Fixed with ATI 6857: Backing up encrypted files in a decrypted state causes back up to fail
I run Windows 7 Ultimate 64 bit.
There is this feature in the advanced tab of the file backup options, in the file level security settings, where you can request that EFS encrypted files be backed up in a decrypted state. This is useful if the files need to be restored on another computer.
Everytime I try this feature, it causes the file backup to fail. I contacted Customer support more than a week ago, but I didn't get an answer yet. For the time being, I back up without the option.
Is this a bug or some other issue?
Hey Colin,
Thanks for jumping in.
I had the same issue with the previous build, as you guessed.
I am using Windows 7 ultimate default file -not disk- encryption mechanism. You know, the one you access through the properties of the folder.
I have been exchanging email with customer support about the support for windows native EFS encrypted files, but we cannot get on the same page.
I am running x64 ultimate with ATI 6597.
ATI help files indicates that backing up encrypted files and storing them as decrypted files is supported in file backups.
But the Acronis option to backup encrypted files as decrypted files does not work. This is a big issue, because it is strongly recommended to backup encrypted files in an decrypted way, and then to secure the backup. EFS can be a pain to deal with if, even if users don't back up & make available their EFS encryption key, in particular if files need to be accessed by somebody else and or on another computer.
I still don't know if this a bug or an issue with my configuration.
See Help > backing up data > backup options > File-level security settings for backup, second bullet point (see below)
You can specify security settings for backed up files (these settings relate only to file/folder backups):
- Preserve file security settings in backups - [...].
- In backups, store encrypted files in a decrypted state (the preset is disabled) - check the option if there are encrypted files in the backup and you want them to be accessed by any user after recovery. Otherwise, only the user who encrypted the files/folders will be able to read them. Decryption may also be useful if you are going to recover encrypted files on another computer. If you do not use the encryption feature available in Windows XP and later operating systems, simply ignore this option. (Files/folders encryption is set in Properties > General > Advanced Attributes > Encrypt contents to secure data). These options relate only to file/folder backups. In addition, they are unavailable for zip backups.
Pat,
Does TI backup or image non encrypted files correctly?
Hey Colin,
Yes. To be clear, the files are backed up, whether encrypted or not encrypted when this option is turned off. They can be restored as well. When I restore encrypted files, they are encrypted. That's what I want to avoid.
When the option to store encrypted files in a decrypted state in the backup is turned on, the back up doesn't go through. See images attached.
Well, more than 3 weeks after having filed a customer support request about this, and no answer. I exchanged emails with 3 different reps, and there is a lot of confusion about the problem.
File backups fail if you select the "In backups, store encrypted files in a decrypted state " options in File Level Security Settings of the File Backup options.
I noticed that the log shows the attached. I don't know whether this is a bug or a configuration issue on my computer.
As I can do backups without this option, I am kind of OK. But I need to use some other file backup solution that let me encrypt the backup as a whole, and don't store the encrypted files in an encrypted state. GenieTimeline Pro seems to be working fine for this.
Pat,
I've been doing some testing and apart from some wierd results such as copying the complete desktop (where the encrypted file lives), I've changed the settings so that file security option 'store encrypted files etc' is not ticked.
I then made an image to the C:\My Backups folder in the same W7 Ult 64 bit VM and from there copied it to my actual Win 7 system. The file opened OK. When I had the above option ticked, I couldn't even copy the file, let alone open it on my main system.
The file (a text log file) is not in an encrypted state on my physical machine's F:\ drive
I've just had a brainwave - try it without changing the default name - whenever I changed the default name to encryption you see above that it all went wrong, whereas left as the default name decided by TI it seems to have worked apart form the fact I didn't have the box ticked, but then this could be a problem between the VM and the physical machine.
Colin, thanks for looking into it.
I have been staring at your screenshots and reading your post and couldn't quite understand it.
Here is my situation:
A- Box "store encrypted files in decrypted state" unticked
- Backup and restore not-encrypted files: No issue
- Backup and restore EFS-encrypted files: No issue. Files are restored in an encrypted state, as they were originally.
B- Box "store encrypted files in decrypted state" ticked
- Backup and restore not-encrypted files: No issue
- Backup and restore EFS-encrypted files: Backup fails. Clicking ignore several times results in empty backup.
A good file backup solution needs to restore encrypted files in an decrypted state (which Acronis fails to do on my machine), but should protect the backup file with robust AES encryption (which Acronis can do). If it restores encrypted files as they are, on another machine, or on a disk where the user profile / certificate store is not exactly the original one, the user won't be able to open them, unless she has backed up, transferred and reimported the original EFS encryption key.
With an image backup of the entire system, there is little risk: the original user profile, certificate stores and the files in a encrypted state would be restored and the files could be opened as before.
OK Pat,
I'm obviously not quite on the same wavelength.
I found as you did that your action 'A' worked and 'B' had varying results. I did get an error message a couple of times but that was with the files you see named encryption and they did eventually image. When I let TI choose the name I didn't get the error message.
Now my point was, that performing your option A.2 I was able to restore (and via Windows Explorer copy and paste) the encrypted file from my virtual machine to my physical machine whereupon the file was unencrypted. Within the VM it was encrypted if restored to another folder or over the top of itself.
With the option 'B.2' I could restore the file in the VM but couldn't restore or copy it to a destination outside the VM.
Are you saying that you also have TIH encryption enabled as well? I didn't test with this option ticked, if that is what you are doing what AES level are you using?
Have you tried it using the default TIH name and see if that makes any difference?
Colin,
For the test, I don't use ATI's backup encryption at all. I don't change ATI's backup name either.
I click file backup, I tick the option in question, I select one or several encrypted files, I click backup now. And the backup fails (B2 case). So I cannot even try restore.
The log (see previous post screen capture) seem to point at access rights "access to the file is denied error code 0x00040014" when the option is ticked...
I have received an update from Customer Support, 2 months after having filed the ticket.
Only one week ago, have I received support from a level 2 technician. The first month and a half was about sending out information and refusing to close the ticket (I have gottent many of these emails...)
Anyway, the news is that this is a bug of 2011 6597. The actually helpful technician goes one saying the bug doesn't exist with 2010. It has to do with the account the TrueImageHomeService.exe daemon uses. It should use the local account account instaed of the system account.
As usual, there is a desire this will get fixed in a future build, whenever that might happen.
In the meantime, I will have to keep on using other tools that don't keep the files in an encrypted state in their backup.
Pat,
If the problem is due to TIH using the system account, what happens if you change the account used in Services to your local one?
I was wondering if I could do that. I know how to do it from services.msc, but I didn't find that particular service. Do you know of a way to change the setting?
As far as I know, TI uses the scheduler service to interact with the OS, so that'd be the one I'd try first.
It may well be of course that the daemon is hard coded, in which case of course it'll make no difference at all.
Update on EFS problems.
I am a newcomer to Acronis Home as of last night. I have separately posted my satisfaction with backup and restore of a TrueCrypt container file. Not the same for an EFS folder tree. I have the same problem as people above, but can add a little new info.
First, I am running Windows 7 Ultimate 32 bit, Acronis 2011, build 6696. I am logged on as a Standard user but when Acronis starts, it asks for an admin password, which I duly entered. I know that Acronis stays in admin mode because when I saved a backup log file, it was saved to the Administrator profile, not to my standard user profile.
My test was to backup an EFS encrypted folder tree. I checked the box "store encrypted files in a decrypted state." The backup failed starting with the first file.
As you can see from the log entry above, the problem was "access denied." As noted above, Acronis did have access to the Administrator account.
Randy,
The backup works if you don't select the option. You need to backup your EFS key if you rely on this backup as a file backup. If your EFS encrypted files are included in a full system disk and partion backup, you are in good shape. Such a backup would restore all the information as it was, and the EFS files will be readable.
If you use a file backup and store the files encrypted (the only option that works), you will need your EFS key backp to access the files if you restore these files on a different computer.
You would have similar problems with the native Win 7 backup.
I personally don't backup the EFS encrypted files with ATI because of this issue, I use other software for that purpose.
Thanks for your reply. I did figure that out from other, earlier posts. I was just wondering if anything had changed and Acronis had fixed this non-working "feature." Meanwhile, I get around it by frequently copying my EFS files to a TrueCrypt container file. That file is OS independent for backup and restore.
I used to use Norton Ghost but got tired (at version 12) of its little "features" that didn't work. Seems like Acronis is not much better, just different ones that don't work. Plus Ghost is much more customizable and has much better reports. You need to get a more expensive version of Acronis than Home for some of those customizing features.
The worst thing about Ghost was that incremental backups were actually slower than full backups, making this "feature" worthless. That was the number 1 reason I bought a copy of Acronis. Plus it got such great reviews.
Maybe I should have looked in this forum first. From comments I've seen here, and my own tests, Acronis seems only slightly better than Ghost 12. Almost any change in the disk shifts Acronis from incremental to full backup. That's faster than Ghost, but way slower than a true incremental backup would be. I don't know if Ghost 15 has fixed this problem.
I didn't try Ghost 15 as I am happy with the core features of ATI (imaging/restore), with Win 7 backup as a backup. For the files, I use GenieTimeline, with Syncback SE. Both support encryption, where each file is encrypted and stored separately. This avoids the risk of corrupting a bigger container. For critical and high value personal files, I use an online service in addition.
I received today an email from customer support indicating Acronis development has found the issue and will be including the fix in the upcoming 2011 update (following the 6696 release)
Great! The last build 6857 fixes the issue. It is now possible to backup EFS encrypted files in a decrypted state.
The same error happens with True Image 2013 Build 5551.
on a Windows 8 x64 EFS encrypted folder.
With an image backup of the entire system, there is little risk: the original user profile, certificate stores and the files in a encrypted state would be restored and the files could be opened as before.
This may be true in theory. It certainly worked for me when my laptop hard drive crashed recently and I did a restore (using Ghost 15) to a new hard drive in the same machine. I am not using my copy of Acronis for reasons stated above.
However, if my laptop had been stolen and I bought a new one, I might not be able to, or want to, use the old machine's image backup to overwrite the OS, OEM drivers, etc., on the new machine. All I'd want to do is restore the data files. Whether from a file backup or the system image file, I couldn't do this with encrypted files on the backup. That's why I had been hoping Acronis's feature of backing up in enencrypted format those files stored in EFS on my hard drive. As others have noted, the feature still doesn't work.
Wow I cannot believe Acronis is so reluctant having this issue resolved.
I think they are too big to consider an issue which is not so popular. A new version and same problem. We should be able to backup EFS folders unencrypted... EFS is a built-in windows feature now for everyone. Not like Truecrypt.
Hey Threedee, did you open a thread in the 2013 forum? The issue was fixed with 2012. I personally don't use EFS encrypted folders any longer, ...
No, I was not aware there were version sections, as far as the problem renews with your license every year.