Drive Encryption system recovery

The purpose of encrypting the client's data is to control access to the data by controlling access to the encryption keys. It is important that keys are not accessible to users.

The keys that encrypt the hard disk sectors need to be protected; these keys are referred to as Machine Keys. Each system has its own unique Machine Key. The Machine Key is stored in the McAfee ePO database so that it can be used for client recovery when required. There are four different system recovery options available in Drive Encryption, which can be reached through Menu | Systems | System Tree | System | Actions | Drive Encryption.

Drive Encryption system recovery options

Option: Decrypt offline recovery file
Definition: The encrypted Machine Key is stored in a recovery information file (.xml) on the client system. To enable the recovery procedures on the client system, the user can use McAfee ePO to decrypt the offline recovery file that is retrieved from the client system.

Option: Destroy all recovery information
Definition: When you want to secure-erase the drives in a system with Drive Encryption installed, remove all users from the system (including those inherited from parent branches in the System Tree). This makes the disks inaccessible through normal authentication, as there are no longer any users assigned to the system. Then destroy the recovery information for the system using Menu | Systems | System Tree | Systems | Actions | Drive Encryption | Destroy All Recovery Information in the McAfee ePO console. After this, the system can never be recovered.

Option: Key Re-use
Definition: This option activates the system with the existing key present on the McAfee ePO server. It is highly useful when a boot disk becomes corrupted and the user cannot access the system: the other disks on the system can be recovered by activating it with the same key from McAfee ePO.

Option: Export recovery information
Definition: This option exports the recovery information file (.xml) for the selected client system from McAfee ePO. Every client system that is encrypted using Drive Encryption has a recovery information file in McAfee ePO. Any user who needs to run the recovery procedures on a client system should obtain the file from the McAfee ePO administrator for Drive Encryption. For more information, see the DETech User Guide.
Note: The recovery information file has the general format <client system name>.xml.

Option: Export recovery information based on Disk Keycheck
Definition: This option exports the recovery information file (.xml) for one disk of a client system from McAfee ePO. Every disk of a client system has a disk keycheck value. For instance, if a client system has a disk called 'Disk1', you can recover that client system (when it is in an unrecoverable state) using the keycheck value of 'Disk1'. However, if a new disk 'Disk2' is installed and activated in that same client system, you must use the keycheck value of 'Disk2'; the keycheck value of 'Disk1' loses priority.

To perform this task, you need to access the client system using DETech and obtain the disk keycheck value using the Disk Information option from the DETech user interface.

  • In McAfee ePO, click Actions | Drive Encryption | Export recovery information based on Disk Keycheck and enter the obtained disk keycheck value in the Key Check field.
  • The recovery information file (.xml) appears; export it to the inserted removable media.
  • Use this file to authenticate to the client system using DETech. For more information, see the DETech User Guide.

What happens to the Machine Key when you delete a Drive Encryption active system from McAfee ePO?

The Machine Key remains in the McAfee ePO database; however, the key's association with the client system is lost when the client system is deleted. When the client system reports back to McAfee ePO during the next ASCI, it appears as a new node. A new node does not have any users assigned to it. The administrator must assign users to allow logon, assign administrative users to the McAfee ePO branch where the systems are added (by default, Lost&Found), or enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required policies in McAfee ePO.

After adding the users and configuring the policies, the next agent-to-server communication makes sure that:

  • The Machine Key is re-associated with the client system and the recovery key is available.

    When the associated Machine Key is not present with the new node, McAfee ePO sends a Machine Key request. If the user is logged on to the client system, an agent-server communication between the client and the McAfee ePO server makes sure that the Machine Key is updated in McAfee ePO and the users are updated on the client. After that, the Machine Key becomes available and admin recovery and policy enforcement work.

  • The users are assigned to the client system and can log on to the client system.

You cannot log on to the client system before a proper agent-server communication occurs. In this situation, use the DETech tool to obtain the Key Check value from the client and obtain the recovery key for this machine from the McAfee ePO console to perform an Emergency Boot.
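The following is an added illustrative model, not McAfee code, that walks through the recovery options from the table above and the delete-then-reappear sequence just described: one Machine Key per system held in a server-side store, export by system name and by disk keycheck (with the most recently activated disk's keycheck taking priority), Key Re-use, the loss and re-establishment of the key association on deletion and the next agent-server communication, and Destroy All Recovery Information making the system permanently unrecoverable. The class and method names, the keycheck derivation (a truncated SHA-256, chosen only so distinct disks get distinct values) and the recovery-file layout are assumptions for the model; the page does not describe the product's internal formats.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


def disk_keycheck(machine_key: bytes, disk_name: str) -> str:
    # Hypothetical derivation: the page only says every disk carries a keycheck
    # that DETech can display; the product's real computation is not described.
    return hashlib.sha256(machine_key + disk_name.encode()).hexdigest()[:8].upper()


@dataclass
class MachineKeyRecord:
    key: bytes                 # per-system Machine Key, never handed to end users
    system_name: str | None    # None once the system is deleted from ePO
    disks: list[str]           # activation order; the last disk's keycheck has priority
    destroyed: bool = False    # set by Destroy All Recovery Information

    def current_keycheck(self) -> str:
        return disk_keycheck(self.key, self.disks[-1])


class EpoKeyStore:
    """Toy stand-in for the ePO tables holding Machine Keys and System Tree nodes."""

    def __init__(self) -> None:
        self._records: list[MachineKeyRecord] = []
        self._nodes: dict[str, set[str]] = {}   # system name -> assigned users

    # --- activation and disk changes ---
    def activate_system(self, name: str, disk: str, users: set[str]) -> str:
        self._records.append(MachineKeyRecord(secrets.token_bytes(32), name, [disk]))
        self._nodes[name] = set(users)
        return self._records[-1].current_keycheck()

    def add_disk(self, name: str, disk: str) -> str:
        rec = self._record_for(name)
        rec.disks.append(disk)            # Disk1's keycheck loses priority to Disk2's
        return rec.current_keycheck()

    # --- the four recovery options from the table ---
    def export_recovery_information(self, name: str) -> dict | None:
        rec = self._record_for(name)
        return self._recovery_file(rec) if rec else None

    def export_recovery_by_keycheck(self, keycheck: str) -> dict | None:
        rec = next((r for r in self._records
                    if not r.destroyed and r.current_keycheck() == keycheck), None)
        return self._recovery_file(rec) if rec else None

    def key_reuse(self, name: str) -> bytes | None:
        rec = self._record_for(name)
        return rec.key if rec else None

    def destroy_all_recovery_information(self, name: str) -> None:
        rec = self._record_for(name)
        if rec:
            rec.destroyed = True          # the system can never be recovered after this
            self._nodes[name] = set()

    # --- deletion and re-association over agent-server communication ---
    def delete_system(self, name: str) -> None:
        rec = self._record_for(name)
        if rec:
            rec.system_name = None        # key stays in the database; association is lost
        self._nodes.pop(name, None)

    def assign_users(self, name: str, users: set[str]) -> None:
        self._nodes.setdefault(name, set()).update(users)

    def agent_server_communication(self, name: str, client_key: bytes) -> str:
        if name not in self._nodes:
            self._nodes[name] = set()     # the deleted client reappears as a new node
            return "new_node"
        if not self._nodes[name]:
            return "no_users"             # no logon until the administrator assigns users
        rec = next((r for r in self._records
                    if r.key == client_key and not r.destroyed), None)
        if rec is None:
            return "unknown_key"
        if rec.system_name == name:
            return "already_associated"
        rec.system_name = name            # Machine Key re-associated; recovery available again
        return "reassociated"

    # --- helpers ---
    def _record_for(self, name: str) -> MachineKeyRecord | None:
        return next((r for r in self._records
                     if r.system_name == name and not r.destroyed), None)

    @staticmethod
    def _recovery_file(rec: MachineKeyRecord) -> dict:
        # Models "<client system name>.xml"; the real file contents are not on the page.
        return {"file_name": f"{rec.system_name or 'unassociated'}.xml",
                "keycheck": rec.current_keycheck(),
                "machine_key_hex": rec.key.hex()}
```

Read the sequence as an administrator would: after `delete_system`, export by system name fails but export by the disk keycheck (the value DETech shows) still resolves the stored key, which is the Emergency Boot path the text describes; the name-based path only returns once users are assigned and an agent-server communication re-links the key.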