'One or More Files Are EFS-encrypted' on File-level Backup

Situation

A file-level backup plan fails with an error message similar to the one below:

2021-04-05 20:25:53,818 [SERV] [1] WARN - One or more files are EFS-encrypted

When examining the History tab of the Backup application, file upload failure records can be seen for the backup plan in question, indicating that “the backup files are encrypted”:

Cause

The files intended for backup are encrypted with the Windows-native EFS (Encrypting File System) protocol, and the service account currently in use by the Backup application does not have access permissions to those files.

Note: In some cases, it is also possible that the files with the “backup file is encrypted” warning are encrypted with neither EFS nor MSP360-provided encryption methods (see step 4 for more details).

Solution

  1. The EFS-encrypted files are usually identifiable by a small “lock” pictogram on top of their regular icon. Check the properties of the files that failed to be backed up. Press the “Advanced” button on the properties window to investigate if the option to “Encrypt contents to secure data” is enabled for the file. This is an indicator of EFS encryption:

  2. Additionally, check the “Security” and “Details” tabs in order to clarify which Windows users or groups have access to the file. Usually, the owner of the file has “Full control” permissions for it. The “Security” tab shows more granular information on this matter:

This information is necessary to determine which Windows user account is required in order to back the file up.

  3. Open the MSP360 Backup application and start the Backup Service under the Windows account that has at least “Read” and “Write” permissions for the previously failed objects. In most cases, it is a local administrator account of the machine. In the case of Active Directory domain controllers, usually, a domain administrator has the broadest permissions.

Should you decide to use the local administrator account (our recommendation), proceed to “Tools” -> “Change Service Account”, enter the local administrator account name and password, and click “OK”:

The Backup Service will be restarted automatically. Once it’s done, run the backup plan again.

In case it is not possible to use the local or domain administrator accounts and you have to stay on the default SYSTEM account (as the Backup Service account), please consider the suggestions made in this article.

  4. The MSP360 software products use our own proprietary data encryption methods based on proven algorithms in order to provide client-side encryption. As noted above, backing up the EFS-encrypted objects is possible under the service account with the permissions necessary to access the file.

However, if the objects are encrypted with third-party tools (i.e. anything except the encryption methods mentioned in this article) or natively encrypted with tools of another operating system (Linux-family OS, macOS), the MSP360 Backup software won’t be able to access and back up such objects.

In order to resolve such situations, ensure that the third-party-encrypted objects are either decrypted before the backup is attempted (if they are critical) or excluded from the backup plan (if they are not critical).
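
The checks from steps 1 and 2 can also be run across a whole backup source folder instead of file by file. The script below is an added example, not part of the MSP360 product or documentation; `C:\Data` is a placeholder path and `Get-EfsFileReport` is a hypothetical helper name. It lists every file with the EFS "Encrypted" attribute together with its owner and the accounts granted access in the NTFS ACL:

```powershell
# Added example: report EFS-encrypted files under a backup source folder,
# with the owner and the accounts that the NTFS ACL allows access to.
param(
    [string]$SourcePath = 'C:\Data'   # assumption: placeholder, use a folder from the backup plan
)

function Get-EfsFileReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        # Same flag as "Encrypt contents to secure data" in the Advanced attributes dialog
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            $file = $_
            try {
                $acl   = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
                $owner = $acl.Owner
                # Equivalent of the "Security" tab: who is allowed, and with which rights
                $allow = $acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' } |
                    ForEach-Object { '{0} ({1})' -f $_.IdentityReference, $_.FileSystemRights }
            } catch {
                # The account running the script cannot read the ACL of this file
                $owner = '<access denied>'
                $allow = @()
            }
            [pscustomobject]@{
                File      = $file.FullName
                Owner     = $owner
                AllowedTo = $allow -join '; '
            }
        }
}

# Show the account this session runs as, to compare with Owner / AllowedTo.
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Get-EfsFileReport -Path $SourcePath | Format-List
```

For a single file, `cipher /c <file>` additionally shows which users and recovery agents hold a certificate that can decrypt it.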
