There are three categories of encryption keys in FRP. All keys are 256 bits long and use the
Advanced Encryption Standard (AES) algorithm. Any of these keys can be referenced in an encryption policy and used to encrypt objects:
Centrally Managed Encryption Keys
- These keys are generated and managed centrally in ePolicy Orchestrator (ePO).
- They are assigned to users and user groups, using the Grant Key policies.
- These keys are shared among users, as dictated by the Key Grant policies. Users can have access to several keys.
- The keys are transferred securely to the FRP client when requested by the users. Only users that are allowed access with a Grant Key policy can get the corresponding keys.
User Personal Keys
- These keys are generated and managed centrally in ePO.
- They are generated at the time a user requests a key from ePO.
- The User Personal Key is unique to each user. One User Personal Key is created for each user that requests it. Thus, data encrypted with a User Personal Key can't be read by, or shared with, other users.
- The key is unique to one user, and assigned only to that user.
- The Key Administrator can locate a User Personal Key in ePO and, if needed, change its attribute so that it becomes a generally available key. The Key Administrator can then assign other users to that specific User Personal Key. This is the typical use case when a User Personal Key is used as an FRP Recovery Key.
- By granting an Auditor or Forensics Agent access to a user’s User Personal Key, it is possible to read data from that user’s removable devices, assuming the Removable Media Protection policy designates that key as the Recovery key. Do not confuse User Personal Keys with User Local Keys.
User Local Keys
- User Local Keys are keys that the users create locally on their own.
- These keys are created to share data encrypted with a User Local Key. The key has to be exchanged manually between users.
- To exchange a key manually, one user performs an export operation and the other an import operation on the FRP client.
- There is no central management or control over User Local Keys in McAfee ePO. The only link to ePO is a recovery key that allows users to recover their User Local Keys if they forget their password and need to regain access to the local keys. User Local Keys are a policy-controlled feature: each operation is enabled or disabled in the user’s policy, for example the ability to share keys via export or import, or even to generate User Local Keys in the first place.