Windows has a built-in Encrypting File System (EFS), which is a component of NTFS. It allows users to encrypt files on disk so that only they, and the users they provide keys to, can read the encrypted files.
Symptom
Files are skipped during the backup process. This typically occurs when a user has encrypted some files: although the backup service user has been granted permission to read the files to back them up, they are still skipped.
Typical error messages include:
Warning: 16:45:57 Unable to open file: C:\Users\Bob\Documents\Bob's Encrypted Docs\BobOnly.txt, reason:\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\Users\Bob\Documents\Bob's Encrypted Docs\BobOnly.txt (Access is denied)
Warning: 16:46:26 Unable to open file: C:\Users\Bob\Documents\Bob's Encrypted Docs\BobOnly.txt, reason:C:\Users\Bob\Documents\Bob's Encrypted Docs\BobOnly.txt (Access is denied)
Cause
Ordinarily, the Attix5 Pro Backup Client service is run as local system or as an administrator. Unless ownership is changed, or explicit deny permissions are set, the local system and administrator account will be able to access all files on a machine, allowing the Backup Client service to access all files and back them up. If ownership and permissions deny access to files for the backup service user account, the Backup Client will be unable to read the files to back them up, and they will be skipped.
Similarly, where files are EFS-encrypted and the backup service user account does not have the decryption key, the files will also be skipped.
[Screenshot: folder with encryption set]
Solution
Running the backup service as the user that encrypted the files allows the files to be backed up successfully. However, you might encounter skipped file errors for files that other users have encrypted with EFS (as well as potentially encountering other permission issues).
To resolve the issue, export the certificates used by EFS for each user and import these using an administrator user account. Then run the Attix5 Pro backup service as that same administrator user.
Exporting the user encryption key certificate
- While logged in as a user with encrypted files, on the desktop, right-click the pop-up that offers to back up your file encryption key.
- Click Back up now (recommended).
- After the Certificate Export Wizard has launched, click Next.
- Ensure Personal Information Exchange is selected and click Next.
- Enter a password for the certificate and click Next.
- Enter a file path to export the certificate to and click Next.
- Click Finish.
- The wizard will confirm that the export was successful.
- Repeat the export process for each user that has files encrypted using EFS.
Note: Exported certificates are normally stored on external media. As the certificate is being exported here so that another user can import it, the certificate file can be deleted after being imported.
Importing the user encryption key certificate as administrator
- Log in as the administrator user that the backup service runs as.
- Navigate to the certificate file, right-click it and click Import PFX.
- After the Certificate Import Wizard has launched, click Next.
- Navigate to the certificate file path, select the certificate file and click Next.
- Enter the password you used during the export process and click Next.
- Select a particular certificate store or leave the setting on Automatically select the... and then click Next.
- Click Finish to complete the wizard.
- The wizard will confirm that the import was successful.
- Repeat the import process for any other exported certificates.
Note: The certificates are imported for use by the specific administrator user, not all members of the administrators group. Certificates apply only to the user that imports them, not all users in the group.
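The export and import steps above can also be scripted when many users have EFS-encrypted files. The following is an added example, not part of the original article or of Attix5 Pro: the function names and sample paths are hypothetical, and it assumes the Windows PKI module cmdlets `Export-PfxCertificate` and `Import-PfxCertificate` are available and that each user's EFS certificate sits in their Personal store with the Encrypting File System key usage.

```powershell
# Added example: scripted equivalent of the two wizards. Function names and
# the sample paths in the usage lines are hypothetical.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Export-EfsCertificate {
    # Run in the session of the user who encrypted the files.
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Assumption: EFS certificates carry the EFS EKU and live in the Personal store.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku)
    })
    if ($certs.Count -eq 0) {
        throw "No EFS certificate with a private key found for $env:USERNAME."
    }
    foreach ($cert in $certs) {
        # One PFX per certificate, so files encrypted under an older key stay covered.
        $path = Join-Path $Directory "$env:USERNAME-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $path -Password $Password | Out-Null
        $path
    }
}

function Import-EfsCertificate {
    # Run in the session of the administrator account the backup service runs as.
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # -Exportable is deliberately omitted: the imported private key cannot be
    # exported again from the administrator's store.
    $cert = Import-PfxCertificate -FilePath $FilePath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    # The PFX holds the user's private key; delete it once imported.
    Remove-Item -LiteralPath $FilePath
    $cert.Thumbprint
}

# As the user:
#   Export-EfsCertificate -Directory E:\efs-export -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
# As the backup administrator, once per exported file:
#   Import-EfsCertificate -FilePath 'E:\efs-export\<file>.pfx' -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
```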
Backup service configuration
Configure the backup service to run as the administrator user that you have imported the certificates for. Running the service as another administrator user will not allow you to back up the encrypted files.
The administrator user will now be able to access the encrypted files. With the backup service running as this user, it will now be able to back up the encrypted files in a decrypted state, re-encrypting them with Attix5 Pro native encryption as they are sent to the platform.
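Before relying on the next backup run, the administrator account can check which EFS-encrypted files it is actually able to open. This is an added example, not part of the original article or of Attix5 Pro; `Test-EfsReadable` and the `C:\Users` root in the usage line are hypothetical, and it must be run in a session of the account the backup service runs as.

```powershell
# Added example: list EFS-encrypted files under a root and test whether the
# current account can open and read each one. Test-EfsReadable is a hypothetical name.
function Test-EfsReadable {
    param([Parameter(Mandatory)] [string] $Root)

    # -Attributes Encrypted selects only files with the NTFS "encrypted" attribute.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Attributes Encrypted |
        ForEach-Object {
            $file   = $_
            $result = [pscustomobject]@{
                Path     = $file.FullName
                Readable = $false
                Error    = $null
            }
            try {
                # Open read-only and share with other readers/writers, as a backup would.
                $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    [void]$stream.ReadByte()   # force a read through EFS decryption
                    $result.Readable = $true
                } finally {
                    $stream.Dispose()
                }
            } catch {
                # Without the EFS key (or NTFS permission) this is "Access ... is denied".
                $result.Error = $_.Exception.GetBaseException().Message
            }
            $result
        }
}

# Files the backup would still skip:
#   Test-EfsReadable -Root C:\Users | Where-Object { -not $_.Readable }
```

Any file reported with `Readable = False` would still be skipped with an "Access is denied" warning, which means the certificate for the user who encrypted it has not been imported for this account, or NTFS permissions deny access.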
When restoring, the files will be restored into a decrypted state, so you may wish to adopt the following steps:
- Deny access to users other than the administrator, or even use EFS on the ToBackup and Cache folders to prevent users gaining access to the local cache files. Adding encryption is not strictly necessary as the files in the Cache and ToBackup folders are not easily readable.
- Deny the users access to the Attix5 Pro installation folder to prevent them running the GUI and restoring files to alternate non-encrypted locations. You may also wish to configure the GUI password for restores as an extra level of security.
Article ID: 185
Posted: 27 Aug, 2012 by -- .
Updated: 30 Jun, 2014 by Van Rensburg J.