VMware Cloud Community
C_Hofer
Contributor

Bug in ESX 6.5? Data loss when using EFS after switching Windows Server version and VM version

Dear vmware-Support,

Are there any known problems using Encrypting File System (EFS) with Windows Server 2016 on ESX 6.5?

We have been using EFS for years on Windows Server 2008 without any problems.

Four weeks ago, due to EOS of Server 2008, we moved everything (including the EFS-enabled production datastore = VMDK file) to another existing VM which is running Server 2016.

The VM versions involved are v8 for Server 2008 and v13 for Server 2016. We're running ESXi 6.5.0 (7388607) on a ProLiant DL380 Gen10.

The symptom that I can see from within Server 2016 by using a low-level disk viewer is that the disk sectors that were previously holding the encrypted data of the affected files are now holding binary zeroes (0x00). However, the file system entries of the affected files are intact (file size, location of file content on disk, modified dates, attributes, etc.). When we try to open such a file, it is empty.

Some of the affected files were not changed for years (mostly JPG files) while some other affected files were created (or edited) after our migration to Server 2016 (mostly XLS files).

Additionally, I have found out that the provisioning type of the VMDK has changed in the process of remounting it - from "eager-zeroed" to "thin" and therefore the VMDK had 100GB less in size than before.

However, after we have dismounted and inflated the VMDK (now showing "eager-zeroed"), the problem did NOT disappear, i.e. we still have data loss sometimes when saving new files or editing existing files!

We are also working a lot with unencrypted documents on the same VMDK and did not have any problems with those files so far.

You can find a detailed explanation of the EFS encryption process here (direct link to the book page):

Windows Internals - David A. Solomon, Mark E. Russinovich, Alex Ionescu - Google Books

Best regards,

Christian

C_Hofer
Contributor

I have updated my original post to include version details:

"The VM versions involved are v8 for Server 2008 and v13 for Server 2016. We're running ESXi 6.5.0 (7388607) on a ProLiant DL380 Gen10 machine."

For those who can't see all of the pages in my link to Google Books, here's a copy of it:

The following list summarizes the steps EFS performs to encrypt a file:

  1. The user profile is loaded if necessary.

  2. A log file is created in the System Volume Information directory with the name Efsx.log, where x is a unique number (for example, Efs0.log). As subsequent steps are performed, records are written to the log so that the file can be recovered in case the system fails during the encryption process.

  3. Base Cryptographic Provider 1.0 generates a random 128-bit FEK for the file.

  4. A user EFS private/public key pair is generated or obtained. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash identifies the user's key pair.

  5. A DDF key ring is created for the file that has an entry for the user. The entry contains a copy of the FEK that has been encrypted with the user's EFS public key.

  6. A DRF key ring is created for the file. It has an entry for each Recovery Agent on the system, with each entry containing a copy of the FEK encrypted with the agent's EFS public key.

  7. A backup file with a name in the form Efs0.tmp is created in the same directory as the file to be encrypted.

  8. The DDF and DRF key rings are added to a header and augment the file as its EFS attribute.

  9. The backup file is marked as encrypted, and the original file is copied to the backup.

  10. The original file's contents are destroyed, and the backup is copied to the original. This copy operation results in the data in the original file being encrypted because the file is now marked as encrypted.

  11. The backup file is deleted.

  12. The log file is deleted.

  13. The user profile is unloaded (if it was loaded in step 1).
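An added check for the symptom described in the original post (directory entry and file size intact, but every sector of the content reading back as 0x00): this is example code written for this thread, not something posted by C_Hofer and not part of any VMware or Microsoft tooling. It assumes it is run from inside the guest against the mounted volume; the EFS attribute test relies on `st_file_attributes`, which Python only exposes on Windows, and the sample directory tree is constructed for the demo.

```python
import os
import stat
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files on the VMDK are not loaded whole

def is_zero_filled(path):
    """True if the file has nonzero size but every byte read back is 0x00.
    A genuinely empty file (size 0) is not flagged: the symptom described is an
    intact directory entry with a nonzero size whose sectors now read as zeroes."""
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):  # any nonzero byte means real content
                return False

def is_efs_encrypted(path):
    """True if NTFS reports FILE_ATTRIBUTE_ENCRYPTED (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)

def scan(root):
    """Return sorted (relative path, encrypted?) pairs for zero-filled files under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_zero_filled(full):
                hits.append((os.path.relpath(full, root), is_efs_encrypted(full)))
    return sorted(hits)

def demo():
    """Constructed sample tree: one wiped file, one healthy file, one empty file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "wiped.xls"), "wb") as fh:
        fh.write(bytes(3 * CHUNK + 17))             # all 0x00, spans several chunks
    with open(os.path.join(root, "ok.jpg"), "wb") as fh:
        fh.write(bytes(CHUNK) + b"\xff\xd8\xff")    # zeroes, then real bytes at the end
    open(os.path.join(root, "empty.txt"), "wb").close()
    return scan(root)  # returns [('wiped.xls', False)] on a host without EFS

if __name__ == "__main__":
    for rel, efs in demo():
        print(f"{rel}\tencrypted={efs}")
```

Running `scan()` against the affected share from within the Server 2016 guest gives a list of candidate files to compare against backups; files that are zero-filled and carry the encrypted attribute are the ones matching the EFS-specific pattern in the post.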