
How to recover encrypted files from Vista disk backups?


Is it possible to recover files encrypted using Vista file encryption from Acronis backups?
I am talking about per-file encryption achieved by setting the "Encrypt Contents" attribute in Windows folder properties, not total disk encryption.

This hasn't worked for me so far.

I have the following:

  • Full disk backup made by Acronis True Image Workstation 9.1 off Windows Vista
  • Directory backup made from the same box with the same software.

Both backups contain a few encrypted directories within them. I can browse these backups using True Image Home 2010 and True Image Workstation 9.1 on another machine, and I can restore all files from them that weren't encrypted on the original computer. I cannot read/restore encrypted files from either of the two backups using any method.

I even converted the TrueImage disk backup (.tib file) into a VMWare disk, thus effectively virtualizing the original machine. VMWare boots up this disk without problems and I have a fully working copy of the original system as a virtual Vista box, into which I can log in as the original Windows user; however, I still cannot access encrypted folders within this virtual machine.

It looks like there are two possible points of failure:
a) Acronis doesn't correctly back up files encrypted by Vista.
b) Vista no longer trusts user credentials after sensing that it's been moved to different hardware.

I have the original physical machine, but it has been reformatted since the backup was made, so I can only work with these backups on different computers. The questions I have are:

  1. Was anyone able to recover Vista-encrypted files (on the same or another machine)?
  2. Do any tools exist (not necessarily Acronis) that can decrypt Vista files based on their raw encrypted contents and security keys from the original Windows?

Thanks for any pointers.


The link below might give you some insight into what is happening. I don't use the product and there likely are others.

http://www.elcomsoft.com/aefsdr.html

Thanks. I already arrived at Elcomsoft Advanced EFS Data Recovery (AEFSDR) myself.
I installed it into the VM and, because I knew the original user password, it was able to decipher the EFS keys found in the disk image and recovered 100% of all encrypted files.

Apparently, the problem was with Microsoft EFS (Encrypting File System) and has little to do with Acronis. I learned a great deal about EFS while trying to solve this. When you move the filesystem with encrypted files to different hardware, Windows no longer considers you a legitimate owner, and refuses to decrypt those files for you, even though you authenticate yourself with a valid password, and the actual encryption keys are still present in the system and are decipherable and usable. In other words, Microsoft OS has full ability to decrypt those files in this case, but they choose to refuse to do so, which is insane if you ask me and is merely security through obscurity. It's the same as Adobe's password protection of PDF files, which is easily bypassed by non-Adobe software such as GhostScript.

Lessons learned - EFS is (kind of) evil, and file encryption and backups don't mix. Oh, and thanks to ElcomSoft for solving the problem.

As far as Acronis is concerned, technically it's not their fault; however, the value of Acronis software would be higher if it detected encrypted files when doing backups and then at least warned about the possibility of data loss, and at most offered to decipher the data. Data loss is one of the worst things that can happen to any IT business, and any technology which contributes to that (whether by action or by non-action) is perceived as unreliable.
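Added example, not part of the original posts and not Acronis or Microsoft code: a pre-backup check of the kind suggested in the post above, which lists files carrying the EFS Encrypted attribute and reports whether the current user holds an EFS certificate with a private key that can be exported alongside the backup. It assumes PowerShell 3.0 or later, run as the user who owns the files; the `$Root` parameter and the function names are hypothetical.

```powershell
param(
    [string]$Root = $env:USERPROFILE   # assumed scan root; pass the folder being backed up
)

function Get-EfsEncryptedFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    # The "Encrypt contents" checkbox sets FILE_ATTRIBUTE_ENCRYPTED (0x4000),
    # exposed in .NET as [IO.FileAttributes]::Encrypted.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

function Test-EfsEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.4.1.311.10.3.4') { return $true }
            }
        }
    }
    return $false
}

$encrypted = @(Get-EfsEncryptedFile -Path $Root)
if ($encrypted.Count -eq 0) {
    Write-Output "No EFS-encrypted files under $Root."
    return
}

Write-Warning ("{0} EFS-encrypted file(s) under {1}. Reading them after a restore needs the user's EFS private key." -f $encrypted.Count, $Root)
$encrypted | Select-Object -First 10 -ExpandProperty FullName

# Look for an exportable EFS key pair in the current user's personal store.
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-EfsEku -Cert $_) })

if ($certs.Count -eq 0) {
    Write-Warning "No EFS certificate with a private key found in Cert:\CurrentUser\My for this user."
} else {
    $certs | Select-Object Thumbprint, NotAfter, Subject
    Write-Output "Export the certificate and key to a password-protected PFX (for example with 'cipher /x') and keep it separate from the backup media."
}
```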

Dear Bert and Seekforever!

Thank you for your comments! Many thanks to Seekforever for kind assistance.

Dear Bert, thank you for your comments and understanding. We actually really have some compatibility issues with encryption of data. You can find all the information about it in this KB article.

Currently we're working on a workaround for this issue, and I must say we really appreciate your loyalty and understanding.

I'd also like to thank you for your comment regarding the encryption warning - this is a very reasonable feature. I have already forwarded your suggestion to the Product Management and Development team. They will definitely take it under consideration and check whether there's any possibility to implement this feature in future releases.

Should you have any further questions or suggestions - please, don't hesitate to share them with us, we'll be glad to address every comment!

Thank you!