FuzzyJohn
Posted July 23, 2003

I recently ran the following test:

On a Win2K machine I changed the advanced properties of the "My Documents" folder to encrypt the folder and all other subfolders and files. The Retrospect Launcher service is configured to run as "Local System Account" and to "Allow service to interact with desktop".

After Retrospect finished its scheduled daily backup (which backed up everything in "My Documents") I attempted to restore a few files from "My Documents" on another machine running Windows XP Professional. After the files were restored, Windows XP Explorer showed them in green color and with the "E" attribute set. Attempting to open DOC files in Word generated messages that I did not have the privilege to open the files.

This satisfies my and my boss's requirement that the files stored on tape be secured. But this also poses another question: should we experience a crash and be forced to rebuild the Win2K system from scratch, would we be able to access the restored encrypted files?

Thank you,
John Castravet

natew
Posted July 24, 2003

Hi John,

I doubt that you could access your files after a crash. A full system restore might allow you to do it, but what if the motherboard dies and you can't find an exact replacement? Then a full restore isn't possible and you can't access your backup.

I suggest you encrypt your backup set in Retrospect rather than encrypting individual users' folders. You can select 3 levels of encryption.

Nate

FuzzyJohn
Posted July 24, 2003

Quote: natew said:
"I suggest you encrypt your backup set in Retrospect rather than encrypting individual users' folders. You can select 3 levels of encryption."

Correct, but that leaves the computer itself and the hard drive open, which was the reason for turning on the NTFS encryption in the first place. I considered making the Retrospect Launcher run with the user's credentials, but the network policy forces the user to change the password every 30 days.

John

natew
Posted July 25, 2003

Ah, I get it now.

In Windows 2000 I believe you can export a user's EFS File Encryption Certificate in case you have to restore the encrypted files onto another system. Failing that, you would need to do a full system restore to access the files.

In short, you should be able to access encrypted files that you restore as long as you import the original EFS File Encryption Certificate.

Nate

mikebk
Posted December 22, 2003

I've just gone through restoring a backup of Windows/XP EFS files and can confirm that the encrypted files were accessible.

I needed to export the Private key from the original system (using the MMC certificates snap-in), then import it into the destination system. It needed to be placed in both the Personal certificates folder and in the Trusted Root Certificate Authorities folder on the destination system. I found the efsinfo program (from the Resource Kit) to be helpful in locating the right certificates.

In case this helps the next person.

Mike

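The export and import described in the posts above, as an added example that is not part of the original thread: a PowerShell sketch of backing up a user's EFS certificate with its private key and restoring it on another machine. It assumes a current Windows version with the PKI module and an exportable key (the thread itself used the MMC snap-in on Windows 2000/XP); the backup directory and sample file name are hypothetical.

```powershell
# Added example, not from the thread. Assumes a current Windows with the PKI
# module (Export-PfxCertificate / Import-PfxCertificate) and an exportable key.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$BackupDir = 'E:\efs-backup'            # hypothetical removable/offline media

function Get-EfsCertificate {
    # EFS certificates in the current user's Personal store that have a private key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
    }
}

function Export-EfsKey {
    # Run on the ORIGINAL system, as the user who encrypted the files,
    # while the profile is still healthy (before any crash or rebuild).
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key in this profile.' }
    $pw = Read-Host -AsSecureString 'Password to protect the PFX files'
    foreach ($c in $certs) {
        # One PFX per certificate, named by thumbprint so it can be matched later.
        $path = Join-Path $BackupDir "$($c.Thumbprint).pfx"
        Export-PfxCertificate -Cert $c -FilePath $path -Password $pw | Out-Null
        Write-Output "Exported $($c.Thumbprint) (expires $($c.NotAfter)) to $path"
    }
    # The PFX holds the private key: keep it off the backed-up disk and
    # separate from the tapes, or it defeats the purpose of encrypting.
}

function Import-EfsKey {
    # Run on the DESTINATION system, as the user who will open the restored files.
    param([Parameter(Mandatory)] [string] $PfxPath)
    $pw   = Read-Host -AsSecureString 'PFX password'
    $cert = Import-PfxCertificate -FilePath $PfxPath -Password $pw `
                -CertStoreLocation Cert:\CurrentUser\My
    if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    # mikebk also placed the certificate in the Trusted Root store; not shown here.
    Write-Output "Imported $($cert.Thumbprint) into the Personal store"
}

# To see which certificate a restored file needs, compare thumbprints with:
#   cipher /c "C:\Restore\sample.doc"    (hypothetical file)
```

Run the export as part of provisioning rather than after a failure: once the original profile is gone, the key cannot be regenerated and the restored files stay unreadable.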
Archived
This topic is now archived and is closed to further replies.