
I'll start off with the assurance that I have all the EFS certs safely in hand, and that is not what I'm asking about below. Assume I have that part taken care of.

I'm trying to back up some mixed (EFS 10% / non-EFS 90%) files, but want to keep the EFS files encrypted so the backup is not a single point of failure. I found the robocopy /EFSRAW switch, but was hoping there was an archiver (tar, pkzip, winrar) that could do the same type of operation.

I imagine there is some metadata associated with EFS files beyond just their certificate. This is likely an EFS-like ACL of some sort, as best I can determine. So the fact that robocopy can pull this off on an NTFS to NTFS clone seems to imply that it's possible. An archiver would need to account for the EFS-ACL and keep track.

Here's a list of workarounds available and why they aren't what I'm after:

  1. Archive in unencrypted format - Bad since the archive could be lost with all the secrets in it.
  2. Just encrypt whole archive - Bad because 90% of my files don't need this, only the ones with the EFS attribute.
  3. Transcode EFS encryption to GPG encryption - Fair, but seems like a lot of kluge and hackish.
  4. Robocopy files to a VHD then compress it - OK, but single-file extractions would require the whole VHD to be blown up.

Not sure how popular EFS is, but I love it, and wish it had more tooling and support.

Any thoughts on a solution, since I think my previous attempts fall short?

Dan
  • Properly encrypted data, and AFAIK EFS is proper, can't be compressed (http://blogs.technet.com/b/seanearp/archive/2008/05/15/why-can-i-not-compress-and-encrypt-a-folder-in-windows.aspx), so I'd say go with the VHD. – dave_thompson_085 Apr 06 '16 at 04:51
  • @dave_thompson_085 true, but my content is mixed... 90% non-EFS, 10% EFS. I'm probably leaning towards the GPG approach. – Dan Apr 06 '16 at 04:59
