August 20th 10, 07:03 PM, posted to microsoft.public.windowsxp.security_admin
ant
How to decrypt files without the EFS Certificate

On 20 Aug, 20:13, ant wrote:
> On 20 Aug, 18:12, "FromTheRafters" erratic @nomail.afraid..org wrote:
>
>> I believe that the point there was that the field itself contained only a
>> hash, not actually a key. If I'm understanding it correctly, it is a hash
>> that identifies a certificate that contains a key needed to decrypt the key
>> needed to decrypt the data.
>
> Not exactly. The certificate does not contain the private key itself
> (which is actually used to decrypt the FEK), but it has a reference to
> it.


One more important note on this. The FEK is encrypted by the public key which
is stored in the certificate, but decrypted by the corresponding private key.
That's how Windows allows several users (if they are in the authorized
list for the file) to read an encrypted file without needing the
password of the file owner. The file stores the list of encrypted FEKs
in its DDF (along with the corresponding certificates' fingerprints) for
each authorized user in the list. So any user from the list can
decrypt the FEK with their own private key.

Regards,
Andriy
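
The per-user FEK wrapping described in the post above, as an added Python model that is not part of the original post and is not EFS code. Assumptions: textbook RSA on fixed small primes and a hash-based XOR keystream stand in for the real ciphers, the "certificate" is a constructed byte string, and all function and field names are hypothetical.

```python
import hashlib, secrets

E = 65537  # RSA public exponent

def make_user(name, p, q):
    # Toy key pair from fixed primes. The thumbprint is a hash over public
    # data only; d is the private exponent held by the user.
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    cert = f"CN={name};n={n};e={E}".encode()  # constructed stand-in for X.509
    return {"thumb": hashlib.sha1(cert).hexdigest(), "n": n, "d": d}

def xor_stream(fek, data):
    # Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap_fek(fek, user):
    # One DDF entry: certificate thumbprint + FEK encrypted to its public key.
    return {"thumb": user["thumb"],
            "wrapped": pow(int.from_bytes(fek, "big"), E, user["n"])}

def unwrap_fek(efs_file, user):
    # Find this user's entry by thumbprint, then apply the private key.
    for entry in efs_file["ddf"]:
        if entry["thumb"] == user["thumb"]:
            return pow(entry["wrapped"], user["d"], user["n"]).to_bytes(16, "big")
    raise PermissionError("no DDF entry for this certificate")

def encrypt_file(plaintext, users):
    fek = secrets.token_bytes(16)  # one random FEK per file
    return {"ddf": [wrap_fek(fek, u) for u in users],
            "data": xor_stream(fek, plaintext)}

def decrypt_file(efs_file, user):
    return xor_stream(unwrap_fek(efs_file, user), efs_file["data"])

def add_user(efs_file, existing_user, new_user):
    # Sharing re-wraps the FEK only; the file data is left untouched.
    efs_file["ddf"].append(wrap_fek(unwrap_fek(efs_file, existing_user), new_user))

# Constructed users (Mersenne primes, far too small for real use).
alice = make_user("alice", 2**127 - 1, 2**89 - 1)
bob = make_user("bob", 2**107 - 1, 2**61 - 1)
carol = make_user("carol", 2**127 - 1, 2**61 - 1)
```

A user whose thumbprint is absent from the DDF gets `PermissionError`; after `add_user` the same ciphertext decrypts for them, which is why losing every listed private key leaves the FEK unrecoverable.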