3.1.4.2.5 Receiving an EfsRpcEncryptFileSrv Message (Opnum 4)

The EfsRpcEncryptFileSrv method is used to convert a given object on the server to an encrypted state in the server's data store.

 long EfsRpcEncryptFileSrv(
   [in] handle_t binding_h,
   [in, string] wchar_t* FileName
 );

binding_h: This is an RPC binding handle parameter, as specified in [C706] and [MS-RPCE] section 2.

FileName: An EFSRPC identifier as specified in section 2.2.1.

Return Values: The server MUST return 0 if it successfully processes the message received from the client. The server MUST return a nonzero value if processing fails.

If no object exists on the server with the specified name, the server MUST return a nonzero value. If the object exists and is already encrypted:

  • If the object is a container for other objects, the server SHOULD return 0 to indicate success.

  • If the object is not a container object, the server SHOULD check to confirm that the calling user has access to a private key that can decrypt the file and, if so, return 0 to indicate success. If the calling user does not have access to a private key that can decrypt the file, the server SHOULD return a nonzero value.

If the object exists and is not encrypted, the server SHOULD use the algorithm specified in section 3.1.4.1 to locate a user certificate for the calling user, specifying the client identity associated with the RPC call ([MS-RPCE] section 3.3.3.4.3) as input for the security context. If an error is returned by the algorithm specified in section 3.1.4.1, the server MUST return a nonzero value.

The server then performs the following actions to convert the object to an encrypted state in its data store:

  • If the data object referred to by FileName exists on the server and is a container for other objects, the server MUST set an attribute on the container that instructs the data store to encrypt any new objects created in that container. The server MAY encrypt unencrypted objects that were already in the container before this message was received.

  • Otherwise, the server SHOULD:

    • Randomly generate a File Encryption Key (FEK) for the object and use it to encrypt the object.

    • Create EFSRPC Metadata for the object, formatted as specified in section 2.2.2. The Data Decryption Field SHOULD contain a single entry corresponding to the user certificate mentioned above.

  • Return 0 to indicate success.

Upon completion of this request, the converted object MUST be accessible to the calling user for read and write methods of the storage encryption system.
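The processing rules in this section, as an added example that is not part of the specification or of any EFS implementation: a Python model of the server's decision logic for EfsRpcEncryptFileSrv. The data store, the section 3.1.4.1 certificate lookup (`locate_user_certificate`), the section 2.2.2 metadata (a bare list of certificate thumbprints as the Data Decryption Field), the 32-byte FEK size and the specific nonzero error values are all stand-ins assumed for the example; the identifiers in `build_sample_store` are constructed. The `encrypt_existing` flag exercises the MAY clause for objects already inside a container, and `caller_can_access` checks the accessibility requirement stated after the procedure.

```python
"""Runnable model of the server-side processing rules for EfsRpcEncryptFileSrv.

Added example, not code from MS-EFSR or from any EFS implementation. The data
store, the section 3.1.4.1 certificate lookup and the section 2.2.2 metadata
are simplified stand-ins; the nonzero error values and FEK size are assumptions.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2      # assumed nonzero value: no object with that name
ERROR_ACCESS_DENIED = 5       # assumed nonzero value: caller cannot decrypt the existing FEK
ERROR_NO_USER_KEYS = 6016     # assumed nonzero value: section 3.1.4.1 lookup failed


@dataclass
class StoreObject:
    """One object in the server's data store, keyed by its EFSRPC identifier."""
    is_container: bool
    encrypted: bool = False          # file: has EFSRPC metadata; container: encrypt-new-children attribute
    fek: Optional[bytes] = None      # File Encryption Key (files only)
    ddf: List[str] = field(default_factory=list)  # Data Decryption Field: certificate thumbprints


@dataclass
class CallerIdentity:
    """Client identity taken from the RPC call's security context ([MS-RPCE] 3.3.3.4.3)."""
    name: str
    certificate: Optional[str]                           # thumbprint section 3.1.4.1 would select, or None
    private_keys: Set[str] = field(default_factory=set)  # thumbprints whose private key the caller holds


def locate_user_certificate(caller: CallerIdentity) -> Optional[str]:
    """Stand-in for the section 3.1.4.1 algorithm: None signals an error."""
    return caller.certificate


def efs_rpc_encrypt_file_srv(store: Dict[str, StoreObject], filename: str,
                             caller: CallerIdentity, encrypt_existing: bool = False) -> int:
    """Return 0 on success, nonzero on failure, mutating the store as the section describes.

    encrypt_existing models the MAY clause: also converting unencrypted objects that
    were already inside a container when the container itself is converted.
    """
    obj = store.get(filename)
    if obj is None:
        return ERROR_FILE_NOT_FOUND

    if obj.encrypted:
        if obj.is_container:
            return ERROR_SUCCESS
        # Already-encrypted file: succeed only if the caller can open one DDF entry.
        if any(thumb in caller.private_keys for thumb in obj.ddf):
            return ERROR_SUCCESS
        return ERROR_ACCESS_DENIED

    cert = locate_user_certificate(caller)
    if cert is None:
        return ERROR_NO_USER_KEYS

    if obj.is_container:
        obj.encrypted = True   # attribute: new objects created in the container get encrypted
        if encrypt_existing:
            prefix = filename.rstrip("\\") + "\\"
            for child_name, child in store.items():
                if child_name.startswith(prefix) and not child.encrypted:
                    rc = efs_rpc_encrypt_file_srv(store, child_name, caller, encrypt_existing)
                    if rc != ERROR_SUCCESS:
                        return rc
        return ERROR_SUCCESS

    # Plain file: fresh random FEK, then metadata with a single DDF entry for the caller.
    obj.fek = os.urandom(32)   # 32-byte FEK is an assumption; the section only requires randomness
    obj.ddf = [cert]
    obj.encrypted = True
    return ERROR_SUCCESS


def caller_can_access(obj: StoreObject, caller: CallerIdentity) -> bool:
    """Post-condition: the converted object must be readable and writable by the caller."""
    if not obj.encrypted or obj.is_container:
        return True
    return any(thumb in caller.private_keys for thumb in obj.ddf)


def build_sample_store() -> Dict[str, StoreObject]:
    """Constructed sample data store; identifiers are UNC-style paths (section 2.2.1)."""
    return {
        r"\\srv\share\docs": StoreObject(is_container=True),
        r"\\srv\share\docs\notes.txt": StoreObject(is_container=False),
        r"\\srv\share\secret.txt": StoreObject(is_container=False, encrypted=True,
                                              fek=os.urandom(32), ddf=["CERT-BOB"]),
        r"\\srv\share\vault": StoreObject(is_container=True, encrypted=True),
    }


# Constructed callers: alice and bob each hold their own key; svc has no certificate.
ALICE = CallerIdentity("alice", certificate="CERT-ALICE", private_keys={"CERT-ALICE"})
BOB = CallerIdentity("bob", certificate="CERT-BOB", private_keys={"CERT-BOB"})
NOKEYS = CallerIdentity("svc", certificate=None)

if __name__ == "__main__":
    store = build_sample_store()
    print(efs_rpc_encrypt_file_srv(store, r"\\srv\share\docs\notes.txt", ALICE))
    print(efs_rpc_encrypt_file_srv(store, r"\\srv\share\secret.txt", ALICE))
```

The model makes the ordering of the checks explicit: the existence test and the already-encrypted branch run before any certificate lookup, so a caller with no usable certificate still gets 0 for an already-encrypted container, while an already-encrypted file is only reported as success when the caller holds a private key matching one of its DDF entries.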