
Antipova Anna

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article is about Kaspersky Endpoint Security for Windows (KES for Windows)

The complete encryption procedure is as follows:
1. During authentication, a private key is generated based on the username and password.
2. The private key is used to decrypt the user’s storage and extract the primary key.
3. The primary key is checked against the identifier specified in the file header. If it matches, the file encryption key is extracted from the header.
4. The file contents are decrypted using the key obtained in the previous step.

The operating system generates the private key for file decryption based on the authentication credentials. Until you log in to the system, only the encrypted versions of files can be accessed, so their contents are unreadable.

KES uses several types of keys to handle encrypted files:
— Administration Server's public key is stored in the Network Agent distribution package and is delivered to the client computer when protection is deployed.
— User’s private key is generated by the operating system based on the username and password. Private keys are not saved to the hard drive. The key stays the same if the account credentials remain the same. However, a new key is generated if the user or password changes.
— Primary key is created on the client computer when FLE is enabled. This key is used to encrypt all files. A copy of the primary key is saved in the computer's key storage, which in turn is encrypted using the KSC's public key. It is also saved in all active users' key storages, which are encrypted using their private keys. Thus, after authentication, any user can decrypt his or her storage and access the primary key.
— File encryption keys: a separate key is generated to encrypt each file.

When a file is encrypted, its name and other external attributes are not changed.
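The four steps and the key hierarchy above can be modelled in a few lines. This is an added illustration, not Kaspersky's code: the page does not name the algorithms, so PBKDF2 stands in for the credential-based key, a toy HMAC-based cipher stands in for the real one, the user's storage is modelled as symmetric, and all function names are hypothetical.

```python
import hashlib, hmac, os

def derive_user_key(username, password):
    # Step 1 stand-in (assumption): key derived from credentials, never written to disk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy cipher (HMAC-SHA256 in counter mode); an assumption, not the product's cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, data):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, data)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def key_id(primary_key):
    # Identifier stored in the file header; the hash construction is an assumption.
    return hashlib.sha256(b"key-id" + primary_key).digest()[:8]

def encrypt_file(primary_key, plaintext):
    file_key = os.urandom(32)  # a separate key is generated for each file
    header = {"key_id": key_id(primary_key),
              "wrapped_file_key": seal(primary_key, file_key)}
    return header, seal(file_key, plaintext)

def decrypt_file(username, password, user_storage, header, body):
    user_key = derive_user_key(username, password)              # step 1
    primary_key = unseal(user_key, user_storage)                # step 2
    if not hmac.compare_digest(key_id(primary_key), header["key_id"]):
        raise ValueError("primary key does not match header")   # step 3
    file_key = unseal(primary_key, header["wrapped_file_key"])
    return unseal(file_key, body)                               # step 4

if __name__ == "__main__":  # constructed sample credentials and data
    primary = os.urandom(32)
    storage = seal(derive_user_key("alice", "constructed-pass"), primary)
    header, body = encrypt_file(primary, b"quarterly report")
    print(decrypt_file("alice", "constructed-pass", storage, header, body))
```

Because only the small user storage is sealed with the credential-derived key, a password change requires re-sealing that storage, not re-encrypting every file.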
