Backup/restore of encrypted data on laptop

  • Question

  • I can successfully back up and restore data from/to my laptop with WHS.  However, if I restore individual files from the laptop backup to an alternate location via another PC, I just get garbage in the files.

    I'm 95% sure that this is being caused by the encryption software that is on the laptop (Credant Data Protection).  While the ability to restore files from the laptop backup back to the laptop is great and has saved my bacon a few times, I'm concerned about the ability to do a full restore in the event of a drive failure on the laptop or restore all the files in the event the laptop is lost.

    Does anyone see any possible solutions for this?

    Thanks.
    Saturday, July 11, 2009 3:32 PM

All replies

  • It's going to depend a lot on the capabilities of the encryption software. First, though, if you do a single file restore to an alternate location using the same laptop the file is on now, what happens? Can that laptop read the restored file? Can another PC? Can the laptop read the file if restored by another PC?

    Also, since the most likely restore scenario is really a failed hard drive, there's something that you might want to try:
    • Obtain another hard drive for your laptop, one at least as large as the drive in it now.
    • Connect that drive to some other computer joined to your server.
    • Run C:\Program Files\Windows Home Server\ClientRestoreWizard.exe (this is the same thing as running the Restore CD, except hosted in a full Windows environment) and restore the most recent backup of the laptop.
    • Replace the hard drive, and see if the laptop boots. Then see if you can access the encrypted files.

    I'm not on the WHS team, I just post a lot. :)
    Saturday, July 11, 2009 9:01 PM
    Moderator
  • Thanks for the reply.  I tested the scenarios you asked about:

    if you do a single file restore to an alternate location using the same laptop the file is on now, what happens?

    Can that laptop read the restored file? Yes.
    Can another PC? No.
    Can the laptop read the file if restored by another PC? No.

    The laptop decrypts the files on the fly when they're copied to another location, included in an email, etc.  So, I'm guessing that the "copy" action of dragging the files from the restore window to the alternate location decrypts them.  When I copy them from the restore window to any location using another PC, the decryption doesn't take place, so neither the "other" PC nor the original laptop can read them.

    I'll work on getting another HD to test your other suggestion.  Do the results of this first test lead you to any other suggestions for restoring files if the laptop is lost/dead?

    For the time being, I've been copying the files in "my documents" over to a WHS share - these are readable to everyone since the laptop decrypts them while copying.  It works, but it's killing me that it's such a sad solution. :)

    Thanks.
    Sunday, July 12, 2009 12:20 AM
  • ...
    Do the results of this first test lead you to any other suggestions for restoring files if the laptop is lost/dead?
    ...
    Not really. The goal was to more fully explore the limits of your current situation. My best guess at this point is that the encryption software you're using functions at a fairly high level in the file system filter stack, and the Windows Home Server backup functions at a lower level, so Windows Home Server backup gets the files (the clusters of data, really) in their encrypted state.
    ...
    It works, but it's killing me that it's such a sad solution. :)
    ...
    Switch to BitLocker instead? At least then your files will be readable after a restore. They will, however, be backed up in the unencrypted state. You could also check with the software vendor about the situation. They may have suggestions or alternatives for you to try.

    I'm not on the WHS team, I just post a lot. :)
    Sunday, July 12, 2009 3:31 AM
    Moderator
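
    An added example, not part of the original thread: one way to test whether a backup holds files in their encrypted state is to hash them on the laptop (where they are read decrypted) and check the copies restored on another PC against that manifest. The function names, the 7.5 bits/byte entropy threshold and the sample data (random bytes standing in for a file restored as ciphertext) are assumptions made for this illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Run on the laptop: hashes files as applications see them (decrypted)."""
    manifest = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            manifest[os.path.relpath(p, root)] = sha256_file(p)
    return manifest

def entropy(path, limit=65536):
    """Shannon entropy (bits per byte) of the first `limit` bytes of a file."""
    with open(path, "rb") as f:
        data = f.read(limit)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_restore(manifest, restored_root, threshold=7.5):
    """Run on the other PC against files restored from the backup."""
    report = {"ok": [], "missing": [], "likely_ciphertext": [], "changed": []}
    for rel, digest in sorted(manifest.items()):
        p = os.path.join(restored_root, rel)
        if not os.path.isfile(p):
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        elif entropy(p) >= threshold:  # heuristic: near-random bytes
            report["likely_ciphertext"].append(rel)
        else:
            report["changed"].append(rel)
    return report

def demo():
    """Constructed sample: one file restores cleanly, one comes back as random bytes."""
    plain = b"quarterly figures, plain text\n" * 200
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name in ("notes.txt", "budget.csv"):
            with open(os.path.join(src, name), "wb") as f:
                f.write(plain)
        manifest = build_manifest(src)
        for name, data in (("notes.txt", plain), ("budget.csv", os.urandom(6000))):
            with open(os.path.join(dst, name), "wb") as f:
                f.write(data)
        return verify_restore(manifest, dst)
```

    Compressed formats such as ZIP or JPEG are also high-entropy, so a file of that kind that simply changed after the manifest was taken can land in `likely_ciphertext`; the hash mismatch is the reliable signal and the entropy label is only a hint.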
  • I finally got another HD to try in this laptop. I did a full restore to the HD using another PC, then I swapped out the existing HD in the laptop with the newly restored one. (the original was 40G, the new one was 160G)

    When I fired up the laptop, I got an ERR2ERR3 on the screen and that's it.  A little googling revealed that has something to do with not being able to read a partition.

    I'm going to try restoring to the laptop with the 160G installed, using the reinstall CD and see if that works any better (hope it is faster than the first time - that was over 5 hours!)


    Monday, August 31, 2009 10:32 PM
  • Quite honestly this is one of the most insane questions I've ever heard in regards to security.  According to your scenario you are using some kind of local account or system account to back up encrypted files off of a PC, i.e. not as an active domain user of the machine.  And you expect that you would be able to just grab individual encrypted files off of that machine, move them to some other random machine and be able to read them?!  You're actually looking to protect your data, right?  Any encryption product that would allow that process to actually work should be thrown right out the door.

    I have been a Credant customer for a few years and have been incredibly impressed with their ability to protect data against both laptop theft as well as unauthorized internal access to the data.  With that as the baseline I know exactly why you can't do what you are trying to do and exactly what the remedy is.  Rather than just trying to blindly hack around at a solution and figure it out by yourself, why don't you take 3 minutes to reach out to your Credant contact or someone in your company that is trained in the product and ask them how to do this. 

    silly...

    Saturday, October 10, 2009 5:57 PM
  • Thanks for the abuse - I should have checked with you first...silly.
    Tuesday, March 23, 2010 5:16 PM