A careful reader might notice that we have so far only described how newly created files are transparently encrypted by FESF and how existing files that are already encrypted are handled by FESF. We have not, however, discussed how existing files that are not encrypted become encrypted. In other words, continuing one of our previous examples where we had the Policy:
"We want any files that are created in the directory \MySecretStuff\ on the volume that's the C drive on this workstation to be encrypted."
Any files that are newly created in the directory \MySecretStuff\ would be automatically encrypted by FESF after this policy was established (based on the response received when the Solution's Policy DLL is called). But suppose some files already existed in the \MySecretStuff\ directory when this Policy was established. How would these files become encrypted?
The answer is: it is up to the Client Solution to request that those files be encrypted, if and when desired. This is because only the Client Solution understands when Policy can be defined or changed, what security risk is associated with having existing unencrypted files in various locations, how many files might need to be encrypted as a result of a new Policy being created, and when it might be appropriate to encrypt the affected files. Some Client Solutions might require Policy to be defined network-wide, and then perform encryption of existing files on individual workstations at "pre-boot" startup time (before users are allowed to log in to the system). Others might choose to never encrypt existing files. FESF provides complete flexibility in this regard.