EEPC v7.0 Patch 1 FAQ - Fast Initial Encryption

Version 1

    General

    Q: What is Fast Initial Encryption?

    Fast Initial Encryption is the ability to get the McAfee Full Disk Encryption product installed on a system and the system encrypted in a matter of minutes, compared to the several hours required under normal circumstances.

    Q: How does it work?

    This is achieved in two ways: by removing the power-failure protection (which provides protection against data loss in a power-failure or hard-shutdown scenario), allowing the initial encryption to proceed as fast as the hardware allows, and by encrypting only the sectors that are currently in use.

    Q: How is that different from the way it was done in v7.0 and below?

    Traditionally the product assumes that it is being asked to encrypt a system that is currently in use by an end user in the field. Priority is put on the end user experience, to minimize the impact on the end user’s daily routine. This has the benefit of allowing the user to continue to be productive while encryption is occurring, and of providing protection against power-failure or hard-shutdown data loss. The downside is that the encryption process takes longer to complete.

    To ensure that a system in use at the endpoint is fully protected, the product encrypts every sector of the volumes/partitions specified in the encryption policy, even if the sector is marked as unused by the file system. Even blank sectors containing no data are encrypted.

    Q: What do you mean when you say, “only encrypt used sectors”?

    Instead of encrypting all of the sectors of the volumes/partitions specified in the encryption policy, the product asks the Operating System which sectors are in use by the file system. The product then encrypts only those sectors that are flagged as in use within the volumes/partitions specified in the encryption policy. On a new installation this will generally be a small subset of the total size of the disk.

    Q: Wait, if I have only encrypted the sectors that are in use, what happens when I write new data to the disk?

    It’s OK. The new data is written encrypted, just as it is today: all new data written to the disk is encrypted. Think of it this way: all used sectors are encrypted, and as new sectors become used, they are encrypted too.

    Q: What use cases does it target?

    The use case for this functionality is the initial encryption of a newly installed/imaged system. The system is sitting on the desk of an IT technician and is not being used by an end user. You can refer to the “In-House Provisioning” or “Provisioning by a third party” use cases in the Offline Activation FAQ for more information.

    To refresh your memory on Offline Activation, you can refer to the Offline Activation FAQ at the following URL:

    https://community.mcafee.com/docs/DOC-4375

    Q: Is this functionality available on both Windows and OS X?

    No. It is only available on Windows in version 7.0 Patch 1. It is targeted for support on OS X in version 7.1.

    Using Fast Initial Encryption

    Q: Where is it available?

    This functionality is only available as a part of the offline activation process.

    To refresh your memory on Offline Activation, you can refer to the Offline Activation FAQ at the following URL:

    https://community.mcafee.com/docs/DOC-4375

    Q: Can I use this as part of the normal activation process?

    No.

    Q: Is this functionality enabled by default for offline activation?

    No. This functionality must be explicitly enabled.

    Q: How can I enable it as part of an offline activation package?

    Two options have been added to the Offline Activation Package. These are:

    --SkipUnused (encrypt used sectors only; default value is disabled)
    --DisablePF (disable power-failure protection; default value is disabled)

    Q: Why do I need to type “YES” when using the Used Sectors Only functionality?

    It is just to ensure that you have read the disclaimer and understand the usage of this functionality (see Considerations for Used Sector Only Encryption, below).

    Q: What happens if I don’t type “YES” when asked?

    If you don’t type YES, the offline activation package will not be built and the process will fail. You will need to rebuild the package and either correctly type YES or remove the Used Sectors Only option from the package.

    Q: Can I disable the power-failure protection but not enable the Used Sector Encryption functionality? Or, put another way, can I use one of the features but not the other?

    Yes. It is possible to use only one setting or the other. Because of the potential security concerns with used sector encryption on recycled drives (dirty disks) (see Considerations for Used Sector Only Encryption, below), it is possible to disable its usage.

    Q: Can I still perform a normal or offline activation with the power-failure protection enabled and encrypting all of the sectors, not just the ones in use?

    Yes. You must explicitly enable this new functionality for it to be used. If it is not enabled, the normal process for activation and initial encryption as per previous versions will be used.

    Usage with the various Disk Types

    Q: Can I use Fast Initial Encryption with a normal Hard Disk Drive (HDD)?

    Yes, and you should definitely read the “Considerations for Used Sector Only Encryption” section of this FAQ.

    Q: Can I use Fast Initial Encryption with a Solid State Disk (SSD)?

    Yes, and you should definitely read the “Considerations for Used Sector Only Encryption” section of this FAQ.

    Q: Can I use Fast Initial Encryption with an Opal drive?

    No, and it doesn’t make sense to use this functionality with an Opal drive. An Opal drive is technically encrypted all the time; the activation process simply enables the locking mechanism for the drive. Currently an Opal drive will go from Inactive to Active and fully encrypted in a matter of minutes. It doesn’t require this functionality.

    Considerations for Used Sector Only Encryption

    Q: Are the following questions aimed at HDD or SSD?

    In theory these questions and answers apply to both. However, there is a much bigger impact and implication for SSDs due to the nature of how SSDs operate. For more information on McAfee Full Disk Encryption and SSDs, please refer to the following KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB66256

    Q: If I only encrypt the used sectors, does that mean that there are sectors on the disk that are not encrypted?

    Correct. The product will only encrypt the sectors that the Operating System states are in use. All other sectors (white space) are left in their unencrypted state until they are utilized, even if those sectors contain sensitive (but previously deleted) data. Any new sectors written during normal operation will be written in an encrypted state.

    Q: Is this a problem if it is a brand new disk?

    If this is a brand new disk, the disk has never been used before, and it has not been used to store even a single bit of sensitive company data, then it’s OK. The only files on the disk should be the ones in use by the Operating System and/or any initial image that was installed on the disk. It should contain ZERO sensitive company data.

    An example of this is a system that has been freshly delivered from an OEM. If ever in doubt, do not assume that it is a new disk and contains zero sensitive company data.

    Q: Is this a problem if it is a disk where sensitive company data has existed before encryption?

    Yes, as sensitive data might exist in a disk sector that the Operating System reports as unused. Various questions are raised when this functionality is used on a disk that has previously contained sensitive company data, such as:

    • Could plain-text sensitive data remain in a sector that is not currently in use and is therefore not encrypted? For example, has a file been deleted (not shredded), leaving plain-text data recoverable from the unused sector(s)?
    • Has the SSD overwritten the physical page where the unencrypted data was previously held? See the SSD KB article for more information.
    • Etc.
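    The toy model below is an added illustration of the point above, not McAfee code: it keeps a raw sector array next to the file system's allocation bitmap, so a file deleted (not shredded) before activation stays readable off the media when only used sectors are encrypted but not under full encryption, while anything written after activation is encrypted either way. The cipher is a stand-in per-sector keystream (assumption, not the product's), and unused_nonzero() is the kind of dirty-disk pre-check a technician would want before choosing --SkipUnused.

```python
import hashlib

SECTOR = 16  # toy sector size; real disks use 512 or 4096 bytes

def keystream(key: bytes, lba: int) -> bytes:  # toy per-sector keystream, not the product's cipher
    return hashlib.sha256(key + lba.to_bytes(8, "little")).digest()[:SECTOR]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyDisk:
    """Raw sectors plus the filesystem's allocation bitmap (constructed demo, no real I/O)."""
    def __init__(self, n_sectors: int, key: bytes):
        self.raw = [bytes(SECTOR)] * n_sectors  # what a raw read of the media returns
        self.used = [False] * n_sectors         # what the OS reports as "in use"
        self.key, self.active = key, False      # FDE driver not yet activated

    def write(self, lba: int, data: bytes) -> None:
        data, self.used[lba] = data.ljust(SECTOR, b"\0")[:SECTOR], True
        # Once the driver is active, every new write reaches the media encrypted.
        self.raw[lba] = xor(data, keystream(self.key, lba)) if self.active else data

    def initial_encrypt(self, skip_unused: bool) -> int:
        """Activate and run initial encryption; returns the number of sectors encrypted."""
        self.active, done = True, 0
        for lba in range(len(self.raw)):
            if skip_unused and not self.used[lba]:
                continue  # --SkipUnused: trust the OS bitmap and leave the sector untouched
            self.raw[lba] = xor(self.raw[lba], keystream(self.key, lba))
            done += 1
        return done

    def unused_nonzero(self) -> list:
        """Pre-check: LBAs the OS calls unused that still hold data (a 'dirty disk' sign)."""
        return [i for i, u in enumerate(self.used) if not u and any(self.raw[i])]

def exposed(disk: ToyDisk, needle: bytes) -> bool:  # would a raw read find this plaintext?
    return any(needle in s for s in disk.raw)

def scenario(skip_unused: bool) -> dict:
    d = ToyDisk(8, b"demo-key")
    d.write(0, b"OS image file")  # base image, stays in use
    d.write(3, b"PAYROLL 2013")   # sensitive file written before FDE was installed
    d.used[3] = False             # ordinary delete: bitmap cleared, bytes left on the media
    dirty = d.unused_nonzero()    # what a technician should check before choosing --SkipUnused
    n = d.initial_encrypt(skip_unused)
    d.write(5, b"NEW RECORD")     # written after activation
    return {"dirty_before": dirty, "encrypted": n, "old_data_exposed": exposed(d, b"PAYROLL"),
            "new_data_exposed": exposed(d, b"NEW RECORD")}
```

    A non-empty unused_nonzero() result before initial encryption is exactly the "if ever in doubt" case: encrypt the whole volume instead.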

     

     

    Q: What is McAfee’s recommendation for using this functionality on an HDD that is brand new?

    This functionality can be used before any sensitive company data is written to the disk.

    Q: What is McAfee’s recommendation for using this functionality on an SSD that is brand new?

    This functionality can be used before any sensitive company data is written to the disk.

    Q: What is McAfee’s recommendation for using this functionality on an HDD that has previously contained sensitive company data?

    McAfee recommends not using this functionality on HDDs that have ever contained sensitive company data.

    Q: What is McAfee’s recommendation for using this functionality on an SSD that has previously contained sensitive company data?

    McAfee recommends not using this functionality on SSDs that have ever contained sensitive company data.

    Q: What should I do if I ever have any doubts or I’m unsure?

    If you are unsure about the contents of the disk before encryption, do not use this functionality; encrypt the entire volume/partition/disk instead.

    Q: What is McAfee’s recommendation if I am recycling an older drive that was fully encrypted with EEPC?

    This functionality can be used provided all of the volumes were previously encrypted, or at least the volumes containing sensitive data. If that condition is not met, the recommendation is not to use this functionality.

    Q: What is McAfee’s recommendation if I am recycling an older drive that was encrypted with a different encryption product?

    McAfee cannot make claims for third party products. As such, McAfee recommends not using this functionality.

    Performance Indications – Windows XP (32-bit) Image with a HDD

    The following performance data is for informational purposes and was measured by McAfee in Engineering Lab conditions. Customers may experience different results in the field with their hardware.

    Q: What are the specifications of the hardware used for this test?

    System: Dell Latitude E6410
    CPU: Core i7 CPU M640 @ 2.80 GHz
    RAM: 4 GB
    Drive: 500GB 7200 RPM HDD
    File Format: NTFS
    Partition Type: MBR
    Total available capacity: 465.76 GB
    Used space after OS Install: 5.31 GB

    Q: What results did McAfee see during internal testing?

    The times indicated below are the times to complete the encryption of the disk detailed above.

    Normal encryption: 5.93 hours (21,379 seconds)
    Disable Power-Failure Only: 4.86 hours (17,529 seconds)
    Used Sectors Only: 5.36 minutes (322 seconds)
    Usage of both: 4.53 minutes (272 seconds)

    Performance Indications – Windows 7 (64-bit) Image with a HDD

    The following performance data is for informational purposes and was measured by McAfee in Engineering Lab conditions. Customers may experience different results in the field with their hardware.

    Q: What are the specifications of the hardware used for this test?

    System: Lenovo T520
    CPU: Core i5 CPU 2540M @ 2.5 GHz
    RAM: 4 GB
    Drive: 500GB 7200 RPM HDD
    File Format: NTFS
    Partition Type: MBR
    Total available capacity: 465.76 GB
    Used space after OS Install: 18.4 GB

    Q: What results did McAfee see during internal testing?

    The times indicated below are the times to complete the encryption of the disk detailed above.

    Normal encryption: 6.3 hours (22,798 seconds)
    Disable Power-Failure Only: 5.1 hours (18,367 seconds)
    Used Sectors Only: 22.3 minutes (1,340 seconds)
    Usage of both: 17.75 minutes (1,065 seconds)

    Performance Indications – Windows 8 Pro UEFI (64-bit) Image with a HDD

    The following performance data is for informational purposes and was measured by McAfee in Engineering Lab conditions. Customers may experience different results in the field with their hardware.

    Q: What are the specifications of the hardware used for this test?

    System: Lenovo T520
    CPU: Core i5 CPU 2540M @ 2.5 GHz
    RAM: 4 GB
    Drive: 500GB 7200 RPM HDD
    File Format: NTFS
    Partition Type: GPT
    Total available capacity: 465.76 GB
    Used space after OS Install: 19.1 GB

    Q: What results did McAfee see during internal testing?

    The times indicated below are the times to complete the encryption of the disk detailed above.

    Normal encryption: 5.05 hours (18,210 seconds)
    Disable Power-Failure Only: 4.29 hours (15,461 seconds)
    Used Sectors Only: 19.55 minutes (1,173 seconds)
    Usage of both: 15.63 minutes (938 seconds)