Skip to main content

 

Druva Documentation

Encryption File System (EFS) FAQs

Answers

Does inSync encrypt or decrypt user data?

Yes. inSync uses Encryption File System (EFS), a feature of Windows, to encrypt and decrypt data on your Windows laptops. For more information on how EFS works, see How EFS Works?

What does Druva recommend on encryption with EFS?

  • While enabling encryption using EFS, you must specify a data recovery agent. The data recovery agent is used to read or recover data encrypted for users who have lost their certificates.
  • You must educate users to back up their certificates and save them at a secure location.
  • If the user has lost his certificate, and if you are restoring those EFS encrypted files to the user's computer, you must restore data to a location that is different from the original location.

When you copy encrypted files on a network location do they stay encrypted?

No, the files are decrypted and saved on a network location since a network drive does not use EFS service. Check the table ahead on default encryption behavior for more information.

Under which situation would end users lose their EFS Certificate/EFS Keys?

Yes. Users can lose their private key in the following scenarios:

  • If the computer that the user is using is formatted.
  • If the operating system on the user's computer is re-installed.

In order to keep the private key safe, you must educate users to back up their user certificate. For detailed steps on how to back up the certificate, see Back up your certificate.

You must also set up EFS data recovery agent, which is used to read or recover data encrypted for users who have lost their certificates.

'I have enabled data encryption for my laptops but inSync does not encrypt them?'

The  possible causes could be one of the below:

  • EFS service may not be running on the client machine.
  • The user certificate may not be present or may be expired
  • Check the correct profile is applied to the user where you have configured encryption.
  • Check if user is inactive from the inSync Admin console.
  • The folder does not have full permissions for SYSTEM account.

If EFS certificate presented to the user is invalid or the user has lost the EFS keys, can inSync recover encrypted data?

No. inSync does not recover encrypted data if you do not have the EFS user certificate or if the user has lost the EFS keys to encrypt the data. Contact your local administrator to use recovery agent to recover data. Moreover, inSync backs up the data in an unencrypted format. Therefore, if the data becomes inaccessible due to invalid EFS keys, Druva can check the restore points for the user and restore the data. In such a case, it is ideally suggested to restore the data to a custom location. This is because if the data is restored to original location, there are chances that the restored data may get encrypted again. 

Note: Refer the following Technet article on How to recover encrypted data.

How would I come to know if the files inside the folder are encrypted?

Right-click on the target folder and go to Properties > General tab > Advanced.

Here you will see a check mark for the box “Encrypt contents to secure data”. Which means the files inside this folder are encrypted. The encrypted files will appear in green color and if the end user is on Windows 10 you would see a small lock icon appearing on the encrypted files.

Can a user B access the files encrypted by user A on the same machine?

No. Assuming the target folder is encrypted by user A’s EFS certificate, user B will not be authorized to be accessed the files. User B will require to present  EFS certificate of User A to gain access to the files.

Does inSync encrypt file automatically or uses any other source to encrypt the files?

Encryption is a Windows feature and is completely handled by the underlying OS. When encryption is enabled in inSync via Profile (DLP > Encryption), inSync sets up the flag during backup to encrypt the files after the file is backed up. This flag is entertained by the underlying OS and hence the files are encrypted.

What happens if the encryption fails? Does inSync generates any alert for this?

With inSync Cloud (v5.7) and  inSync On-Premise (v5.8), Druva has introduced Endpoint Encryption alert. In case the encryption fails, the Administrator would receive an alert email for the same. By default, all Server Administrators are subscribed to this alert.

Default encryption behavior

The below table explains the default behavior for encryption when a file is manually copied from one location to another.

Source Destination Output Remarks
Local machine Local machine (same location). Files will be in encrypted format. Provided the file system of the machine is intact and EFS service is working properly.
Local machine to different location on same drive. Files will be copied in encrypted format. Provided the file system of the machine is intact and EFS service is working properly.
Local machine to different drive. Files will be copied in encrypted format. Provided the file system of the machine is intact and EFS service is working properly.
Local machine Remote machine on the different domain. Files will be copied in decrypted format. Destination cannot retrieve user’s EFS certificates hence files are copied in decrypted format.
Remote machine on the same domain. Files will be copied in encrypted format. Since machines are on same Domain, EFS operation would impersonate the user by using Kerberos delegation to encrypt / decrypt files or folder on network share.
Local machine Removable media (NTFS format). Files will be in encrypted format but will not be accessible on other machine with same removable drive. This is because the other machine does not has user’s EFS certificate.
Removable media (FAT / FAT32). Files will not be copied. Encryption is not supported by FAT/FAT 32 file system.
Local machine Network drive. Files will be copied in decrypted format. Destination cannot retrieve user’s EFS certificates hence files are copied in decrypted format.
Outlook (local machine). Files will be attached to the outlook email decrypted. Assuming the user certificate or encryption key is valid.

For more information, see Using Encryption File System article. 

  • Was this article helpful?