/ˌɛf iː ˈkeɪ/
noun — "file encryption key."
FEK, short for File Encryption Key, is a symmetric cryptographic key used to encrypt and decrypt the contents of a single file in filesystem-level encryption systems such as the Encrypting File System (EFS). Each protected file typically has its own unique FEK, so that exposure of one key compromises only that file rather than the whole volume.
Technically, an FEK is a randomly generated symmetric key, usually for AES (Advanced Encryption Standard) or a comparable algorithm. When a file is saved, the operating system encrypts its contents with the FEK. The FEK itself is then encrypted under the public key of each authorized user, producing a wrapped copy of the key that can be stored alongside the file and shared without ever exposing the symmetric key directly. This hybrid approach combines the speed of symmetric encryption with the secure key distribution of asymmetric cryptography.
Operationally, writing to a file involves generating or retrieving its FEK, encrypting the data blocks with it, and storing the wrapped FEK in the file's metadata. Reading the file requires decrypting the FEK with the user's private key and then using the recovered FEK to decrypt the file's contents. Even if the raw file data is copied off the disk, it therefore remains inaccessible without the private key that unlocks the FEK.
Example of an FEK usage workflow:
1. Generate a random FEK for the file.
2. Encrypt the file data using the FEK.
3. Encrypt the FEK with the user's public key.
4. Store the encrypted file together with the encrypted FEK as metadata.
On read:
5. Decrypt the FEK using the private key.
6. Use the FEK to decrypt the file data.
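The six steps above, as an added Go example (this is illustrative code, not EFS's own implementation or on-disk format): AES-256-GCM stands in for the file cipher and RSA-OAEP for wrapping the FEK, and the assumed helper newUserKey generates a throwaway RSA-2048 key pair in place of a user's certificate. The second OpenFile call shows that a key holder who was never granted access to the file cannot recover its FEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is the stored record: ciphertext plus the FEK wrapped under one user's public key.
type EncryptedFile struct{ Nonce, Ciphertext, WrappedFEK []byte }
// newUserKey stands in for a user's certificate: an RSA-2048 key pair (assumed helper).
func newUserKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// ProtectFile: fresh 256-bit FEK, AES-GCM over the data, FEK wrapped with RSA-OAEP (steps 1-4).
func ProtectFile(data []byte, pub *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // per-file FEK (32 bytes) followed by a GCM nonce (12 bytes)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // a 32-byte key is always valid
	gcm, _ := cipher.NewGCM(block) // the standard 12-byte nonce is always valid
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, gcm.Seal(nil, nonce, data, nil), wrapped}, nil
}
// OpenFile: unwrap the FEK with the private key, then decrypt (steps 5-6). A wrong key or a tampered record fails here.
func OpenFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedFEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap FEK: %w", err)
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	user := newUserKey()
	rec, _ := ProtectFile([]byte("quarterly report"), &user.PublicKey)
	plain, err := OpenFile(rec, user)
	fmt.Printf("%s, %v\n", plain, err) // quarterly report, <nil>
	_, err = OpenFile(rec, newUserKey()) // a key that was never granted access to this file
	fmt.Println(err)                     // prints the unwrap error instead of any plaintext
}
```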
In practice, FEKs provide granular file-level encryption, allowing selective protection of sensitive files within the same volume or filesystem. Systems like EFS often manage thousands of FEKs transparently, enabling secure backups, authorized access delegation, and recovery without user intervention.
Conceptually, an FEK is like a separate lock on each file: the file's contents are the protected item, the FEK is the key that opens the lock, and the user's private key is what releases that key from its wrapped form. Only users holding the corresponding private key can retrieve the contents, while the operating system handles the mechanics behind the scenes.
See EFS, Encryption, Access Control.