Re: File Encryption : how I tricked myself
- From: "Vanguard" <no@xxxxxxxxxxxx>
- Date: Sat, 14 Jul 2007 14:24:31 -0500
"PhilEthicus" wrote in message news:1184418162.877855.126490@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
hi,
I think that there is no solution to my problem. However, I would like
to warn other users. Here is what happened to me:
1/
- HDD partitioned in two: C: and D:, the first bearing system and all
SW, the latter bearing all data.
- C: ghosted in case I need recovery
2/ one folder with sensitive data encrypted on D: after C was ghosted
3/ XP becomes unstable and I retrieved C: from the ghost image
4/ as a result access denied to all my encrypted files
Of course, in a way (Windows way?) this is logical. It is a pity that
I had not had the idea to encrypt before ghosting (or saved the keys after
ghosting).
Hope this will help others not to fool themselves.
Sounds more like you don't know the difference between a logical and physical partition image.
Logical file images read through the file system to save files which are collated into an "image" file. It really isn't an image but instead just another method to do logical file backups. Hopefully your ghosting app that saves these logical image files knows how to use the Volume Shadow Service (VSS) so in-use files can be read and a static set of files is saved so they are all in sync with each other. Acronis TrueImage Home reads through the file system so what it saves are logical images, plus TI Home does *not* support VSS so there are problems saving in-use or locked files. When restoring this logical file image, the OS doesn't exist yet (because it, too, is being restored) so it can't be used to read the encrypted files in the "image" file. The EFS certificate hasn't been restored yet into the OS and is another reason the encrypted files cannot be read from the "image" file. Norton Ghost defaults to saving logical images so you'll run into the same problem using that product. You have to use a switch to tell Ghost to do a *physical* partition image.
A physical partition image reads the partition sector by sector. It doesn't go through whatever file system is employed by whatever operating system in that partition. It just reads sectors. PartitionImage did physical images. It had the feature that it could read through recognized file systems in that partition to see which sectors were not allocated and wouldn't bother to include those in the image file. Restoring a physical image then restores the contents of each sector and has nothing to do with whatever OS or file system is used in that partition. You can save the entire partition by saving all sectors of the partition but the unused sectors are superfluous as they won't be assigned in the file system that eventually gets used when you start the OS in that restored partition. Since the partition was saved sector-by-sector and restored the same way, the OS will be set up exactly as it was before and that includes the EFS certificate. The files in the image that were encrypted will still be encrypted - because files weren't read from the physical image. Sector contents were read.
A physical image is the only way to get back EXACTLY what was there before. They read and write sectors. Logical images read and write files. Norton Ghost used to default to saving logical images unless you specified a switch to make it save physical images (but which were as large as the partition because it didn't skip sectors that weren't allocated in the recognized file system). I haven't used Norton Ghost after they replaced their engine after buying Powerquest and using their PartitionImage engine. Acronis TrueImage lets you decide on doing logical file backups or to save partition images; however, it looks like their "image" file is a logical image rather than a physical one. That TI Home doesn't use VSS (unless you pay more for their workstation version) so they can get a static list of files (and their sectors), and that they don't require a reboot to load their backup program to then save a static copy of the partition, is why I suspect they really don't do a physical sector-by-sector backup into an image file. In fact, when you attempt to save a partition (rather than files), you are offered the choice of full, incremental, or differential modes but those don't apply if you are saving every allocated sector within a partition for a *physical* image. The concept of changed content doesn't apply at the sector level. Either you save the sector in its entirety or you don't, and you can't do that if the operating system is still running in the partition for which you want to save an image (i.e., the contents of the sectors cannot be changing).
Acronis' workstation and server versions of True Image claim that they support sector-by-sector (physical) images but not their Home version (which doesn't even support VSS); read http://www.wilderssecurity.com/showthread.php?t=97549 (I have version 10 of TI Home and still see no option to force sector-by-sector copying). Since Symantec bought Powerquest whose PartitionImage did save physical images, maybe you need to specify an option to switch from logical to physical images (as you had to do when using Norton's old pre-version 9 engine). I haven't tried Norton Ghost after they got PartitionImage to know if Ghost really saves sector-by-sector (by default or option). It looks like they save sector-by-sector (i.e., their "drive backup" option) but include the file system so it is also possible to yank individual files out of the image by using the saved file system to determine which sectors are used by that file. Unless a physical sector-by-sector image of a partition requires a reboot so that partition is guaranteed to be in stasis, I wouldn't trust the image to restore exactly what was there before.
Logical images might get back a partition that is just as usable (or unusable) as before but a file-by-file restore is not the same as a sector-by-sector restore, as you noticed when the EFS certificate wasn't available in the yet-to-be-restored operating system to decrypt the files that are *read* from that image (rather than retrieve the sectors for them).
Look at using TrueCrypt if you want encrypted files (files within the encrypted volume) to survive a logical image restore. EFS encrypted files will survive a physical image restore.
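A defender-side pre-imaging check for the scenario in this thread, added here as an example and not part of either poster's message: it inventories the EFS-encrypted files on the data volume (the files a file-level restore will no longer be able to open) and exports the current user's EFS certificate and private key with the real `cipher /x` switch so they can be re-imported after a logical image restore. The paths `D:\` and `E:\efs-backup` and the `$DataRoot`/`$BackupDir` parameter names are assumptions for illustration.

```powershell
# Added example (not from the original thread). Run as the user who encrypted the files,
# BEFORE taking a logical (file-level) image of C:. Requires cipher.exe (XP SP2 and later).
param(
    [string]$DataRoot  = 'D:\',            # assumed data volume holding the EFS folder
    [string]$BackupDir = 'E:\efs-backup'   # assumed removable/external location, not on C: or D:
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Enumerate every file carrying the Encrypted attribute. A logical image stores these
#    as files, so after a restore they are only readable if the EFS key is present.
$encrypted = @(Get-ChildItem -Path $DataRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

Write-Host ("{0} EFS-encrypted file(s) found under {1}" -f $encrypted.Count, $DataRoot)

# Keep an inventory so you can verify, after a restore, that each file opens again.
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $BackupDir 'efs-inventory.csv') -NoTypeInformation

# 2. Export the user's EFS certificate and private key to a password-protected PFX.
#    'cipher /x <basename>' writes <basename>.pfx and prompts for the PFX password.
$keyBase = Join-Path $BackupDir 'efs-key'
cipher.exe /x $keyBase

# 3. Sanity check: the key backup must exist and must not predate the newest encrypted file,
#    otherwise a file encrypted after the last backup may use a key you did not save.
$pfx = Get-Item -Path ($keyBase + '.pfx') -ErrorAction Stop
if ($encrypted.Count -gt 0) {
    $newest = ($encrypted | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
    if ($pfx.LastWriteTime -lt $newest) {
        Write-Warning "EFS key backup $($pfx.FullName) is older than the newest encrypted file; re-run the export."
    } else {
        Write-Host "EFS key backup written to $($pfx.FullName); store it off the imaged volumes."
    }
}
```

After a logical restore, importing the PFX into the user's personal certificate store (certutil or the Certificates MMC snap-in) restores access to the files listed in the inventory.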