Does Norton Cloud Backup work with Bitlocker and/or EFS?

I spent hours watching support try to figure out why my backup was failing only to discover on my own that several folders had EFS enabled on them. It seems Norton Backup does not support files or folders that have EFS implemented. I don’t know if first level support knows what this is. Removing EFS from the suspect folders allowed the backup to complete successfully. 
I called them back today and asked if Norton Backup works with Bitlocker. They told me, “yes”, but everything I’ve read leads me to believe otherwise. I don’t want to go turn on drive level encryption if I’m just going to run into more problems.

Can anyone confirm definitively if either of these encryption methods is designed to work with Norton Backup?

TIA
 

I ran a test and used Bitlocker to encrypt a USB drive, then created a backup set to back up the encrypted drive. The backup succeeded. I then turned on Bitlocker on my system drive and the backup succeeded! I can conclude from this that EFS does NOT work with Norton Backup, but Bitlocker does (even if the files are unencrypted by Bitlocker, they are re-encrypted by Norton on the server side, so I’ve been told).

This puts the question of what works to rest.

The follow-up question then is: will Norton Backup copy files corrupted by ransomware to a perfectly healthy backup set? If it doesn’t work with EFS, will it also not work with files encrypted by ransomware? Now that is a test I am not willing to try, but it is probably worth understanding. If ransomware-encrypted files can invade a backup set, there probably needs to be a way to protect the backup sets in order to avoid this. The scenario I imagine is that the file system is compromised and then the ransomware initiates a backup and copies all of the corrupted files into the respective backup set, thus corrupting it as well. It would be interesting to know if Norton will reject an encrypted file. It certainly doesn’t like EFS.
 

It probably makes sense to confirm this along with a way to avoid the deletion of a backup set with just the click of a button. How about a password-protected process to prevent unwanted deletions? There’s already a feature to password protect administrative features. Why not extend this feature to require the same password to delete a backup data set?

 

With TPM, the default is for Bitlocker to unlock when you sign in to the operating system. Because it is unlocked, the drive will be unencrypted and you should be able to back up any files, although the backup will also be unencrypted. I know this is documented for Macrium Reflect, but it should be true of any backup solution.

Re: TPM - it seems it’s an integral part of Bitlocker, so not sure how Bitlocker runs without it.

“TPM hardware provides a tamper-resistant way to store encryption keys on a computer. On Windows 11, 10, 8, and 7, a TPM is normally required to enable and use encryption features like BitLocker. Here's how to check whether your PC has a TPM chip, enable your TPM if it's disabled, or add a TPM chip to a PC without one.”

https://www.howtogeek.com/287737/how-to-check-if-your-computer-has-a-trusted-platform-module-tpm-chip/

The reason for my choice of EFS over Bitlocker is that I only have two folders that I consider sensitive enough to want to encrypt, vs. implementing encryption across the whole volume.

I appreciate your initial feedback.

I have reproduced the problem on Windows 10 Pro (x64). Using the same file, set the file property to encrypted (EFS implemented) on the file. Backup fails. Turn off encryption (EFS removed from file property), backup works fine.
 

It seems to me it shouldn’t require users to run experiments on this software for stuff like Bitlocker and EFS just to see if it works. As widely as these encryption methods are used, they both should be well documented and understood by first level support.

A couple of basic questions: what OS do you have installed, and does your system have TPM and is it enabled? EFS cannot use TPM, therefore if you are using Windows 11, EFS isn't possible to use with Norton. EFS is painstaking in that it is a laborious process to encrypt each file/folder. If you have full drive encryption, aka Bitlocker, enabled, the files SHOULD back up with Norton, although they will not have extensions. Please note that I HAVE NOT performed this scenario to validate. Of note, you will most definitely need to back up your BL recovery key.

https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d

Let's ask for an Admin / team member to validate. @Gayathri_R

 

SA
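
The thread above reports that items carrying the EFS attribute made the backup fail until EFS was removed. As an added example (not part of any post, and not Norton's tooling), this read-only PowerShell check lists EFS-flagged files and folders under a backup set's source folders; the function name `Find-EfsItem` and the sample paths are assumptions.

```powershell
# Added example: read-only audit for EFS-flagged items under backup source folders.
# Find-EfsItem and the sample paths are illustrative names (assumptions).
function Find-EfsItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    $efs = [System.IO.FileAttributes]::Encrypted   # NTFS attribute set by EFS, not by BitLocker
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Path not found: $root"
            continue
        }
        # Include the root itself: an EFS-flagged folder encrypts files created in it later.
        $items = @(Get-Item -LiteralPath $root -Force)
        $scanErrors = $null
        if ($items[0].PSIsContainer) {
            $items += @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable scanErrors)
        }
        foreach ($item in $items) {
            if ($item.Attributes -band $efs) {
                [pscustomobject]@{
                    Root     = $root
                    Kind     = if ($item.PSIsContainer) { 'Folder' } else { 'File' }
                    FullName = $item.FullName
                }
            }
        }
        # Unreadable folders are reported so a clean result is not mistaken for full coverage.
        foreach ($e in $scanErrors) { Write-Warning "Not scanned: $($e.TargetObject)" }
    }
}

# Sample call with placeholder paths; replace with the folders in the backup set.
$found = @(Find-EfsItem -Path "$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")
if ($found.Count -eq 0) {
    Write-Output 'No EFS-encrypted files or folders found.'
} else {
    $found | Group-Object Root | ForEach-Object {
        Write-Output ("{0}: {1} EFS item(s)" -f $_.Name, $_.Count)
    }
    $found | Sort-Object FullName | Format-Table Kind, FullName -AutoSize
}
```

The script only reads attributes and changes nothing on disk; the built-in `cipher /u /n` command gives a similar volume-wide listing of EFS-encrypted files.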