File encryption is increasingly a method of choice in securing data. Operating systems may even offer automated file encryption in the form of an Encrypted File System (EFS). Regardless of the setting in which file encryption is used, it is likely that over time files may be encrypted according to more than one key. A plurality of first files may be encrypted according to a first key, while a plurality of second files are encrypted to a second key, any number of previous files are encrypted using previous keys.
To use the case of an EFS as an example, an operating system may encrypt files according to keys available from smartcards, for example. If a user has encrypted many files on many servers using a smartcard, when the user changes the current key, the old files will still be encrypted to the old smart card and the user must manually re-key all of them. While automated processes may be implemented to re-key at the time of the card switch, such processes may take time and resources to complete, and moreover, if the user is not very knowledgeable, she may have missed the re-key prompt. Now whenever the user opens a file encrypted with the old smart card, she must unplug her current smart card and plug in the old one. If she lost the old card, she must recover her data using an EFS recovery agent or totally lose access to the files. The problem is compounded for users who have gone through a number of smartcards for use with a particular EFS.
Thus, in the context of an EFS or otherwise, it is desirable to provide long term access to files that were encrypted using multiple encryption keys without changing the previously used encryption keys, but providing access through one current cryptographic key. A mechanism to re-key all encrypted files over time without requiring user intervention is also advantageous to improve the usability and prevent data loss through loss and destruction of the previous encryption keys.