Introduction

 

With Endpoint Encryption for Files and Folders 4.0, McAfee introduced the User Personal Key feature. If enabled, this feature will automatically create a unique key for each user in your environment. This unique key is created in ePO, but only after the EEFF Policy has been enforced on the user's system. This ensures that only live users get keys, and it also ensures scalability by not forcing ePO to create large numbers of keys concurrently.

 

In ePO, the individual user personal keys are not displayed when creating EEFF policies. Instead of a big list of personal keys, the administrator sees a single item named "User Personal Key." If this is used in a policy, it means that encryption will be performed with the user's personal key. Abstracting the keys in this way allows the administrator to create a single policy, instead of having to create one policy for each user.

 

Providing unique keys for each user is useful for a couple of reasons. First, these keys can be used as recovery keys for encrypted removable media. This ensures that if a USB stick is lost or stolen, it can only be recovered by the owner of the device because that is the only person with access to their user personal key (other than the administrator, of course). Second, it is an easy access control mechanism for a user's private data. In this document we will show how to encrypt a user's My Documents folder using their user personal key, thus rendering the data unreadable to anyone other than the user.

 

 

Step by Step Guide for configuration:

 

Enable User Personal Key feature

 

   1.  ePO Menu > Data Protection > EEFF Keys

   2.  Click Edit



 

   3.  Click Enable User Personal Keys

   4.  Click Save

 

 

Assign User Personal Key to policy

 

   1.  Click ePO Menu > Policy > Policy Catalog

   2.  Choose Endpoint Encryption for Files and Folders 4.1.0 from the Product drop down list

   3.  Choose Grant Keys (UBP) from the Category drop down list

   4.  Create Duplicate from McAfee Default policy

   5.  Edit the policy by clicking the name of the new policy

   6.  You will see a new key in the Available Keys section. Add the User Personal Key to the Selected Keys section



Note!

 

The User Personal Key here acts as a placeholder. It represents the individual user personal key.

 

 

Why create a new policy rather than use an existing one?

 

It simply saves time; otherwise you would need to add the User Personal Key to every existing policy. In addition, Grant Key policies support multiple assignments, so you won't run into problems if you need to assign other keys as well.

 

 

Use User Personal Key to encrypt My Documents

 

   1.  Click ePO Menu > Policy > Policy Catalog

   2.  Choose Endpoint Encryption for Files and Folders 4.1.0 from the Product drop down list

   3.  Choose Folder Encryption (UBP) from the Category drop down list

 

   4.  This step depends on whether you already use EEFF with folder encryption or not. Choose to create a new policy or
        use an existing one, where you will add the necessary entry in order to get the My Documents folder encrypted.

 

   5.  Add a new entry by clicking Add or by clicking the +

 



   6.  Choose [Documents] from the Path drop down list and User Personal Key as Key

 


Note!

 

[Documents] acts as a placeholder here. It represents the user's My Documents folder, since the relative path can vary. This is different from the case where you need to encrypt a user's home share. There, you may consider using the actual drive letter to which the share is mapped, since it is usually fixed.

 

 

Make User Personal Keys available as regular key


   1.  Click ePO Menu > Data Protection > EEFF Keys

   2.  Choose User from the Preset drop down list

  


 

   3.  Click the user key you want to make available

   4.  Click Actions > Edit Key

   5.  Click Available as regular key

 


 

   6.  Click OK

 

The user personal key is now available as a regular key and can be assigned to any Grant Key policy.

 

 

Note!

Policies can be assigned on System Tree level, by creating a User PAR or System PAR. For more information on using Policy Assignment Rules for assignment, please refer to the following KB articles at http://kc.mcafee.com:

KB 72719 - How to create Endpoint Encryption for Files and Folders 4.x Policies
KB 72775 - Policy assignment interpretations in Endpoint Encryption for Files and Folders 4.0