EFS-encrypted File Backup
As of version 7.6, Backup for Windows supports EFS-encrypted file backup and restore 'as is', i.e. in an encrypted state.
EFS-encrypted file backup is supported in the new backup format only.
- Upgrading to Version 7.6
- Enable the 'Keep EFS encryption' Option in Backup Plan
- Security Measures
Upgrading to Version 7.6
If you upgrade Backup for Windows to version 7.6 and you already have file backup plans in the new format configured to back up EFS-encrypted files as decrypted, you do not have to change anything: the new version works with the same settings, and EFS-encrypted files will continue to be backed up as decrypted.
Enable the 'Keep EFS encryption' Option in Backup Plan
To enable the backup of EFS-encrypted files as encrypted, proceed as follows:
- Update Backup for Windows to version 7.6: in the horizontal menu bar, click Tools, then click Check for Updates.
- Once the new version is installed, determine what EFS-encrypted content you have. If it is covered by an existing backup plan, click Edit; otherwise create a new file backup plan in the new backup format.
- On the Advanced Options step, select the Keep EFS encryption option, then confirm your selection.
It is highly recommended to read the How To Access EFS-encrypted Files On Other Locations article on the Knowledge Base portal to learn the security measures for accessing EFS-encrypted files in other locations.
If your backup plan contains backup sources located on network shares, read the Backing Up Remote EFS-Encrypted Files paragraph.
- Finish the backup wizard to save the backup plan configuration.
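Before enabling the option, it helps to know whether the backup sources actually contain EFS-encrypted files and which account the Backup service runs under. The following PowerShell script is an added example, not part of the Backup for Windows documentation; the source paths and the service name are assumptions to be replaced with your own values.

```powershell
# Added example, not part of the Backup for Windows documentation: list the
# EFS-encrypted files under the planned backup sources and show which account
# the Backup service runs under. The source paths and the service name are
# assumptions; substitute the values from your installation.
param(
    [string[]]$SourcePath  = @('C:\Data', 'D:\Projects'),   # assumed backup sources
    [string]  $ServiceName = '<backup-service-name>'        # placeholder; look it up in services.msc
)

# A file is EFS-encrypted when the Encrypted bit is set in its attributes.
$encrypted = Get-ChildItem -Path $SourcePath -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }

if ($encrypted) {
    "{0} EFS-encrypted file(s) found; the 'Keep EFS encryption' option matters for this plan." -f @($encrypted).Count
    $encrypted | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    'No EFS-encrypted files found under the given sources.'
}

# Local System (the default) can back up local EFS-encrypted files; any other
# service account should be a member of the local Backup Operators group.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    "Service '$ServiceName' not found; check the service name in services.msc."
} else {
    "Backup service '{0}' runs as: {1}" -f $svc.Name, $svc.StartName
    if ($svc.StartName -ne 'LocalSystem') {
        # Win32_Service reports local accounts as ".\name"; group members are listed as "COMPUTER\name".
        $account  = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $members  = Get-LocalGroupMember -Group 'Backup Operators' -ErrorAction SilentlyContinue
        $isMember = [bool]($members | Where-Object { $_.Name -eq $account })
        "Member of Backup Operators: $isMember"
    }
}
```

Run it in an elevated PowerShell session on the computer where Backup for Windows is installed; Get-LocalGroupMember requires the LocalAccounts module (Windows PowerShell 5.1 or later).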
Backing Up Local EFS-Encrypted Files
If you selected the Keep EFS encryption option, make sure the Backup service is running under an account with sufficient permissions to back up local EFS-encrypted files.
The Local System account is used as the default Backup service account and has sufficient permissions to back up EFS-encrypted files. If for some reason you use another account, add it to the Backup Operators group. Read more about this group in the Backup Operators paragraph of the Active Directory Security Groups chapter at docs.microsoft.com.
To continue backup plans that contain local EFS-encrypted files, a full backup must be executed.
EFS-encrypted files are backed up encrypted and restored encrypted. If the backup plan is continued with incremental backups (without a full backup), local EFS-encrypted files are backed up and restored as decrypted.
If the account the Backup service runs under does not have sufficient permissions to access EFS-encrypted files, these files are skipped and a warning is displayed.
NTFS permissions for EFS-encrypted files are never backed up nor restored.
Backing Up Remote EFS-Encrypted Files
Note that remote EFS-encrypted file backup is supported only for locations on NTFS file systems and for domain member computers.
If you selected the Keep EFS encryption option, pay close attention to permissions when backing up EFS-encrypted files located on network shares: there are some important peculiarities.
By default, the Backup service runs under the Local System account. To back up remote EFS-encrypted files on network shares, the computer on which Backup for Windows is installed must be added to the Backup Operators group on every computer hosting a network share included in the backup plan.
If permissions are sufficient, EFS-encrypted files are backed up encrypted. If you continue a backup generation (by running incremental backups) that was created in a previous version of Backup for Windows, EFS-encrypted files on network shares are backed up and restored as decrypted.
To include the required computer in the Backup Operators group, proceed as follows:
- On the computer hosting the network share included in the backup plan, open the Command Prompt as administrator.
- Type compmgmt.msc, then press Enter to run Computer Management.
- In the left frame, expand System Tools.
- Expand Local Users and Groups, then select Groups.
- Double-click Backup Operators.
- Click Add....
- In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types....
- Select Computers.
- In the Enter object names to select field, specify the computer name.
- Click OK.
- On the computer with Backup for Windows, restart the Backup service: right-click the Backup service status icon in the system tray (at the bottom of the screen), then select Stop Service. Wait a few seconds, then right-click the icon again and select Start Service.
If the Backup service runs under an account other than Local System, this account must also be added to the Backup Operators group, along with the computer where Backup for Windows is installed.
If the account the Backup service runs under does not have sufficient permissions to access EFS-encrypted files, these files are skipped and a warning is reported.
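The same membership change can be applied to several share hosts at once and verified afterwards. The script below is an added example, not part of the Backup for Windows documentation; it assumes PowerShell remoting (WinRM) is enabled on the share hosts, and the domain, backup computer and share host names are placeholders.

```powershell
# Added example, not part of the Backup for Windows documentation: add the
# computer account of the Backup for Windows host to the local Backup Operators
# group on every share host, then verify the membership. Run from an elevated
# session with administrative rights on the share hosts. All names are assumed.
$Domain     = 'CORP'                         # assumed domain name
$BackupHost = 'BACKUP01'                     # assumed computer running Backup for Windows
$ShareHosts = @('FILESRV01', 'FILESRV02')    # assumed computers hosting the network shares

# A domain computer account is referenced as DOMAIN\NAME$ (note the trailing dollar sign).
$computerAccount = "$Domain\$BackupHost`$"

foreach ($shareHost in $ShareHosts) {
    Invoke-Command -ComputerName $shareHost -ArgumentList $computerAccount -ScriptBlock {
        param($member)
        $group = 'Backup Operators'

        $existing = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $member }
        if (-not $existing) {
            # Equivalent classic command: net localgroup "Backup Operators" DOMAIN\NAME$ /add
            Add-LocalGroupMember -Group $group -Member $member
            "$env:COMPUTERNAME: added $member to $group"
        } else {
            "$env:COMPUTERNAME: $member is already a member of $group"
        }

        # Verification: a computer account shows up with ObjectClass 'Computer'.
        Get-LocalGroupMember -Group $group |
            Where-Object { $_.Name -eq $member } |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

# The Backup service on $BackupHost still has to be restarted (tray icon: Stop Service, then Start Service)
# so that the new group membership takes effect for its token.
```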
Note that if you back up EFS-encrypted files 'as is' (encrypted), you will need additional tools to access these files if they are ever restored to another location.
To avoid problems when the 'Keep EFS encryption' option is enabled and you need to access EFS-encrypted files restored to another computer, perform one of the following actions before you run the backup plan:
- If you have one or a few EFS-encrypted files: export the encryption certificate with its private key from the source computer and add them to the backup plan. You will need them to access the EFS-encrypted files.
- If you have a large number of EFS-encrypted files: configure Key Archival in the Certificate Authority and create and configure a Key Recovery Agent using domain or local group policies. Self-signed certificates will be disabled and key recovery agent certificates will be used instead.
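For the first option, the certificate export and the later import can be done with standard Windows tools. The script below is an added example, not part of the Backup for Windows documentation; the PFX path and the sample file path are assumptions.

```powershell
# Added example, not part of the Backup for Windows documentation: export the
# current user's EFS certificate with its private key to a password-protected
# PFX file (to be included in the backup plan) and show how to import it on
# the computer where the files are later restored. Paths are assumptions.
$PfxPath = 'D:\BackupKeys\efs-cert.pfx'   # assumed destination; add this folder to the backup plan
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString

# The EFS certificate is the one in the user's personal store that carries the
# Encrypting File System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4) and a private key.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key found for the current user.' }

# Cross-check against a file from the backup sources: cipher /c lists the
# thumbprints of the certificates that can open it, which should include $efsCert.
cipher /c 'D:\Data\secret.docx'            # assumed path to one EFS-encrypted file
"Exporting EFS certificate {0} (thumbprint {1})" -f $efsCert.Subject, $efsCert.Thumbprint

Export-PfxCertificate -Cert $efsCert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# On the computer where the files are restored, log on as the user who needs
# access and import the PFX into that user's personal store:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
# Afterwards, cipher /c on a restored file should list the imported thumbprint.
```

Export-PfxCertificate and Import-PfxCertificate come with the PKI module on Windows 8 / Windows Server 2012 and later; cipher /x is the equivalent built-in command for the export step.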