Raw vs Encrypted/Decrypted Access to Existing Encrypted Files

Each time an existing FESF encrypted file is accessed, FESF calls the Client Solution's Policy DLL at its PolGetPolicyExistingFile callback function to determine whether that particular open instance should be granted raw or encrypted/decrypted access.

For open instances that receive encrypted/decrypted access, FESF transparently decrypts file data when it is read and transparently encrypts it when it is written.  This is the typical mode for "permitted" applications.  Data is encrypted while stored (at rest) on disk, but applications transparently see ordinary (plaintext) data.  To enable these transparent encryption/decryption operations, FESF calls the Solution's Policy DLL at its PolGetKeyFromHeader callback function.  FESF passes the Policy DLL the Header Data that the Policy DLL's PolGetKeyNewFile callback returned when the file was created.  Given this Header Data and the path of the file, the Policy DLL returns the Algorithm ID and the file's data encryption/decryption Key.

Open instances that receive raw access see data without any additional processing by FESF.  Raw access is typically given to programs such as backup utilities.  Because such a program reads the data exactly as it is stored, the backed-up data is restored in encrypted form.
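
The following added example is not FESF code and does not use the FESF API. It is a toy C model of the flow described above: header data recorded at creation, a per-open policy decision, and the resulting raw versus decrypted view. All function names, signatures, program names and keys are hypothetical, and single-byte XOR stands in for a real cipher.

```c
/* Toy model, NOT the FESF API: names and signatures are hypothetical,
   and single-byte XOR stands in for a real cipher. */
#include <stdio.h>
#include <string.h>

typedef enum { ACCESS_RAW, ACCESS_DECRYPTED } access_t;
typedef struct { unsigned key_id; } header_t;      /* header names a key, holds no key */
typedef struct { header_t hdr; unsigned char data[32]; size_t len; } enc_file_t;

static const unsigned char KEYSTORE[2] = { 0x5A, 0xC3 };  /* constructed keys */

/* Header Data -> data key; unknown key id fails closed. */
static int key_from_header(const header_t *h, unsigned char *key) {
    if (h->key_id >= sizeof KEYSTORE) return -1;
    *key = KEYSTORE[h->key_id];
    return 0;
}

/* Per-open policy (assumption): only the permitted app gets decrypted access;
   everything else, including the backup tool, sees raw bytes. */
access_t policy_existing_file(const char *program) {
    return strcmp(program, "editor.exe") == 0 ? ACCESS_DECRYPTED : ACCESS_RAW;
}

/* File creation: record the header, store ciphertext at rest. */
int create_file(enc_file_t *f, unsigned key_id, const char *plain) {
    unsigned char k;
    f->hdr.key_id = key_id;
    f->len = strlen(plain);
    if (f->len > sizeof f->data || key_from_header(&f->hdr, &k) != 0) return -1;
    for (size_t i = 0; i < f->len; i++) f->data[i] = (unsigned char)plain[i] ^ k;
    return 0;
}

/* Read through one open instance; returns bytes read or -1. */
int read_file(const enc_file_t *f, const char *program, unsigned char *out) {
    unsigned char k = 0;
    access_t a = policy_existing_file(program);
    if (a == ACCESS_DECRYPTED && key_from_header(&f->hdr, &k) != 0) return -1;
    for (size_t i = 0; i < f->len; i++)
        out[i] = (a == ACCESS_RAW) ? f->data[i] : (unsigned char)(f->data[i] ^ k);
    return (int)f->len;
}

int main(void) {
    enc_file_t f; unsigned char out[32];
    if (create_file(&f, 1, "secret") != 0) return 1;
    read_file(&f, "editor.exe", out); printf("editor: %.6s\n", (char *)out);
    read_file(&f, "backup.exe", out); printf("backup: %02x%02x...\n", out[0], out[1]);
    return 0;
}
```

In this model the raw reader receives the stored bytes unchanged, so a copy made through it can be written back and later decrypted only by an open instance that is granted decrypted access and whose header still resolves to a key.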