Machine Key Management

The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys. It is important that keys are not accessible to users.

The key that encrypts the hard disk sectors must be protected. This key is referred to as the Machine Key. Each system has its own unique Machine Key, and the Machine Key is stored in the McAfee ePO database so that it can be used for client recovery when required.

Note: For more information about reusing Machine Keys, refer to the KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB71839.

Machine Key re-use

The Machine Key re-use option is used to activate the system with the existing key on the McAfee ePO server. This option is highly useful when a boot disk gets corrupted and the user cannot access the system. Other disks on the corrupted system can be recovered by activating it with the same key from McAfee ePO.

Note: The Machine Key re-use feature is not applicable for self-encrypting (Opal) drive systems.

What happens to Machine Keys when a Drive Encryption active system is re-imaged?

All existing system data is lost, therefore the Machine Key is lost when a Drive Encryption active system is re-imaged.

What happens to the Machine Key when you delete a Drive Encryption active system from McAfee ePO?

The Machine Key remains in the McAfee ePO database; however, the key association with the client system is lost when the client system is deleted from McAfee ePO. When the client system reports back to McAfee ePO during the next ASCI, it appears as a new node. A new node does not have any users assigned to the client system. The administrator must therefore assign users to allow logon, or enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required policies in McAfee ePO.

The next data channel communication after adding the users and configuring the policies makes sure that:

  • The Machine Key is re-associated with the client system and the recovery key is available.

    When the associated Machine Key is not present with the new node, McAfee ePO sends a Machine Key request. If the user is logged on to the client system, an agent-to-server communication between the client and the McAfee ePO server ensures the Machine Key is updated in McAfee ePO and the users are updated on the client. Thereafter, the Machine Key is available and admin recovery and policy enforcement work.

  • The users are assigned to the client system. Therefore, these users can straightaway log on to the client system.

Note: Although Drive Encryption 7.2 increases the number of users that pre-boot can support to thousands rather than hundreds, we recommend minimizing the number of users assigned per node. Firstly, best security practice aims to limit the number of users that can access a system to the smallest group of users. Secondly, assigning large numbers of users to each node might affect the overall scalability of the entire system and reduce the maximum number of nodes that can be supported by Drive Encryption.

What happens to Machine Keys when transferring a client system from one McAfee ePO server to another?

The Machine Key remains in the McAfee ePO database; however, the key association with the client system is lost when the client system is transferred from another McAfee ePO server.

When a transferred client system reports back to McAfee ePO during the next ASCI, it appears as a new node and therefore has no users assigned to it. The administrator must assign users to allow logon at PBA, assign users to the McAfee ePO branch where the systems are added (by default LOST&FOUND), and enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required policies in McAfee ePO.

Note: To transfer all systems between McAfee ePO servers, the best process is to follow the McAfee ePO Disaster Recovery process. For more information, refer to the KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB66616.

The next data channel communication after adding the users and configuring the policies ensures:

  • The Machine Key is re-associated with the client system and the recovery key is available.

    When the associated Machine Key is not present with the new node, McAfee ePO sends a Machine Key request. If the user is logged on to the client system, an agent-to-server communication between the client and the McAfee ePO server ensures the Machine Key is updated in McAfee ePO and the users are updated on the client. Thereafter, the Machine Key will be available and admin recovery and policy enforcement will work.

  • The users are assigned to the client system and can log on to the client system.

What happens to Machine Keys when moving systems from one branch to another in McAfee ePO?

The LeafNode is not deleted from the McAfee ePO database when a system is moved from one branch to another in McAfee ePO; hence, the Machine Key remains available for that client system.

How to destroy the recovery information for a Drive Encryption installed system

When you want to secure-erase the drives in your Drive Encryption installed system, remove all users from the system (including those inherited from parent branches in the system tree). This makes the disks inaccessible through normal authentication as there are no longer any users assigned to the system. You must then destroy the recovery information for the system using the option Menu | Systems | System Tree | Systems tab | Actions | Drive Encryption | Destroy All Recovery Information in the McAfee ePO console. You must also disable the Add local domain user option in the Product Setting Policy. This means that the system can never be recovered.
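The lifecycle described on this page (key stored in the ePO database, association held by the LeafNode, re-association over the data channel, branch moves that keep the key, and the destroy-recovery procedure above) is easier to reason about as a small state model. The following Python is an added, constructed model written for this page; it is not McAfee code and does not call any ePO API. The class and method names (EpoModel, activate, data_channel, secure_erase) and the key identifiers it generates are assumptions made for illustration. It shows why all three steps of the secure-erase procedure are needed: removing users alone still leaves admin recovery possible, and destroying the key alone still lets the Add local domain user policy re-populate users.

```python
"""Constructed model (not McAfee code) of the Machine Key lifecycle on this page:
the key lives in the ePO database, the LeafNode holds the association, and
recovery needs a live node pointing at a key that has not been destroyed."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class LeafNode:
    branch: str
    key_id: Optional[str]                 # association to a Machine Key row in ePO
    users: set = field(default_factory=set)
    add_local_domain_user: bool = False   # Product Setting Policy option


@dataclass
class Client:
    name: str
    key_id: Optional[str]                 # Machine Key identity held on the client's disk


class EpoModel:
    def __init__(self):
        self.keys = {}                              # key_id -> key material (placeholder bytes)
        self.nodes = {}                             # system name -> LeafNode
        self.branch_users = {"LOST&FOUND": set()}   # users inherited from a branch

    def activate(self, name, branch, users):
        """First activation: a unique Machine Key is generated and stored in ePO."""
        key_id = "mk-" + secrets.token_hex(4)       # constructed identifier format
        self.keys[key_id] = secrets.token_bytes(32)
        self.nodes[name] = LeafNode(branch, key_id, set(users))
        return Client(name, key_id)

    def reactivate_with_existing_key(self, name):
        """Machine Key re-use: a rebuilt client is activated with the key ePO already holds."""
        node = self.nodes[name]
        if node.key_id not in self.keys:
            raise ValueError("no Machine Key available in ePO for " + name)
        return Client(name, node.key_id)

    def effective_users(self, name):
        node = self.nodes[name]
        return node.users | self.branch_users.get(node.branch, set())

    def can_recover(self, name):
        node = self.nodes.get(name)
        return node is not None and node.key_id in self.keys

    def delete_system(self, name):
        """Deleting the node keeps the key row but drops the association."""
        del self.nodes[name]

    def report_back(self, client, branch="LOST&FOUND"):
        """Next ASCI after deletion or transfer: the client appears as a new node, no users."""
        if client.name not in self.nodes:
            self.nodes[client.name] = LeafNode(branch, None)

    def data_channel(self, client, user_logged_on):
        """Machine Key request: re-association happens only with a user logged on
        and only if the client still holds a key that exists in ePO."""
        node = self.nodes[client.name]
        if node.key_id is None and user_logged_on and client.key_id in self.keys:
            node.key_id = client.key_id
        if node.add_local_domain_user and user_logged_on:
            node.users.add("local-domain-user")  # policy auto-assigns the logged-on user
        return node.key_id is not None

    def move_branch(self, name, branch):
        self.nodes[name].branch = branch            # LeafNode survives, association kept

    def destroy_recovery_information(self, name):
        """Irreversible: the key material is removed from the database."""
        node = self.nodes[name]
        self.keys.pop(node.key_id, None)
        node.key_id = None

    def secure_erase(self, name):
        """The procedure from the page, in order: remove users (including inherited
        ones), destroy recovery information, disable Add local domain user."""
        node = self.nodes[name]
        node.users.clear()
        if self.effective_users(name):
            raise ValueError("users inherited from branch still assigned; remove them first")
        self.destroy_recovery_information(name)
        node.add_local_domain_user = False
        return self.can_recover(name)               # always False after a full erase


if __name__ == "__main__":
    epo = EpoModel()
    pc = epo.activate("pc1", "Workstations", {"alice"})
    epo.delete_system("pc1")
    epo.report_back(pc)
    print("after delete, recoverable:", epo.can_recover("pc1"))
    epo.nodes["pc1"].users.add("alice")
    epo.data_channel(pc, user_logged_on=True)
    print("after data channel, recoverable:", epo.can_recover("pc1"))
    print("after secure erase, recoverable:", epo.secure_erase("pc1"))
```

Running the model walks a system through deletion, re-association and a full erase. The point a defender should take from it is the last step: once destroy_recovery_information has run, even a client that still holds its own key identity cannot get the association back, because the key row is gone from the database rather than merely unlinked.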