In the course of normal operations, encryption and decryption are performed in kernel-mode under FESF's control. However, FESF itself does not include any encryption components or algorithms. Rather, FESF calls Microsoft's Cryptography API: Next Generation (CNG) package to accomplish the actual encryption and decryption operations. CNG includes support for several standard algorithms (including DES, DESX, 3DES, RC2, RC4, and AES) and multiple modes for each algorithm. In addition, custom CNG Cryptographic Algorithm Providers can be written by Clients to support any desired algorithm.
FESF is careful to handle key material securely in kernel mode. For example, kernel components never store key material in pageable memory and scrub the contents of memory used for key material storage prior to deallocation.
On systems where FESF is not installed, some encryption and decryption may be performed in user-mode with the assistance of FESF supplied Stand Alone library functions.