Pains with EFS and Network Destinations

A few months ago, I blogged about an annoying anomaly in the handling of EFS-encrypted files. In my case, copying an EFS-encrypted file fails when the destination is a location where the source system cannot encrypt it (e.g. a file share). My colleague Helge Klein has apparently uncovered the cause: CopyFile(Ex).

Although his motivation for the article is the fact that an EFS-encrypted file is always copied unencrypted over the network, he describes that CopyFileEx accepts a flag (COPY_FILE_ALLOW_DECRYPTED_DESTINATION) that allows the copy to a destination where the file cannot be encrypted; the file then remains unencrypted there.

In my case this means that the authors of many backup tools do not seem to be aware of the existence of this flag. And I have tested at least a dozen of them.

My earlier article contains a plea to Microsoft to solve this issue. But I must admit that the plea should also go out to the developers of backup tools to include a configurable option to force CopyFileEx to allow for unencrypted files in the destination directory.

Pretty please … with sugar on top!
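What such a configurable option could look like, as an added example that is not code from this post or from Helge Klein's article: a PowerShell wrapper that calls CopyFileEx through P/Invoke and sets COPY_FILE_ALLOW_DECRYPTED_DESTINATION only on request. The function name `Copy-EfsAwareFile`, its parameters and the warning text are hypothetical; because the flag leaves a plaintext copy at the destination, the wrapper keeps it off by default and reports when EFS protection was dropped.

```powershell
# Added example, not from the original post. Copy-EfsAwareFile and its
# parameters are hypothetical names; only CopyFileEx and the flag are real.
Add-Type -Namespace Win32Efs -Name NativeCopy -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CopyFileEx(string lpExistingFileName,
    string lpNewFileName, IntPtr lpProgressRoutine, IntPtr lpData,
    IntPtr pbCancel, uint dwCopyFlags);
'@

$COPY_FILE_ALLOW_DECRYPTED_DESTINATION = 0x00000008   # value from WinBase.h

function Copy-EfsAwareFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination,   # target file name, not a folder
        [switch] $AllowDecryptedDestination             # the configurable option, off by default
    )
    # CopyFileEx resolves relative paths against the process directory, not the
    # PowerShell location, so pass full file-system paths.
    $src = (Resolve-Path -LiteralPath $Source).ProviderPath
    $dst = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)

    $flags = 0
    if ($AllowDecryptedDestination) { $flags = $COPY_FILE_ALLOW_DECRYPTED_DESTINATION }

    $z  = [IntPtr]::Zero   # no progress callback, no callback data, no cancel flag
    $ok = [Win32Efs.NativeCopy]::CopyFileEx($src, $dst, $z, $z, $z, [uint32]$flags)
    if (-not $ok) {
        # Surface the Win32 error instead of failing silently.
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw [ComponentModel.Win32Exception]::new($code)
    }

    # Record whether the copy lost its EFS protection so the backup log shows it.
    $enc = [IO.FileAttributes]::Encrypted
    $srcEncrypted = ((Get-Item -LiteralPath $src -Force).Attributes -band $enc) -ne 0
    $dstEncrypted = ((Get-Item -LiteralPath $dst -Force).Attributes -band $enc) -ne 0
    if ($srcEncrypted -and -not $dstEncrypted) {
        Write-Warning "EFS protection lost: '$dst' is stored unencrypted."
    }
    [pscustomobject]@{
        Source               = $src
        Destination          = $dst
        SourceEncrypted      = $srcEncrypted
        DestinationEncrypted = $dstEncrypted
    }
}
```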
