CIS 170F: Windows 7 Administration

Week 5

Managing File Systems
Encrypted File System (EFS)
How File Encryption Works

As a kid, you probably played around with simple codes and ciphers in which you exchanged the letters of a message: D for A, E for B, and so on. You might look at this as the process of "adding three" to each letter in your message: each letter gets bumped to the third-next letter in the alphabet. To decode a message, you subtract three from every letter to get the original message back. In this code, you could say that the "key" is the number 3. Anyone who knew the technique and possessed the key could read and write these secret messages.

Although this example is very simplistic, it illustrates the basic idea of numeric encryption. The cryptographic system used by Windows for EFS also uses a numeric technique, but it's extremely complex and uses a key that is 128 digits long. Such a large number means many possible choices, and that means it would take someone a very long time to guess a key and read an encrypted file.

When you mark a file for encryption, Windows randomly generates such a large number, called a unique file encryption key (FEK), which is used to scramble the contents of just that one file. This unique key is itself scrambled with your own personal file encryption key, an even longer number stored in the Windows Certificate database. The encrypted unique key is then stored along with the file.

When you're logged in and try to open an encrypted file, Windows retrieves your personal key, decodes the unique key, and uses that key to decode the contents of the file as it's read off the hard disk.

The reason for the two-step process is to let Windows use a different and unique key for each file. Using different keys provides added security. Even if an attacker managed to guess the key to one file, he or she would have to start fresh to find the key to other files. Yet your personal key can unscramble the unique key to any file you've encrypted.

As a backup in case your personal key gets lost, Windows lets each computer or domain administrator designate recovery agents, users who are allowed to decode other people's encrypted files. Windows also encrypts the file's unique FEK once for each recovery agent. Each of these encrypted copies is stored along with the file, so anyone who possesses a recovery key can also read your encrypted files.
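The two-step scheme described above (a unique per-file key, wrapped once for the owner and once for each recovery agent, all stored beside the file) is shown below as an added example written for these notes; it is not Windows code. Real EFS uses AES for the file contents and the user's RSA certificate to protect the FEK; here a keyed-hash keystream stands in for both so the example runs with only the Python standard library. The names (`alice`, `recovery`, `mallory`) and the 16-byte key length are constructed for the demonstration.

```python
"""Toy model of EFS-style per-file keys with key wrapping.

Added example, not Windows code. A keyed SHA-256 keystream replaces the
real ciphers so the script runs offline with the standard library only;
it illustrates the key layout, not a cipher you should reuse.
"""
import hashlib
import hmac
import secrets
from typing import Dict

FEK_LEN = 16  # bytes in a per-file key (constructed value for this toy)


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from `key` with HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext: bytes, principals: Dict[str, bytes]) -> dict:
    """Encrypt one file for the owner and any recovery agents in `principals`.

    A fresh FEK scrambles just this file; a wrapped copy of the FEK is stored
    for every principal, so each of them can read the file with their own key.
    """
    fek = secrets.token_bytes(FEK_LEN)      # unique to this one file
    nonce = secrets.token_bytes(16)          # keeps every wrapping keystream distinct
    ciphertext = _xor(plaintext, _keystream(fek, b"file:" + nonce, len(plaintext)))
    # Integrity tag: a wrong personal key yields a wrong FEK and is rejected,
    # instead of silently producing garbage plaintext.
    tag = hmac.new(fek, nonce + ciphertext, hashlib.sha256).digest()
    wrapped = {
        name: _xor(fek, _keystream(personal_key, b"wrap:" + nonce, FEK_LEN))
        for name, personal_key in principals.items()
    }
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag, "wrapped_feks": wrapped}


def unwrap_fek(blob: dict, name: str, personal_key: bytes) -> bytes:
    """Step one of a read: recover this file's FEK with one principal's personal key."""
    if name not in blob["wrapped_feks"]:
        raise PermissionError(f"no wrapped FEK stored for {name!r}")
    return _xor(blob["wrapped_feks"][name],
                _keystream(personal_key, b"wrap:" + blob["nonce"], FEK_LEN))


def decrypt_file(blob: dict, name: str, personal_key: bytes) -> bytes:
    """Step two: check the unwrapped FEK against the tag, then decode the contents."""
    fek = unwrap_fek(blob, name, personal_key)
    expected = hmac.new(fek, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise PermissionError("personal key does not unlock this file")
    return _xor(blob["ciphertext"], _keystream(fek, b"file:" + blob["nonce"], len(blob["ciphertext"])))


def can_read(blob: dict, name: str, personal_key: bytes) -> bool:
    """True if `name` holding `personal_key` can open the file, False otherwise."""
    try:
        decrypt_file(blob, name, personal_key)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed keys: in Windows these live in the user's certificate store.
    alice_key = b"alice-personal-key-(constructed)"
    agent_key = b"recovery-agent-key-(constructed)"
    blob = encrypt_file(b"quarterly payroll figures", {"alice": alice_key, "recovery": agent_key})
    print("owner reads:        ", decrypt_file(blob, "alice", alice_key))
    print("recovery agent reads:", decrypt_file(blob, "recovery", agent_key))
    print("other user reads:   ", can_read(blob, "mallory", b"mallory-key"))
```

Encrypting the same contents twice produces two different FEKs and two different ciphertexts, which is the point made above about an attacker having to "start fresh" for every file; `unwrap_fek` lets you see that directly, while `can_read` shows that a principal without a wrapped FEK entry, or with the wrong personal key, is refused.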