Using a PKI token in Drive Encryption

A PKI token is a smartcard token type supported by Drive Encryption. Rather than taking its credential data from the card itself, Drive Encryption looks up the user's certificate information in a PKI store (such as Active Directory) and uses that information to initialize the Drive Encryption token data for the user. These tokens must be initialized before they can be used to authenticate a user.

The McAfee ePO extension initializes the token using the relevant certificate information present in Active Directory. This information is obtained through the Lightweight Directory Access Protocol (LDAP) synchronization task, which is created when Drive Encryption is first installed on McAfee ePO and runs before users are assigned to systems. A user who has no certificate published in Active Directory when the task runs has nothing for the token to be initialized from, so the certificate must be in place before the user is assigned.

The token data for the user is stored in the Pre-Boot File System (PBFS) on the client. At pre-boot it is unlocked only when the user presents the smartcard whose certificate matches the certificate information retrieved from Active Directory, and enters the correct PIN.
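The following PowerShell script is an added pre-check for the certificate match described above; it is not part of the McAfee ePO extension or the Drive Encryption client. It reads the certificate that the LDAP synchronization would see for a user, checks that it is current and suitable for smartcard logon, and compares it with the certificates of the smartcard present in the administrator's session. It assumes that the synchronization task reads the userCertificate attribute (the usual attribute for published user certificates; the page does not name the attribute), that the ActiveDirectory module is installed, and that the smartcard minidriver has propagated the card's certificate into the current user's personal certificate store.

```powershell
# Added example, not McAfee code. Assumes the ePO LDAP sync reads the
# userCertificate attribute, the ActiveDirectory module is available, and the
# inserted smartcard's certificate has been propagated to Cert:\CurrentUser\My.
param(
    [Parameter(Mandatory)] [string] $SamAccountName
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
if (-not $user.userCertificate -or $user.userCertificate.Count -eq 0) {
    Write-Warning "$SamAccountName has no userCertificate in AD; the LDAP sync has nothing to initialize the token with."
    return
}

# Decode each published certificate and record whether it is current and
# carries an EKU that makes sense for smartcard authentication.
$adCerts = foreach ($der in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt (Get-Date)
        # 1.3.6.1.4.1.311.20.2.2 = Smart Card Logon, 1.3.6.1.5.5.7.3.2 = Client Authentication
        SmartCardOrClientAuth = [bool]($ekuOids | Where-Object { $_ -in '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.5.7.3.2' })
    }
}

$adCerts | Format-Table -AutoSize

# Certificates with a private key in the current user's store. With a card
# inserted these include the card's certificates; software keys also qualify,
# so treat this as a thumbprint lookup, not as proof of a hardware key.
$localThumbs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -ExpandProperty Thumbprint

$matching = $adCerts | Where-Object {
    $_.Thumbprint -in $localThumbs -and -not $_.Expired -and $_.SmartCardOrClientAuth
}

if ($matching) {
    "Usable match for ${SamAccountName}: $($matching.Thumbprint -join ', ')"
} else {
    Write-Warning "No current smartcard-capable certificate published in AD for $SamAccountName matches a certificate available in this session."
}
```

Run it as `.\Check-PkiTokenCert.ps1 -SamAccountName jdoe` with the user's card inserted. A warning from the first check means the LDAP synchronization task will find nothing to initialize the token from; a warning from the last check means the card the user holds does not carry the certificate Active Directory publishes for them, which is the mismatch that leaves the PBFS token data locked at pre-boot.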