records. This two-tier system ensures that both the keys and the data they sign can be trusted.

In essence, KSK is a fundamental building block of DNSSEC security, providing the top-level assurance that DNS information is authentic, untampered, and reliable for clients and resolvers.

/ˌziː-ɛs-ˈkeɪ/

n. “The key that signs your DNS zone like a digital seal.”

ZSK, short for Zone Signing Key, is a cryptographic key used in DNSSEC (Domain Name System Security Extensions) to digitally sign the records within a DNS zone. It ensures the integrity and authenticity of the DNS data, allowing resolvers to verify that the information has not been tampered with.

Key characteristics of a ZSK include:

• Zone-Level Signing: Signs all resource records in a DNS zone except for the delegation-related keys.
• Shorter Lifespan: Typically rotated more frequently than the Key Signing Key (KSK) to reduce exposure if compromised.
• Part of DNSSEC Chain: Works in conjunction with the KSK to create a trust hierarchy for DNS validation.
• Ensures Data Integrity: Prevents DNS spoofing or cache poisoning attacks by enabling cryptographic verification.

Conceptually, the ZSK acts like a signature pen for a specific DNS zone — every time a DNS record is published or updated, it is “signed” using the ZSK so that clients and resolvers can trust its authenticity.

In essence, ZSK is a critical component of DNSSEC that provides ongoing security for DNS zones, enabling users to trust the accuracy and integrity of the domain information they rely on.