2.2.2.2.5 Protector List Entry
Each individual Protector List Entry MUST be formatted as follows.
| Offset | Size | Field |
|---|---|---|
| 0 | 8 bytes | EFSX_Datum |
| 8 | 2 bytes | ProtectorType |
| 10 | 2 bytes | ProtectorFlags |
| 12 | variable | Data_Fields |
EFSX_Datum (8 bytes): MUST be formatted as specified in section 2.2.2.2.2. The datum Type MUST be EFSX_TYPE_KEY_PROTECTOR (0x0003) and SHOULD have a Role of EFSX_ROLE_IGNORE (0x0000). The datum Flags SHOULD include 0x0002 indicating a complex datum.
ProtectorType (2 bytes): The type of the protector. It MUST be a 16-bit unsigned integer in little-endian format. Possible values are specified below.

| Value | Meaning |
|---|---|
| 0x0001 | The protector was derived from a public/private key pair using a key agreement. The Data_Fields SHOULD include an EFSX_Datum of Type EFSX_TYPE_KEY_AGMT_DATA (0x0005) and Role 0x0002. |
| 0x0002 | The protector was derived from a public/private key pair capable of performing asymmetric encryption. The Data_Fields SHOULD include an EFSX_Datum of Type EFSX_TYPE_BLOB (0x0001) and Role 0x0002. |
| 0x0003 | The protector was derived using a DPAPI-NG encryption provider on the endpoint. The Data_Fields SHOULD include an EFSX_Datum of Type EFSX_TYPE_DPAPI_NG_DATA (0x0007) and Role 0x0002. |
ProtectorFlags (2 bytes): The flags for the protector. It MUST be a 16-bit unsigned integer in little-endian format. The value MUST be 0x0000 or a bitwise OR of one or more of the following values; no other bits are defined.

| Value | Meaning |
|---|---|
| 0x0001 | The protector is a legacy protector and stores the Encrypted FEK as specified in section 2.2.2.1.5. |
| 0x0002 | Only meaningful when the protector is a legacy protector (flag 0x0001 is also set). The Encrypted FEK is encrypted with AES-256 using a key obtained by signing the non-terminated Unicode (UTF-16LE) string "MICROSOFTE" (10 characters, 20 bytes) with the user's RSA private key and taking the SHA-256 hash of the resulting signature. |
| 0x0004 | If this bit is set, bit 0x0001 MUST also be set to indicate a legacy protector. This bit indicates that the legacy protector stores the File Master Key (FMK), rather than the File Encryption Key (FEK), encrypted in the Encrypted FEK structure. |
Data_Fields (variable): This field contains any number of nested EFSX_Datum structures. The nested datum structures MUST NOT overlap and MUST be entirely contained within the protector list entry. This field SHOULD contain a datum with a Role of 0x0002 (protector data) and a datum with a Type of EFSX_TYPE_PROTECTOR_INFO (0x0004).
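The layout above, together with the MUST/SHOULD rules on ProtectorType, ProtectorFlags and Data_Fields, is enough to write a defensive parser for one Protector List Entry. The following is an added example written for this page, not code from the specification or from any Microsoft implementation. Section 2.2.2.2.2 (the EFSX_Datum header) is not reproduced here, so the example assumes a little-endian Length (4 bytes) / Type (2) / Role (1) / Flags (1) header whose Length covers header plus payload; that assumption is isolated in `DATUM_HDR` and should be adjusted to match your copy of 2.2.2.2.2. The names `parse_protector_list_entry`, `build_datum`, `build_entry` and `sample_entry`, and the sample bytes they construct, are likewise this example's own. The parser enforces the containment and no-overlap requirements on nested datums, rejects undefined flag bits and the 0x0004-without-0x0001 combination, and reports SHOULD-level deviations as warnings rather than errors.

```python
"""Parser/validator for an EFSX Protector List Entry (section 2.2.2.2.5).

Added example, not code from the specification. The EFSX_Datum header
(section 2.2.2.2.2) is not on this page: this example ASSUMES a
little-endian Length(4) / Type(2) / Role(1) / Flags(1) layout, with Length
covering the header plus payload. Change DATUM_HDR if your copy differs.
"""
import struct

DATUM_HDR = struct.Struct("<IHBB")   # assumed layout: Length, Type, Role, Flags

EFSX_TYPE_BLOB           = 0x0001
EFSX_TYPE_KEY_PROTECTOR  = 0x0003
EFSX_TYPE_PROTECTOR_INFO = 0x0004
EFSX_TYPE_KEY_AGMT_DATA  = 0x0005
EFSX_TYPE_DPAPI_NG_DATA  = 0x0007
EFSX_ROLE_IGNORE         = 0x0000
EFSX_ROLE_PROTECTOR_DATA = 0x0002
DATUM_FLAG_COMPLEX       = 0x0002

PROTECTOR_FLAG_LEGACY     = 0x0001
PROTECTOR_FLAG_MICROSOFTE = 0x0002
PROTECTOR_FLAG_FMK        = 0x0004
KNOWN_FLAGS = PROTECTOR_FLAG_LEGACY | PROTECTOR_FLAG_MICROSOFTE | PROTECTOR_FLAG_FMK

# Nested datum Type that each ProtectorType SHOULD carry with Role 0x0002 (value table above).
EXPECTED_DATA_TYPE = {
    0x0001: EFSX_TYPE_KEY_AGMT_DATA,
    0x0002: EFSX_TYPE_BLOB,
    0x0003: EFSX_TYPE_DPAPI_NG_DATA,
}


def parse_datum_header(buf, off, end):
    """Read one EFSX_Datum header at buf[off], enforcing that the datum lies inside [off, end)."""
    if off + DATUM_HDR.size > end:
        raise ValueError("datum header at %d runs past end %d" % (off, end))
    length, dtype, role, flags = DATUM_HDR.unpack_from(buf, off)
    if length < DATUM_HDR.size or off + length > end:
        raise ValueError("datum at %d has Length %d outside [%d, %d)" % (off, length, off, end))
    return {"offset": off, "length": length, "type": dtype, "role": role, "flags": flags}


def parse_protector_list_entry(buf, off=0):
    """Parse and validate one Protector List Entry starting at buf[off]."""
    outer = parse_datum_header(buf, off, len(buf))
    entry_end = off + outer["length"]
    if outer["type"] != EFSX_TYPE_KEY_PROTECTOR:
        raise ValueError("outer datum Type MUST be EFSX_TYPE_KEY_PROTECTOR (0x0003)")
    warnings = []
    if outer["role"] != EFSX_ROLE_IGNORE:
        warnings.append("outer datum Role SHOULD be EFSX_ROLE_IGNORE")
    if not outer["flags"] & DATUM_FLAG_COMPLEX:
        warnings.append("outer datum Flags SHOULD include 0x0002 (complex datum)")

    body = off + DATUM_HDR.size
    if body + 4 > entry_end:
        raise ValueError("entry too short for ProtectorType and ProtectorFlags")
    ptype, pflags = struct.unpack_from("<HH", buf, body)
    if pflags & ~KNOWN_FLAGS:
        raise ValueError("ProtectorFlags has undefined bits: 0x%04x" % pflags)
    if pflags & PROTECTOR_FLAG_FMK and not pflags & PROTECTOR_FLAG_LEGACY:
        raise ValueError("flag 0x0004 requires legacy flag 0x0001")
    if pflags & PROTECTOR_FLAG_MICROSOFTE and not pflags & PROTECTOR_FLAG_LEGACY:
        warnings.append("flag 0x0002 is only meaningful with legacy flag 0x0001")

    # Walk Data_Fields: each nested datum must be contained in the entry, and the next
    # one starts exactly where the previous ends, so nested datums cannot overlap.
    nested, cur = [], body + 4
    while cur < entry_end:
        d = parse_datum_header(buf, cur, entry_end)
        nested.append(d)
        cur += d["length"]

    if not any(d["role"] == EFSX_ROLE_PROTECTOR_DATA for d in nested):
        warnings.append("Data_Fields SHOULD contain a datum with Role 0x0002")
    if not any(d["type"] == EFSX_TYPE_PROTECTOR_INFO for d in nested):
        warnings.append("Data_Fields SHOULD contain an EFSX_TYPE_PROTECTOR_INFO datum")
    expected = EXPECTED_DATA_TYPE.get(ptype)
    if expected is None:
        warnings.append("unknown ProtectorType 0x%04x" % ptype)
    elif not any(d["type"] == expected and d["role"] == EFSX_ROLE_PROTECTOR_DATA for d in nested):
        warnings.append("no Type 0x%04x / Role 0x0002 datum for ProtectorType 0x%04x" % (expected, ptype))

    return {"protector_type": ptype, "protector_flags": pflags,
            "nested": nested, "warnings": warnings, "end": entry_end}


def build_datum(dtype, role, flags, payload=b""):
    """Construct one datum using the same assumed header layout (for samples and tests)."""
    return DATUM_HDR.pack(DATUM_HDR.size + len(payload), dtype, role, flags) + payload


def build_entry(ptype, pflags, *nested_datums):
    """Construct a complete Protector List Entry wrapping the given nested datums."""
    body = struct.pack("<HH", ptype, pflags) + b"".join(nested_datums)
    return build_datum(EFSX_TYPE_KEY_PROTECTOR, EFSX_ROLE_IGNORE, DATUM_FLAG_COMPLEX, body)


def sample_entry():
    """Constructed sample: a DPAPI-NG (0x0003) protector with its two expected nested datums."""
    return build_entry(
        0x0003, 0x0000,
        build_datum(EFSX_TYPE_DPAPI_NG_DATA, EFSX_ROLE_PROTECTOR_DATA, 0, b"\xaa" * 6),
        build_datum(EFSX_TYPE_PROTECTOR_INFO, EFSX_ROLE_IGNORE, 0, b"\xbb" * 4),
    )


if __name__ == "__main__":
    print(parse_protector_list_entry(sample_entry()))
```

The important design point is that every nested datum is bounds-checked against the enclosing entry's end, not against the end of the buffer: a Length that is valid for the file but reaches past the protector list entry violates the containment rule and is rejected before its payload is ever touched.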