diff --git a/Signal/src/Profiles/OWSProfileManager.m b/Signal/src/Profiles/OWSProfileManager.m
index 57bdbf215..cc0737759 100644
--- a/Signal/src/Profiles/OWSProfileManager.m
+++ b/Signal/src/Profiles/OWSProfileManager.m
@@ -11,6 +11,7 @@
 #import <SignalServiceKit/NSData+hexString.h>
 #import <SignalServiceKit/NSDate+OWS.h>
 #import <SignalServiceKit/NSNotificationCenter+OWS.h>
+#import <SignalServiceKit/OWSFileSystem.h>
 #import <SignalServiceKit/OWSMessageSender.h>
 #import <SignalServiceKit/OWSRequestBuilder.h>
 #import <SignalServiceKit/SecurityUtils.h>
@@ -1408,6 +1409,8 @@ const NSUInteger kOWSProfileManager_MaxAvatarDiameter = 640;
                 DDLogError(@"Failed to create profile avatars directory: %@", error);
             }
         }
+
+        [OWSFileSystem protectFolderAtPath:profileAvatarsDirPath];
     });
     return profileAvatarsDirPath;
 }
diff --git a/Signal/src/Signal-Bridging-Header.h b/Signal/src/Signal-Bridging-Header.h
index 54e1bec47..9b955a4b6 100644
--- a/Signal/src/Signal-Bridging-Header.h
+++ b/Signal/src/Signal-Bridging-Header.h
@@ -77,6 +77,7 @@
 #import <SignalServiceKit/OWSDispatch.h>
 #import <SignalServiceKit/OWSEndSessionMessage.h>
 #import <SignalServiceKit/OWSError.h>
+#import <SignalServiceKit/OWSFileSystem.h>
 #import <SignalServiceKit/OWSGetMessagesRequest.h>
 #import <SignalServiceKit/OWSGetProfileRequest.h>
 #import <SignalServiceKit/OWSIdentityManager.h>
diff --git a/Signal/src/network/GiphyDownloader.swift b/Signal/src/network/GiphyDownloader.swift
index 4ec87f95d..a867a729c 100644
--- a/Signal/src/network/GiphyDownloader.swift
+++ b/Signal/src/network/GiphyDownloader.swift
@@ -842,6 +842,9 @@ extension URLSessionTask {
                                                 attributes:nil)
                 gifFolderPath = dirPath
             }
+
+            // Don't back up Giphy downloads.
+            OWSFileSystem.protectFolder(atPath:dirPath)
         } catch let error as NSError {
             owsFail("\(GiphyAsset.TAG) ensureTempFolder failed: \(dirPath), \(error)")
             gifFolderPath = tempDirPath
diff --git a/SignalServiceKit/src/Messages/Attachments/TSAttachmentStream.m b/SignalServiceKit/src/Messages/Attachments/TSAttachmentStream.m
index 7f7fa85db..96d04d21b 100644
--- a/SignalServiceKit/src/Messages/Attachments/TSAttachmentStream.m
+++ b/SignalServiceKit/src/Messages/Attachments/TSAttachmentStream.m
@@ -5,6 +5,7 @@
 #import "TSAttachmentStream.h"
 #import "MIMETypeUtil.h"
 #import "NSData+Image.h"
+#import "OWSFileSystem.h"
 #import "TSAttachmentPointer.h"
 #import <AVFoundation/AVFoundation.h>
 #import <ImageIO/ImageIO.h>
@@ -204,6 +205,8 @@ NS_ASSUME_NONNULL_BEGIN
                 DDLogError(@"Failed to create attachments directory: %@", error);
             }
         }
+
+        [OWSFileSystem protectFolderAtPath:attachmentsFolder];
     });
     return attachmentsFolder;
 }
diff --git a/SignalServiceKit/src/Storage/TSStorageManager.h b/SignalServiceKit/src/Storage/TSStorageManager.h
index 0dbd4ad4a..b8e5f0007 100644
--- a/SignalServiceKit/src/Storage/TSStorageManager.h
+++ b/SignalServiceKit/src/Storage/TSStorageManager.h
@@ -63,6 +63,10 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nullable, nonatomic, readonly) YapDatabaseConnection *dbReadConnection;
 @property (nullable, nonatomic, readonly) YapDatabaseConnection *dbReadWriteConnection;
 
+#pragma mark - Utilities
+
+- (void)protectFolderAtPath:(NSString *)path;
+
 @end
 
 NS_ASSUME_NONNULL_END
diff --git a/SignalServiceKit/src/Storage/TSStorageManager.m b/SignalServiceKit/src/Storage/TSStorageManager.m
index ae151d6f3..69bee8272 100644
--- a/SignalServiceKit/src/Storage/TSStorageManager.m
+++ b/SignalServiceKit/src/Storage/TSStorageManager.m
@@ -5,10 +5,13 @@
 #import "TSStorageManager.h"
 #import "NSData+Base64.h"
 #import "OWSAnalytics.h"
+#import "OWSBatchMessageProcessor.h"
 #import "OWSDisappearingMessagesFinder.h"
 #import "OWSFailedAttachmentDownloadsJob.h"
 #import "OWSFailedMessagesJob.h"
+#import "OWSFileSystem.h"
 #import "OWSIncomingMessageFinder.h"
+#import "OWSMessageReceiver.h"
 #import "SignalRecipient.h"
 #import "TSAttachmentStream.h"
 #import "TSDatabaseSecondaryIndexes.h"
@@ -17,8 +20,6 @@
 #import "TSThread.h"
 #import <25519/Randomness.h>
 #import <SAMKeychain/SAMKeychain.h>
-#import <SignalServiceKit/OWSBatchMessageProcessor.h>
-#import <SignalServiceKit/OWSMessageReceiver.h>
 #import <YapDatabase/YapDatabaseRelationship.h>
 
 NS_ASSUME_NONNULL_BEGIN
@@ -349,29 +350,9 @@ void setDatabaseInitialized()
 }
 
 - (void)protectSignalFiles {
-    [self protectFolderAtPath:[TSAttachmentStream attachmentsFolder]];
-    [self protectFolderAtPath:[self dbPath]];
-    [self protectFolderAtPath:[[self dbPath] stringByAppendingString:@"-shm"]];
-    [self protectFolderAtPath:[[self dbPath] stringByAppendingString:@"-wal"]];
-}
-
-- (void)protectFolderAtPath:(NSString *)path {
-    if (![NSFileManager.defaultManager fileExistsAtPath:path]) {
-        return;
-    }
-
-    NSError *error;
-    NSDictionary *fileProtection = @{NSFileProtectionKey : NSFileProtectionCompleteUntilFirstUserAuthentication};
-    [[NSFileManager defaultManager] setAttributes:fileProtection ofItemAtPath:path error:&error];
-
-    NSDictionary *resourcesAttrs = @{ NSURLIsExcludedFromBackupKey : @YES };
-
-    NSURL *ressourceURL = [NSURL fileURLWithPath:path];
-    BOOL success        = [ressourceURL setResourceValues:resourcesAttrs error:&error];
-
-    if (error || !success) {
-        OWSProdCritical([OWSAnalyticsEvents storageErrorFileProtection]);
-    }
+    [OWSFileSystem protectFolderAtPath:[self dbPath]];
+    [OWSFileSystem protectFolderAtPath:[[self dbPath] stringByAppendingString:@"-shm"]];
+    [OWSFileSystem protectFolderAtPath:[[self dbPath] stringByAppendingString:@"-wal"]];
 }
 
 - (nullable YapDatabaseConnection *)newDatabaseConnection
diff --git a/SignalServiceKit/src/Util/OWSFileSystem.h b/SignalServiceKit/src/Util/OWSFileSystem.h
new file mode 100644
index 000000000..3eae177bb
--- /dev/null
+++ b/SignalServiceKit/src/Util/OWSFileSystem.h
@@ -0,0 +1,15 @@
+//
+//  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
+//
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OWSFileSystem : NSObject
+
+- (instancetype)init NS_UNAVAILABLE;
+
++ (void)protectFolderAtPath:(NSString *)path;
+
+@end
+
+NS_ASSUME_NONNULL_END
diff --git a/SignalServiceKit/src/Util/OWSFileSystem.m b/SignalServiceKit/src/Util/OWSFileSystem.m
new file mode 100644
index 000000000..6e69eb0e2
--- /dev/null
+++ b/SignalServiceKit/src/Util/OWSFileSystem.m
@@ -0,0 +1,33 @@
+//
+//  Copyright (c) 2017 Open Whisper Systems. All rights reserved.
+//
+
+#import "OWSFileSystem.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@implementation OWSFileSystem
+
++ (void)protectFolderAtPath:(NSString *)path
+{
+    if (![NSFileManager.defaultManager fileExistsAtPath:path]) {
+        return;
+    }
+
+    NSError *error;
+    NSDictionary *fileProtection = @{ NSFileProtectionKey : NSFileProtectionCompleteUntilFirstUserAuthentication };
+    [[NSFileManager defaultManager] setAttributes:fileProtection ofItemAtPath:path error:&error];
+
+    NSDictionary *resourcesAttrs = @{ NSURLIsExcludedFromBackupKey : @YES };
+
+    NSURL *ressourceURL = [NSURL fileURLWithPath:path];
+    BOOL success = [ressourceURL setResourceValues:resourcesAttrs error:&error];
+
+    if (error || !success) {
+        OWSProdCritical([OWSAnalyticsEvents storageErrorFileProtection]);
+    }
+}
+
+@end
+
+NS_ASSUME_NONNULL_END