Invention Grant
US08549278B2 Rights management services-based file encryption system and method (in force)

Rights management services-based file encryption system and method
Abstract:
Windows Rights Management Services (RMS) are leveraged to provide protection and sharing of encryption keys to file systems. An encrypting file system (EFS) delegates key sharing, management and recovery to the RMS system. User rights to file encryption keys (FEKs) are derived from files' security descriptor information or as explicitly specified by users. Whenever an encrypted file is created, its FEK is protected using RMS, as a byte stream stored in file encryption metadata information. When a user with access tries to access an encrypted file without having a private key to decrypt the FEK, the EFS transparently extracts the RMS protected byte stream from the file encryption metadata information and uses RMS to access the FEK stored in the byte stream using the user security context. The FEK is protected with the user master key, encryption certificate or password and cached for the next user file access.