
Windows EFS and Enterprise Vault FSA

tmurray1
Level 5

Hello. Our business rules are such that we are running FSA copy and reset. We are not using placeholders, not shortcutting and the FSA agent is not loaded on the file servers. The vault store partitions are on Centera. We use Discovery Accelerator for discovery. If documents are encrypted at the time the FSA task archives the item, are they first decrypted so that they can be indexed then encrypted and placed on Centera?

Thank you.

1 ACCEPTED SOLUTION

GabeV
Level 6
Employee Accredited

Hello tmurray1,

Enterprise Vault does archiving of EFS. However, you need to perform some additional steps (HOWTO57224):

To use FSA with the Windows Encrypting File System (EFS):

  1. Configure the Vault Service account as an EFS recovery agent for the domain.

  2. Enable the file server and the Enterprise Vault server as remote servers for file encryption or decryption. See the following Microsoft Technet article:

     http://technet.microsoft.com/en-us/library/cc757963.asp

     Set up the remote server delegation as follows:

     • With the file server selected as the remote server, trust it for delegation to the CIFS service and the Protected Storage service on the Enterprise Vault server and the Active Directory (certification authority) server.

     • With the Enterprise Vault server selected as the remote server, trust it for delegation to the CIFS service and the Protected Storage service on the file server and the Active Directory (certification authority) server.

Take a look at this how-to:

Using FSA with the Windows Encrypting File System (EFS)
http://www.symantec.com/docs/HOWTO57224

I hope this helps.
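
An added example, not part of the original post or the Symantec how-to: a PowerShell check that the delegation in step 2 is in place and constrained to the two services listed. The host names FS01, EV01 and CA01 and the sample file path are assumptions, and the script needs the ActiveDirectory module (RSAT).

```powershell
# Added example: audits the constrained delegation described in step 2.
# Host names below are hypothetical placeholders; replace with your own.
Import-Module ActiveDirectory

$FileServer = 'FS01'   # assumption: file server computer account
$EvServer   = 'EV01'   # assumption: Enterprise Vault server
$CaServer   = 'CA01'   # assumption: AD certification authority server

function Test-EfsDelegation {
    param(
        [Parameter(Mandatory)] [string]   $Name,     # server being trusted
        [Parameter(Mandatory)] [string[]] $Targets   # servers it delegates to
    )
    $computer = Get-ADComputer -Identity $Name `
        -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation
    # SPNs this account may delegate to (empty when nothing is configured)
    $allowed = @($computer.'msDS-AllowedToDelegateTo')

    foreach ($target in $Targets) {
        foreach ($service in 'cifs', 'protectedstorage') {
            # Accept the short name or an FQDN: cifs/EV01 or cifs/EV01.example.com
            $pattern = '^{0}/{1}(\.|$)' -f $service, [regex]::Escape($target)
            [pscustomobject]@{
                Server        = $Name
                DelegatesTo   = "$service/$target"
                Present       = [bool]($allowed -match $pattern)
                # True means "trust for delegation to any service", which is
                # broader than the how-to requires and should be reviewed.
                Unconstrained = [bool]$computer.TrustedForDelegation
            }
        }
    }
}

$report  = @(Test-EfsDelegation -Name $FileServer -Targets $EvServer, $CaServer)
$report += @(Test-EfsDelegation -Name $EvServer   -Targets $FileServer, $CaServer)
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Present }
if ($missing) { Write-Warning "Missing delegation entries: $($missing.DelegatesTo -join ', ')" }
if ($report | Where-Object Unconstrained) {
    Write-Warning 'At least one server is trusted for unconstrained delegation.'
}

# Step 1 check: list who can decrypt a test file, including recovery certificates.
# The path is a hypothetical, already EFS-encrypted test file on the share.
cipher /c '\\FS01\share\efs-test\sample.docx'
```

The Vault Service account's certificate should appear under the recovery certificates in the `cipher /c` output for files encrypted after the recovery policy was applied.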


4 REPLIES

AndrewB
Moderator
Partner    VIP    Accredited

what do you mean by "FSA copy and reset"? what are you using for your file servers that you're able to encrypt data with EFS and archive without the FSA agent? based on what you're telling me and the fact that you're using EFS, it would seem counterintuitive that the files would be somehow decrypted before being archived, however i also don't have enough information yet to understand how you're able to archive without the agent.

tmurray1
Level 5

Thanks for responding. The FSA task is set to only archive files. The files remain on the file share, we are not using Internet shortcuts. Under this design, the FSA agent placeholder service is not installed on any of the file servers. We are not using EFS at this time; we are only looking at how FSA will behave if we use EFS.

So it sounds like we will need to install the FSA agent placeholder service on the file share if we want to use EFS?


AndrewB
Moderator
Partner    VIP    Accredited

perhaps if the EV service account has access to decrypt the EFS (i don't know exactly how it works but you probably have a key store in AD) then it might work the way you suggest if you have the EV agent in place running with the service account.

i think your best bet would be to create a test policy on a folder with EFS and test it out to see how it behaves in your environment.
