Last Modified: 12/07/2012
There are three categories of encryption keys in Endpoint Encryption for Files and Folders (EEFF) 4.x. All keys are 256 bits long and use the Advanced Encryption Standard (AES) algorithm. Any of the three key types can be referenced in an encryption policy and used to encrypt objects:
Centrally Managed Encryption Keys
These keys are generated and managed centrally in ePolicy Orchestrator (ePO). They are assigned to users and user groups through Grant Key policies. Consequently, these keys are shared among users as dictated by the Grant Key policies, and a user can have access to several keys. The keys are transferred securely to the EEFF client when a user requests them; only users who have been allowed access through a Grant Key policy receive the corresponding keys.
User Personal Keys
These keys are also generated and managed centrally in ePO, but each one is generated at the time a user requests it. A User Personal Key is unique (personal) to one user: exactly one User Personal Key is created for each user who requests it. Thus, data encrypted with a User Personal Key cannot be read by or shared with other users, because the key is unique to, and assigned only to, that one user. However, the Key Administrator can locate a User Personal Key in ePO and, if needed, change its attribute so that it becomes a generally available key; the Key Administrator can then assign additional users to that specific User Personal Key. This is a typical use case when a User Personal Key is used as the Recovery Key for Endpoint Encryption for Removable Media (EERM): by granting an Auditor or Forensics Agent access to a user’s User Personal Key (assuming the EERM policy designates it as the Recovery Key), it becomes possible to read data from that user’s removable devices. Make sure not to confuse User Personal Keys with the next key type, User Local Keys.
User Local Keys
User Local Keys are keys that users create locally on their own. To share data encrypted with a User Local Key, the key must be exchanged manually between users through an export/import operation in the EEFF client. There is no central management of, or control over, User Local Keys in McAfee ePO. The only link to ePO is a recovery key that allows users to recover their User Local Keys if they forget the password protecting the local keys. User Local Keys are a policy-controlled feature: each operation, such as the ability to share keys via export/import, or even to generate User Local Keys in the first place, is enabled or disabled in the user’s policy.