The Encrypted Data Plug-in’s missions include providing an encrypted container called the “safe zone”, giving the safe zone a drive letter and defining a Windows Library to point into it and finally to steer corporate data into the container.  This blog discusses the steering. 

First some definitions

  • Corporate app:  Application that is permitted to see into the safe zone
  • Personal app: Application that is restricted from seeing into the safe zone
  • Special app: Application that gets a filtered view of the safe zone

In this definition, corporate applications are those delivered with Citrix Application Streaming, Microsoft App-V and also XenApp and XenDesktop remoted sessions (client drive mapping).

In configuring the Encrypted Data Plug-in, the administrator can define which of these categories should be considered “corporate” applications and the admin can also turn off this filtering to permit all applications access to the corporate container.

For filtering, consider the diagram below.

The application boxes above are user mode application space, everything else in the diagram is “in-kernel”.  When an application issues a file operation (e.g. file open), the Windows I/O manager receives the request and prepares an IRP to send down the device driver chain.  Not to get too deep, but an IRP is a block of data that is passed around in kernel to keep track of that specific I/O operation.  Various drivers work on it until it is eventually declared complete and the application’s I/O request can be completed.

The Encrypted Data Plug-in file system filter driver (XenVault.sys) inserts itself between the NT I/O Manager and the File System (think NTFS).  This means that the FSFD can “view” and “modify” anything that goes by, which is a powerful place to be.   The only file operation we care about is “open”.   This is a simplification, but stick with me on the principle. 

Traffic cop

Consider file open of an existing file:

Is this application permitted to see into the encrypted space?  If yes, send the operation down into the file system and let the encryption driver do it’s job.  If the application is not permitted to see into the encrypted space, then short circuit the I/O request, immediately returning “access denied”.  SIMPLE!

Consider file open of a new file (aka “create”).

If not a corporate app and outside the safe zone, send it on, no modifications.  If app is an outsider and is trying to create inside the safe zone, access denied.  

A bit more complex, if the application is a corporate application, then we also restrict it’s file creation to only things inside the safe zone.  This prevents the corporate application from storing data (documents) outside of the encrypted space.

A neat side effect of that in the tech preview is this error message from MS Word:

  • Unable to save to “My Documents”, would you like to save to “My Documents” instead?  

Awesome!  Yes, we’re working it.

This traffic cop combined with encrypted volume are the foundations of the Encrypted Data Plug-in.  Getting to product is a bit more involved.

The Windows Shell is not a corporate application

Admins are easy to please: Encrypt the data and restrict access to corporate apps.  Nagging users; they want to not only be able to access the data from the corporate application, they want to be able to SEE what files exist and by see, I mean that after storing a file into the “Safe Zone” corporate library, the user will like to SEE the files in that library by browsing to them with the Windows shell.  Programmer wise, the shell is just an application that happens to be named explorer.exe.

Enter “special apps”.  The decision matrix gets expanded.  If the application is a special approved list of applications, additional processing is required.

Consider the shell: Directory enumeration is approved and CreateProcess is approved, but copying the data is prevented.  Here, the user can SEE that their file exists and they can double-click on it to launch, but they will have significant difficulty moving the data out of the safe zone into an unprotected space.

There are other applications that should be able to see into the safe zone and the ECDPI permits administrator definition of approved applications.  These would include things like backup tools or similar items that may need to see into the encrypted space.


Users are generally good people, we like them and we are trying to help the user and help the admin, but importantly we do not want to hinder the user’s work.  Users though tend to store things in wrong places and in this way, they need a little help being forced to store data into the safe zone.  By using the traffic cop of xenvault.sys, we can FORCE the user into storing corporate data into the encrypted safe zone.  Where needed, we can also relax this to make the safe zone system easy to use such as letting the Shell see into the safe zone with restrictions, but generally speaking, help the users do the right thing of keeping corporate data safe.

When implementing bring your own computer, this centralization of the data makes it much easier to manage the corporate data that happens to exist on the end user personal computer.   Easier to back up and … easier to centrally delete and very importantly, easier to keep the user data and corporate data separate.

The Encrypted data plug-in Technology Preview is available for download, MyCitrix logon is required.  We look forward to your feedback and comments and can provide information and support through our forum located here:

Joe Nord

Product Architect – Citrix Systems XenApp Product Group

App Streaming, Profile Manager, Encrypted Data Plug-in