Hi all, I was directed here from the EPO forum. I am working on migrating our EPO environment to FIPS compliance, and one of the aspects of this will be the drive encryption. I have talked to the EPO team about how to migrate the systems, but I had one question that they said would be better directed here. Here is the original thread: https://community.mcafee.com/t5/ePolicy-Orchestrator/Some-questions-about-migrating-to-new-hardware-...
My question in there was:
"We do have DE encrypted products, and it is to my understanding that in order for that to be FIPS compliant, we must decrypt/uninstall McAfee DE and then re-install using appropriate CMD line arguments and re-encrypt the drive (per https://docs.mcafee.com/bundle/drive-encryption-7.2.5-installation-guide-epolicy-orchestrator/page/G...). Will this process not generate new encryption keys anyway, or am I misunderstanding?"
This was in the context of using the system transfer option in EPO to transfer systems to the new FIPS compliant EPO server, as opposed to just exporting the agent on the new server and installing it on our hosts. I am wondering, since our DE clients are not currently FIPS compliant, whether the system transfer would really matter much as far as "keeping the encryption keys" that cdinet was talking about, if I'm going to have to just re-encrypt them for FIPS compliance.
Please let me know if you need some clarification on what I'm asking. Thank you.
Anyone?
Hi @markgarza ,
Thank you for writing in here.
Since you are migrating to another FIPS compliant EPO, the best advice is:
1) When the machines are still reporting to the old EPO, kindly assign a decrypt policy to your clients.
2) Once decrypted, kindly assign an uninstall task from EPO for these machines.
3) Then from the new FIPS ePO, push the MDE clients with FIPS mode and activate them as per the article.
4) Kindly make sure you are using MDE 7.2.9.17 as it has critical fixes.
Thank you.