Information is protected using symmetrical session keys. They are encrypted using so called system keys and stored in a key database (any industry-standard RDBMS can be used as the key database, you can for more information at Deploymant Options). The number of the system keys is selectable during an installation. During run-time, they are used in a random fashion to encrypt the session keys. The system keys are also stored in the same key database and encrypted using one of so called master keys. Other master keys are used for tasks like signing rows in the key database, protecting passwords, establishing SSL channel, etc. The master keys reside in the master key container (an XML file). The master key container is protected with a system protector. The system protector can come in various flavors:

1. Windows protector - the master key container is protected by using Microsoft's CSP:
   1. an additional 3DES key is generated
   2. the additional 3DES key encrypts the master key container
   3. an additional RSA key pair is generated (with the CRYPT_MACHINE_KEYSET flag set)
   4. the additional 3DES key is encrypted using the RSA key and stored in the system registry (HKEY_LOCAL_MACHINESOFTWAREERUCESTricryption EngineFile Protection EditionCrypto)
   5. how Microsoft protects private keys is extensively described in their documentation
2. Password protector - master key container is protected with a password (encrypted with a symmetrical key derived from the password using PKCS#5)
3. Shared secret protector – the master key container is protected with k of m shared secret scheme (of LaGrange Interpolating Polynomial type); secret is spread through m (e.g. 5) tokens (or smart cards), and during startup of the system you need to assemble k of them (k<m, e.g. 3) to unlock the master key container.
4. HSM protector - the master key container is protected using HSM (e.g. nCipher nShield)