Password protected and encrypted directories
I use a product on Windows that encrypts and password protects directories. It's internal behavior is not described, but I assume that when told to protect a folder (and all subfolders and files) it encrypts all contents of the folder - the directory and all subdirectories and files. If the product is installed, an attempt to access the folder results in a prompt for a password. When the password is given, all expected subdirectories and files are accesable. If the product is not installed, the folder appears to be a directory full of gibberish.
I assume an attempt to do an Acronis "Files and folders" backup results in prompt for a password. (I don't know if I've tried this.) A "Disks and partitions" backup seems to work fine, but I wonder if I'm actually getting a backup of this folder (unless I do a sector-by-sector backup ... which I don't want to do). In a full disk backup will Acronis back up files that are not pointed to by a directory? Does it even know such a file exists to be backed up?
I assume I would have to do a full disk recovery in order to test this and I don't have a spare drive handy to do that.
I haven't been able to find a description of a Windows directory so I don't really know whether this is a dumb question. I assume the this program could encrypt just the names in a directory and leave file pointers (whatever format they may be) untouched, but I doubt it.
Patrick:
Without knowing the details of how your encryption software works it is difficult to determine what to expect. However, you could do a simple experiment to find out. You can restore single files and/or directories from a Disks and Partitions backup, so try doing this to one of your encrypted directories.
Take the "Disks and Partitions" backup that you made and then restore one of your protected directories to a new location. Do not restore to the original location in order to avoid over-writing the existing protected directory. Choose "Recover Files" when restoring as opposed to "Recover Disks". Pick out one of your protected directories and restore it to a new location on the disk. Then attempt to open the recovered encrypted directory and see what happens.
Long story short - disk, files/folders with encryption will equal rubbish if you back them up - that's how encryption works. If Acronis could backup the content inside while encrypted, you can bet that a hacker could use the same method to access your data too. Yes, you can back them up and yes the backup will run and say it is successful, but NO the content of the backup will not be usable as you have just backed up the encrypted data.
I'm afraid you misunderstood me. I don't want the folder decrypted. Just the opposite. I want to be able to back it up and restore and it encrypted. I have the appropriate encryption/decryption software to handle the files and directories. But can Acronis even find the files with a decrypted hierarchy of directories? I assume it cannot unless I do a sector by sector backup of the disk, but I would like that confirmed.
Patrick, I would agree with Mark in his update above, the only way to see what is really happening when Acronis encounters your encrypted folders / files, is to test this by making a backup of a small folder with a couple of files, then restore this to a different location then see whether the data contained in the encrypted folder has been preserved with total integrity and can be accessed via the encrypting program to unlock and see the data.
The key issue with accessing encrypted data is how that data is presented, i.e. it can contain strings of data in its encrypted form which might look like something totally different on a normal unencrypted disk and thus prompt Acronis to handle the data differently.
I do not think that doing a sector by sector backup would help here either, as this again depends on the sector contents being identified as being valid data which may not show as such due to the encryption present.
I would recommend opening a support case directly with Acronis for this question as they should be able to give you a definitive answer to the question, we are really just guessing here.
Long story short - disk, files/folders with encryption will equal rubbish if you back them up - that's how encryption works. If Acronis could backup the content inside while encrypted, you can bet that a hacker could use the same method to access your data too. Yes, you can back them up and yes the backup will run and say it is successful, but NO the content of the backup will not be usable as you have just backed up the encrypted data.
I'm afraid you misunderstood me. I don't want the folder decrypted. Just the opposite. I want to be able to back it up and restore and it encrypted. I have the appropriate encryption/decryption software to handle the files and directories. But can Acronis even find the files with a decrypted hierarchy of directories? I assume it cannot unless I do a sector by sector backup of the disk, but I would like that confirmed.
nope, I understood. If your directory is encrypted when a backup is run, 99.9% sure you will have no recoverable data in the backup that relates to that encrypted location. If the folder is unlocked - essentially decrypted, you're good. If it's encrypted or locked, don't bet on it... especially not at the file folder level.
now, I have used hard drive clone docks to duplicate exact disks that were encrypted and those did work after the process, but Acronis doesn't support even sector by sector offline disk clones or backups... I think it's because they change the partition scheme and that's a sure way to cause issues as most full disk encryption requires every bit to be exactly the same as the original and moving the MSR and resizing it is a problem.
let us know about your tests, but I'm pretty sure I already know your answer if the content is encrypted at the time of backup.
Well, I did some testing on an old backup/test PC and confirmed some of the dire predictions stated in this thread. I tried doing a "Files and folders" recovery from a "Disks and partitions" backup. (I wouldn't have expected that to work, but I tried anyway.) 5 files - corresponding to the 5 high level directories of the encrypted folder were restored with name "con.xYz" where xYz was 3-5 characters with one cap and the rest lower case. My guess is that the namess weren't really encrypted but were munged in some simpler way. Bit it doesn't matter much. Clicking on them resulted in an "Invalid file handle" popup. I was able to delete them with
rd \\.\<file name> /S /Q but obviously could do nothing else.
I could try a disk recovery but, since I don't have a spare drive, I'll probably achieve nothing beyond destroying the encrypted folder.
The encryption program has an export function which produces a structure with decrypted (or unmunged) directories but encrypted files. But it took over 4 hours to export about 7 GB of data - 55 subdirectories and about 32,000 files. I think it must have decrypted the whole structure and then reencrypted every file individually. The resulting structure probably could be successfully backed up and restored, but the export process takes too long for a daily backup. I'll have to figure out some other scheme.
Patrick, thanks for the latest feedback / update with your results of testing even though this was not as you were wishing.
I guess the question here is what are you trying to protect against? You can already encrypt your backup images with strong encryption using a complex password within ATIH, but if you are wanting to encrypt individual folders on your computer then that is only protection provided your physical security to the computer is of equal strength, i.e. if you have these folders unlocked and walk away from the computer for a few minutes, then they are at risk. The same would apply to whole disk encryption by such as BitLocker when that is unlocked for normal daily use.
There are options that use a USB stick as a security dongle that may be applicable, i.e. access is only possible when the USB dongle is connected - so you remove it when leaving the computer. OK so long as you don't forget when you go for coffee!
I guess the question here is what are you trying to protect against?
I've been wondering about that, too. In the past it was protecting stuff on a multi-user PC. Just private stuff that I didn't particularly want to share. No high security needed - just protection from prying eys. Password protection would be enough except for access to the data on a backup. That's less of an issue now, but I've never undone the configuration. Things like Bitlocker would be a fine solution if I could justify wasting a whole disk for 8GB of data. I have thought about partitioning the drive and Bitlocking the partition.
You can already encrypt your backup images with strong encryption using a complex password within ATIH, but if you are wanting to encrypt individual folders on your computer then that is only protection provided your physical security to the computer is of equal strength, i.e. if you have these folders unlocked and walk away from the computer for a few minutes, then they are at risk. The same would apply to whole disk encryption by such as BitLocker when that is unlocked for normal daily use.
I don't worry too much about walking away from the computer and having someone else using it. The PC is my personal PC at home. And the soflware has an inactivity timeout lock (which I've never used) and a lock-on-sleep/hibernate which I do use.
There are options that use a USB stick as a security dongle that may be applicable, i.e. access is only possible when the USB dongle is connected - so you remove it when leaving the computer. OK so long as you don't forget when you go for coffee!
Hmm. I'll look into that. I didn't know it exeisted. (Of course, if I got that route I'll immediately break or loose the dongle. :-) )
By the way, the so far unnamed software I use is Everstrike's Protect Folder. I've been very happy with it, but there has been no development for 5 years so I should probably look for a different solution.