Encryption key types in Endpoint Encryption for Files and Folders and File and Removable Media Protection
Technical Articles ID: KB72668
Last Modified: 2/3/2016


McAfee Endpoint Encryption for Files and Folders (EEFF) 4.2.x
McAfee File and Removable Media Protection (FRP) 5.x, 4.3.x


There are three categories of encryption keys in EEFF/FRP. All keys are 256 bits long and use the Advanced Encryption Standard (AES) algorithm. All keys can be referenced in an encryption policy to be used to encrypt objects:
Centrally Managed Encryption Keys
These keys are generated and managed centrally in ePolicy Orchestrator (ePO). They are assigned to users and user groups using the Grant Key policies. Consequently, these keys are shared among users as dictated by the Key Grant policies and users can have access to several keys. The keys are transferred securely to the EEFF/FRP client when requested by the users. Only users that are allowed access with a Grant Key policy can get the corresponding keys.
User Personal Keys
These keys are generated and managed centrally in ePO. Each key is generated at the time a user requests one from ePO. The User Personal Key is unique (personal) to each user, and one User Personal Key is created for each user that requests it. Thus, data encrypted with the User Personal Key cannot be read by others or shared with others, because the key is unique to one user and assigned only to that user. However, the Key Administrator can locate a User Personal Key in ePO and, if needed, change its attribute to be a generally available key. The Key Administrator can then assign additional users to that specific User Personal Key. This is a typical use case when a User Personal Key is used as the Recovery Key for the Removable Media Protection functionality. By granting an Auditor or Forensics Agent access to a user’s User Personal Key (assuming the Removable Media Protection policy states this is the Recovery Key), it is possible to read data off that user’s removable devices. Do not confuse User Personal Keys with User Local Keys.
User Local Keys
User Local Keys are keys that users create locally on their own. To share data encrypted with a User Local Key, the key has to be manually exchanged between users via an export/import operation in the EEFF/FRP client. There is no central management or control over User Local Keys in McAfee ePO. The only link to ePO is a recovery key that allows users to recover their User Local Keys in case they forget the password for the local keys. User Local Key is a policy-controlled feature, and each operation (for example, the ability to share keys via export/import, or even to generate User Local Keys in the first place) is enabled or disabled in the user’s policy.

