Laptop Backup: Backup Dedupe and Encryption
Posted by Puneesh Chaudhry on Mon, May 09, 2011 @ 01:04 PM
We often get asked how Copiun deduplication works with the various encryption technologies that are prevalent on enterprise laptops and desktops, so I decided to write a post about it. This post is part of an overall series on backup deduplication and PC or laptop backup, which can be accessed here.
As a refresher, there are three types of encryption technology on Windows-based laptops:
a) Drive level: e.g. BitLocker, McAfee Safeboot, Credant etc. These technologies encrypt the laptop hard drive in such a way that a correct password must be entered before the PC will even boot. Accessing the hard drive directly by attaching it to another system doesn’t work because all data is encrypted. For a comparison of various disk based encryption methods, see here.
b) Encrypted File System (EFS): With this technology, one or more files or folders on a user’s PC are encrypted with the user’s certificate, such that only that user can access their data. This means that even the system administrator cannot access the user’s data. The user, on the other hand, can access their EFS-encrypted data directly as if they were accessing unencrypted data – as long as they are logged in with their credentials.
c) Password protected files: The third type of encryption is when someone sets a document-level password, e.g. in a Word or Excel file. The document is then stored encrypted using the password, and even the user must enter their password every time they open the document. See here for instructions.
Copiun can back up all three types of data without any issues, but the deduplication efficiency varies with the encryption type. As much as possible, Copiun performs object-based deduplication, which requires the Copiun software to be able to read the document in its native format. If the software cannot read the file in its native format, it falls back to less efficient deduplication methods such as file or block level deduplication.
a) Drive level and EFS encryption: full deduplication efficiency. Since Copiun runs as the user itself, it can read the encrypted data in its original format (i.e. un-encrypted) and as a result is able to achieve full deduplication efficiency for both drive level and EFS encryption.
b) Password protected files: For password protected files, Copiun provides block and file-level deduplication, because it doesn’t have access to un-encrypted data without the document level password.
Many laptop backup products that run as a Windows service cannot perform block deduplication for files and folders protected with Windows EFS encryption. This is because only the user whose certificate was used for backup can read EFS files in their native format; administrator and local system accounts don’t have access to those files. This means that if a document is stored on one machine in an EFS folder, chances are you won’t be able to find duplicate copies of that document on other machines. As you evaluate different solutions for laptop backup, make sure you understand the user account under which backups are performed so you can understand the deduplication efficiency you’re likely to get.
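The effect described above can be reproduced with a small simulation. This is an added example, not Copiun code: `toy_encrypt` is a stand-in keystream cipher rather than EFS, and the 4 KiB block size, the per-user keys and the sample document are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed fixed block size of the dedupe store


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for per-user file encryption (NOT EFS): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def dedupe(copies):
    """Hash every fixed-size block; return (blocks_seen, unique_blocks_stored)."""
    store, seen = set(), 0
    for data in copies:
        for off in range(0, len(data), BLOCK):
            store.add(hashlib.sha256(data[off:off + BLOCK]).digest())
            seen += 1
    return seen, len(store)


def simulate(agent_runs_as_user: bool, machines: int = 3, blocks: int = 8):
    # Constructed sample document: `blocks` distinct 4 KiB blocks.
    document = b"".join(hashlib.sha256(bytes([i])).digest() * (BLOCK // 32)
                        for i in range(blocks))
    copies = []
    for m in range(machines):
        user_key = hashlib.sha256(b"constructed-user-key-%d" % m).digest()
        on_disk = toy_encrypt(document, user_key)  # what sits in the encrypted folder
        if agent_runs_as_user:
            # The OS decrypts transparently for the owning user.
            copies.append(toy_encrypt(on_disk, user_key))
        else:
            # Assumption: a service account only gets the encrypted bytes.
            copies.append(on_disk)
    return dedupe(copies)


if __name__ == "__main__":
    for as_user in (True, False):
        seen, stored = simulate(as_user)
        print(f"agent_runs_as_user={as_user}: {seen} blocks seen, {stored} stored")
```

With the same document on three machines, the agent running as the user stores each block once, while the agent that only sees per-user ciphertext stores every block from every machine.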