File Encryption : how I tricked myself

PhilEthicus

Hi,
I think that there is no solution to my problem. However, I would like
to warn other users. Here is what happened to me:
1/
- HDD partitioned in two: C: and D:, the first bearing system and all
SW, the latter bearing all data.
- C: ghosted in case I need recovery

2/ one folder with sensitive data encrypted on D: after C was ghosted
3/ XP becomes unstable and I retrieved C: from the ghost image
4/ as a result access denied to all my encrypted files

Of course, in a way (windows way?) this is logical. It is a pity that
I had not the idea to encrypt before ghosting (or saved the keys after
ghosting)

Hope this will help others to fool themselves
 
Vanguard

Sounds more like you don't know the difference between a logical and
physical partition image.

Logical file images read through the file system to save files which are
collated into an "image" file. It really isn't an image but instead
just another method to do logical file backups. Hopefully your ghosting
app that saves these logical image files knows how to use the Volume
Shadow Service (VSS) so in-use files can be read and a static set of
files is saved so they are all in sync with each other. Acronis
TrueImage Home reads through the file system so what it saves are
logical images, plus TI Home does *not* support VSS so there are
problems saving in-use or locked files. When restoring this logical file
image, the OS doesn't exist yet (because it, too, is being restored) so
it can't be used to read the encrypted files in the "image" file. The
EFS certificate hasn't been restored yet into the OS and is another
reason the encrypted files cannot be read from the "image" file. Norton
Ghost defaults to saving logical images so you'll run into the same
problem using that product. You have to use a switch to tell Ghost to
do a *physical* partition image.

A physical partition image reads the partition sector by sector. It
doesn't go through whatever file system is employed by whatever
operating system in that partition. It just reads sectors.
PartitionImage did physical images. It had the feature that it could
read through recognized file systems in that partition to see which
sectors were not allocated and wouldn't bother to include those in the
image file. Restoring a physical image then restores the contents of
each sector and has nothing to do with whatever OS or file system is
used in that partition. You can save the entire partition by saving all
sectors of the partition but the unused sectors are superfluous as they
won't be assigned in the file system that eventually gets used when you
start the OS in that restored partition. Since the partition was saved
sector-by-sector and restored the same way, the OS will be set up exactly
as it was before and that includes the EFS certificate. The files in
the image that were encrypted will still be encrypted - because files
weren't read from the physical image. Sector contents were read.

A physical image is the only way to get back EXACTLY what was there
before. They read and write sectors. Logical images read and write
files. Norton Ghost used to default to saving logical images unless you
specified a switch to make it save physical images (but which were as
large as the partition because it didn't skip sectors that weren't
allocated in the recognized file system). I haven't used Norton Ghost
after they replaced their engine after buying Powerquest and using their
PartitionImage engine. Acronis TrueImage lets you decide on doing
logical file backups or to save partition images; however, it looks
like their "image" file is a logical image rather than a physical one.
Because TI Home doesn't use VSS (unless you pay more for their
workstation version) so they can get a static list of files (and their
sectors) they don't require a reboot to load their backup program to
then save a static copy of the partition is why I suspect they really
don't do a physical sector-by-sector backup into an image file. In
fact, when you attempt to save a partition (rather than files), you are
offered the choice of full, incremental, or differential modes but those
don't apply if you are saving every allocated sector within a partition
for a *physical* image. The concept of changed content doesn't apply
at the sector level. Either you save the sector in its entirety or you
don't, and you can't do that if the operating system is still running in
the partition for which you want to save an image (i.e., the contents of
the sectors cannot be changing).

Acronis' workstation and server versions of True Image claim that they
support sector-by-sector (physical) images but not their Home version
(which doesn't even support VSS); read
http://www.wilderssecurity.com/showthread.php?t=97549 (I have version 10
of TI Home and still see no option to force sector-by-sector copying).
Since Symantec bought Powerquest whose PartitionImage did save physical
images, maybe you need to specify an option to switch from logical to
physical images (as you had to do when using Norton's old pre-version 9
engine). I haven't tried Norton Ghost after they got PartitionImage to
know if Ghost really saves sector-by-sector (by default or option). It
looks like they save sector-by-sector (i.e., their "drive backup"
option) but include the file system so it is also possible to yank
individual files out of the image by using the saved file system to
determine which sectors are used by that file. Unless a physical
sector-by-sector image of a partition requires a reboot so that
partition is guaranteed to be in stasis, I wouldn't trust the image to
restore exactly what was there before.

Logical images might get back a partition that is just as usable (or
unusable) as before but a file-by-file restore is not the same as a
sector-by-sector restore, as you noticed when the EFS certificate wasn't
available in the yet-to-be-restored operating system to decrypt the
files that are *read* from that image (rather than retrieve the sectors
for them).

Look at using TrueCrypt if you want encrypted files (files within the
encrypted volume) to survive a logical image restore. EFS encrypted
files will survive a physical image restore.
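
An added example, not part of either post: a PowerShell check to run before restoring a system image, which flags EFS keys created after the image was written (the situation in the first post) and exports every EFS certificate with its private key to a PFX file. It assumes Windows 8 / Server 2012 or later for `Export-PfxCertificate`; `$ImagePath`, `$BackupDir` and `$DataRoot` are hypothetical parameters, and the backup folder should not be on the system volume.

```powershell
# Added example. Assumes Windows 8 / Server 2012 or later (Export-PfxCertificate).
param(
    [Parameter(Mandatory)] [string] $ImagePath,   # hypothetical: image file of C:
    [Parameter(Mandatory)] [string] $BackupDir,   # hypothetical: folder NOT on C:
    [string] $DataRoot = 'D:\'                    # data volume, as in the thread
)

$efsOid    = '1.3.6.1.4.1.311.10.3.4'             # Encrypting File System EKU
$imageTime = (Get-Item -LiteralPath $ImagePath).LastWriteTime

# EFS certificates in the current user's store that still have a private key.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
})

# Files on the data volume that carry the NTFS "Encrypted" attribute.
$encFiles = @(Get-ChildItem -LiteralPath $DataRoot -Recurse -File `
    -Attributes Encrypted -ErrorAction SilentlyContinue)

"{0} EFS-encrypted file(s) under {1}" -f $encFiles.Count, $DataRoot

if ($encFiles.Count -gt 0 -and $efsCerts.Count -eq 0) {
    Write-Warning 'Encrypted files exist but this profile holds no EFS private key.'
    return
}

# Heuristic: a certificate issued after the image was written is not inside
# that image, so restoring the image discards the only copy of its key.
$atRisk = @($efsCerts | Where-Object { $_.NotBefore -gt $imageTime })
foreach ($c in $atRisk) {
    Write-Warning ("Key {0} (created {1}) is newer than the image ({2})" -f `
        $c.Thumbprint, $c.NotBefore, $imageTime)
}

# Export every EFS certificate with its private key to a password-protected PFX.
if ($efsCerts.Count -gt 0) {
    $pw = Read-Host -AsSecureString 'Password for the PFX backups'
    foreach ($c in $efsCerts) {
        $out = Join-Path $BackupDir ("efs-{0}.pfx" -f $c.Thumbprint)
        Export-PfxCertificate -Cert $c -FilePath $out -Password $pw | Out-Null
        "Exported $out"
    }
}
```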
 
