Ntbackup and EFS - unencrypt before backup???

Jerry Baker

I have a nightly backup operation that backs up my email. The directory
containing my email is encrypted via EFS. When ntbackup runs, it stores
the files in the BKF archive in their encrypted format. This makes it
impossible to compress the backup (encrypted data is essentially random
data which doesn't compress). Is there some way to make ntbackup store
the files unencrypted other than having to unencrypt, backup, then
re-encrypt a gigabyte of data every night?
 
Guest

Hey Jerry,

First realize that EFS is an NTFS file system attribute. You cannot compress
and encrypt your files at the same time. I would suggest that you run the
2003 version of cipher.exe in a script to decrypt the files before backing
the files up and then re-encrypting them (you can get cipher.exe from the
download site). For this to work, run the script and cipher under a
context that has access to the EFS Public\Private key. Normally this is a
user and the certificate and private key are held in their profile. (See
article on DPAPI 309408). You could however import the certificate (public
key) and private key into the Local Machine personal store if you want the
script to run under the Local System context. Naturally you have to be a
Local Admin to do this. Hope this helps.

Coleman Craig
Microsoft Support
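
The decrypt, back up, re-encrypt sequence suggested in the reply above, written out as an added example that is not part of the original thread. The paths and job name are placeholders, and it assumes the script runs as the account that holds the EFS certificate and private key.

```batch
@echo off
rem Added example, not from the thread. Paths and the job name are placeholders.
rem Assumes it runs as the account that holds the EFS certificate and private
rem key, and that cipher.exe and ntbackup.exe return non-zero on failure.
setlocal
set "MAILDIR=D:\Mail"
set "BKF=E:\Backup\mail.bkf"
set "LOG=E:\Backup\mail-backup.log"
set "RC=1"

echo %DATE% %TIME% backup start >> "%LOG%"

rem 1. Decrypt the folder and its contents (/S recurses, /A includes files).
cipher /D /A /S:"%MAILDIR%" >> "%LOG%" 2>&1
if errorlevel 1 (
    echo decrypt failed, backup skipped >> "%LOG%"
    goto reencrypt
)

rem 2. Back up the plaintext files; start /wait blocks until ntbackup exits.
start "" /wait ntbackup backup "%MAILDIR%" /J "Mail nightly" /F "%BKF%"
set "RC=%ERRORLEVEL%"
echo ntbackup exit code %RC% >> "%LOG%"

:reencrypt
rem 3. Re-encrypt on every path so a failed step never leaves the mail in plaintext.
cipher /E /A /S:"%MAILDIR%" >> "%LOG%" 2>&1
if errorlevel 1 (
    echo RE-ENCRYPT FAILED, files may be unprotected >> "%LOG%"
    exit /b 2
)
exit /b %RC%
```

The BKF produced this way holds the mail in plaintext, so the archive and wherever it is stored need their own protection.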
 
Jerry Baker

First, let me thank you for your response. I do not want to compress the
backup using the NTFS compress attribute. It is a very inefficient
compression algorithm. I want to compress the BKF file using 7-zip. The
problem is that the files are stored inside the BKF as cipher data.
Cipher data cannot be compressed. I wanted to be able to tell ntbackup
to unencrypt the file stream as it was using shadow copy to create the
backup. Unencrypting and re-encrypting a gigabyte of data every night
scares me. The whole backup process got started because the $bitmap on
my D: drive got corrupted and I lost a lot of files. I suspect that the
cause was EFS, but I have no way to recreate the problem.

On a side note, I have a lot of those files still. They still exist in
their encrypted state, but NTFS does not recognize them as encrypted so
they are just gibberish. I don't know how to "reset" the flag that
causes NTFS to know that these files are encrypted.
 
