Install FRP in FIPS mode
The FRP client uses the McAfee Core Cryptographic Module (MCCM) User and Kernel FIPS 140-2 cryptographic modules. These cryptographic modules are being validated for Federal Information Processing Standard (FIPS) 140-2 Level 1, and FRP now provides an option to install the product in FIPS mode. MCCM also provides performance benefits and uses Intel® Advanced Encryption Standard Instructions (AES NI), which results in further performance improvements on systems with AES NI support.
This article will be updated when FIPS compliance certification is achieved.
This article covers what is required for existing FRP installations that were installed without FIPS mode enabled to operate in FIPS mode. The instructions cover both FRP and ePolicy Orchestrator (ePO).
IMPORTANT:
- It is not possible to have an inline upgrade from a non-FIPS compliant FRP environment to a FIPS-compliant environment. For additional information about running ePO in FIPS mode, see the relevant ePO product guide for your specific release.
- After following these instructions, all Removable Media and User Local Key Stores created in the non-FIPS version of FRP will no longer be usable. The following must be considered when undertaking this conversion:
- Make sure that you reinitialize all removable USB devices.
IMPORTANT: This action requires backing up the data on the device, formatting the device, initializing with FRP 4.3, and then copying the data back to the device.
- Decrypt all files encrypted with User local keys, delete the keys, and then delete the key cache file manually. This file is in the %APPDATA%\Roaming\McAfee\Endpoint Encryption for Files and Folders\Key Stores folder.
- All CDs, DVDs, or ISOs that were created with previous non-FIPS versions of FRP can't be used onsite, but can still be used offsite. These devices can't be reinitialized.
- All old self-extractors can still function both onsite and offsite, but they operate in non-FIPS mode.
Installation procedure
- Decrypt all files that were encrypted with the previously generated keys:
  - Log on to the ePO console.
  - Access the FRP policy.
  - Change the encryption key to Decrypt in the policy where the encryption key is being used.
    For example, Folder Encryption, File Encryption, Removable Media.
  - Save the policy and apply the changes to the client.
- Remove all FRP keys from the client systems by removing them from the Grant Keys policy.
- Do the following, depending on your ePO server installation:
  - If your ePO server is not installed in FIPS mode:
    - Delete all keys from the ePO server.
      IMPORTANT: After you delete all FRP Keys from the ePO server, the files left encrypted are no longer accessible.
    - Remove FRP from all clients. For details about how to uninstall client packages, see the "Uninstalling FRP" section in the relevant FRP product guide. See the Related Information section of this article for details.
    - Reinstall ePO in FIPS mode.
    - Check in the FRP package.
    - Check in the FRP extension.
    - Deploy FRP in one of the following ways:
      - Use the FRP deployment task. Make sure you add the keyword FIPS on the task command line in ePO.
      - Use third-party deployment software. Make sure you pass the parameter FIPS_MODE=1 when you install the FRP client package, as follows:
        - 32-bit systems:
          msiexec.exe /q /i eeff32.msi FIPS_MODE=1
        - 64-bit systems:
          msiexec.exe /q /i eeff64.msi FIPS_MODE=1
  - If your ePO server is installed in FIPS mode:
    - Remove FRP from all clients. For details about how to uninstall client packages, see the "Uninstalling FRP" section in the relevant FRP product guide. See the Related Information section of this article for details.
    - Check in the FRP package.
    - Check in the FRP extension.
    - Reinstall the FRP client in FIPS mode.
    - Deploy FRP in one of the following ways:
      - Use the FRP deployment task. Make sure you add the keyword FIPS on the task command line in ePO.
      - Use the command-line option. Make sure you pass the parameter FIPS_MODE=1 when you install the FRP client package, as follows:
        - 32-bit systems:
          msiexec.exe /q /i eeff32.msi FIPS_MODE=1
        - 64-bit systems:
          msiexec.exe /q /i eeff64.msi FIPS_MODE=1
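One way to script the command-line deployment described above, as an added example that is not part of the original article or the vendor's tooling. The parameter names, the log file name and the assumption that the MSI files sit next to the script are hypothetical; the MSI names, FIPS_MODE=1 and the key store path text come from the article.

```powershell
# Added example: wrapper for deploying the FRP client in FIPS mode.
# Assumptions (not from the article): parameter names, log location, and that
# eeff32.msi / eeff64.msi are stored in $PackageDir.
param(
    [string]$PackageDir  = $PSScriptRoot,
    [string]$LogDir      = $env:TEMP,
    # Path text exactly as given in the article; expanded in the current user's context.
    [string]$KeyStoreDir = '%APPDATA%\Roaming\McAfee\Endpoint Encryption for Files and Folders\Key Stores'
)

function Get-FrpMsiName {
    # eeff64.msi on 64-bit Windows, eeff32.msi otherwise (file names from the article).
    if ([Environment]::Is64BitOperatingSystem) { 'eeff64.msi' } else { 'eeff32.msi' }
}

function Test-KeyStoreCleared {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return $true }
    # Any file left here is a key cache created by the non-FIPS install.
    return -not (Get-ChildItem -LiteralPath $expanded -File -Force -ErrorAction SilentlyContinue)
}

# Refuse to install while a non-FIPS user local key cache is still on disk.
if (-not (Test-KeyStoreCleared -Path $KeyStoreDir)) {
    Write-Error "Key cache still present in '$KeyStoreDir'. Decrypt files, delete the keys and the cache file first."
    exit 1
}

$msi = Join-Path $PackageDir (Get-FrpMsiName)
if (-not (Test-Path -LiteralPath $msi)) { Write-Error "Package not found: $msi"; exit 2 }

# Same command line as in the article, plus a verbose MSI log for troubleshooting.
$log     = Join-Path $LogDir 'frp-fips-install.log'
$msiArgs = @('/q', '/i', "`"$msi`"", 'FIPS_MODE=1', '/l*v', "`"$log`"")
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'FRP installed with FIPS_MODE=1.' }
    3010    { Write-Output 'FRP installed with FIPS_MODE=1; reboot required.' }
    1641    { Write-Output 'FRP installed with FIPS_MODE=1; reboot initiated.' }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode); see $log" }
}
exit $proc.ExitCode
```

The key store check only sees the profile of the account running the script, so run it in the user's context or repeat it per profile before a system-level deployment.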