Before proceeding to the actual steps for enabling this solution, it is beneficial to determine the architectural components and requirements of the solution. For instance, some of the factors that you may want to consider are:
Note: “Enforcing encryption” in this context refers to the process of querying folders on the network shares on a periodic basis to determine whether there are any plaintext files, and if any, encrypting them.
Even when files are dropped from the Passive Clients (assigned only the Encryption Keys) onto the secure folder on the network share, they are encrypted automatically. The only difference between the Active Clients and the Passive Clients is that Passive Clients don’t query the network share folder periodically.
More often than not, you may already have large amounts of existing data on the network share folders. In this case, it is recommended that you have an appropriate number of Dedicated client(s) (shown pictorially below) with a folder encryption policy configured with the location to be protected and the key to use.
Initiating encryption only from these dedicated client machines limits network bandwidth usage, because only these machines enumerate, fetch, encrypt and upload files. Depending on the size of the shared folder, this initial encryption task may be performed overnight or over a weekend.
It is recommended that these Dedicated client(s) be located on a fast network link, ideally on the same subnet as the share, in order to reduce network latency and hence shorten encryption times.
Tuning Network Parameters:
The options to tune Network Parameters are available as part of Network Policy.
For information on Network Policy, please refer to the Product Guide, Page 22: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25074/en_US/...
For information on tuning Network Parameters, please refer to the Best Practices Guide, Page 18 & 19: https://kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25077/en_US/...
FRP Dedicated/Active clients with a configured folder encryption policy and key to use will query the network share folder on a periodic basis to check if there are any files in plaintext in that folder, and if any, will encrypt the files.
This check happens at every “local policy enforcement” and during every ASCI (Agent-Server Communication Interval).
The Clients which query the shared folder on a periodic basis could be:
For optimal performance and network bandwidth utilization, it is recommended that option (1) or (2) be implemented.
Note: If a FRP client (having the key with which the folder on the share is encrypted) drops a file/folder onto the shared folder, a background thread is kicked off and the encryption process is immediate. So it is not necessary for all clients to have a folder encryption policy.
For “End user clients”, Folder encryption policy serves two purposes:
This example focuses on a use case where a folder on a network share contains sensitive content, with the requirement that only users from, say, the HR group are able to access the content.
(a) Key assignment (Grant Key Policy)
(b) Folder encryption Policy
Any subfolders within the “Secure folder_HR” will be automatically encrypted with the HR Encryption Key unless there is an explicit policy stating otherwise.
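The following added example (written for this article, not McAfee FRP code) models the two behaviours described above: a client's periodic enforcement pass that encrypts only the plaintext files under a folder encryption policy and leaves already-encrypted files alone, and key resolution where subfolders inherit the parent folder's key unless a policy names the subfolder explicitly. The on-disk format (a `DEMOENC1` header), the HMAC-SHA256 counter-mode cipher, the policy map and the share layout in `demo()` are all constructed assumptions for illustration; FRP's actual file format and cipher are not shown.

```python
"""Model of folder encryption policy enforcement on a share (constructed example)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

MAGIC = b"DEMOENC1"          # constructed header marking an already-encrypted file
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib only; illustrative, not FRP's cipher).
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_bytes(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return MAGIC + nonce + tag + ct


def decrypt_bytes(key: bytes, blob: bytes) -> bytes:
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    body = blob[len(MAGIC):]
    nonce, tag, ct = body[:NONCE_LEN], body[NONCE_LEN:NONCE_LEN + TAG_LEN], body[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered file")   # a client lacking the key cannot read it
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def is_encrypted(path: Path) -> bool:
    with path.open("rb") as f:
        return f.read(len(MAGIC)) == MAGIC


def resolve_key(policies: dict, path: Path, root: Path):
    """Nearest-ancestor match: a subfolder inherits the parent folder's key
    unless a policy names the subfolder explicitly. None means 'not managed'."""
    rel = path.relative_to(root).parent
    for folder in [rel, *rel.parents]:
        if folder in policies:
            return policies[folder]
    return None


def enforce_folder(root: Path, policies: dict) -> list:
    """One enforcement pass over the share: encrypt every plaintext file that
    falls under a policy, skip files already encrypted. Returns what it encrypted."""
    done = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key = resolve_key(policies, path, root)
        if key is None or is_encrypted(path):
            continue
        path.write_bytes(encrypt_bytes(key, path.read_bytes()))
        done.append(path.relative_to(root).as_posix())
    return done


def demo() -> dict:
    """Constructed share: 'Secure folder_HR' under the HR key, its 'finance'
    subfolder explicitly assigned a different key, 'public' not managed."""
    hr_key = hashlib.sha256(b"HR demo key").digest()
    fin_key = hashlib.sha256(b"Finance demo key").digest()
    policies = {Path("Secure folder_HR"): hr_key, Path("Secure folder_HR/finance"): fin_key}
    files = {"Secure folder_HR/a.txt": b"hr data",
             "Secure folder_HR/sub/b.txt": b"inherits HR key",
             "Secure folder_HR/finance/c.txt": b"finance data",
             "public/d.txt": b"plaintext is fine here"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        first = enforce_folder(root, policies)    # encrypts the three managed files
        second = enforce_folder(root, policies)   # nothing left in plaintext: no-op
        b_blob = (root / "Secure folder_HR/sub/b.txt").read_bytes()
        c_blob = (root / "Secure folder_HR/finance/c.txt").read_bytes()
        try:
            decrypt_bytes(hr_key, c_blob)         # HR key must not open the finance file
            wrong_key_rejected = False
        except ValueError:
            wrong_key_rejected = True
        return {"first_pass": first, "second_pass": second,
                "b_plain": decrypt_bytes(hr_key, b_blob),
                "public_untouched": not is_encrypted(root / "public/d.txt"),
                "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```

The second pass returning an empty list is the property that keeps periodic enforcement cheap: a client only pays for files that are still plaintext, which is why the article can recommend running the initial sweep from a few dedicated clients and leaving the recurring checks to them.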
You can view the Encryption Key usage in the above policies from the FRP Keys page:
The screenshots below illustrate the “Grant Keys” policy and the “Folder Encryption” policy assigned to a user via PAR (Policy Assignment Rules).
You can check whether the assigned policies (Grant Keys, Folder Encryption etc.) are available on the client via the McAfee Tray Icon -> Manage Features -> File and Removable Media Protection.
A padlock icon is displayed on the encrypted folder when viewed through an FRP client. The padlock icon is displayed only when the “Enable padlock icon visibility” option is enabled via the General Policy.
Alternatively, you can right click on the folder and select Properties. The “Encryption” Tab gives more information on the encryption status.
If the encryption key is available, users will be able to access encrypted files transparently, without any intervention or change in working procedures. If the encryption key is unavailable, the user will not be able to view the files.