    Recovery Key for Domain Admins


      I am struggling with setting up EEFF with a Recovery Key to allow only the Domain Admin to recover passwords for Removable Media.


      What I want to happen is to allow any domain admin to be able to log on to any device with EEFF installed and allow them to recover a password of any USB device that is encrypted with EERM.


      I already have an EERM Default policy that has Use Recovery Key set up to User Personal Key.


      I have created a Regular key and then created a new policy called Domain Admins and assigned the regular key to it.


      I have then set up a Policy Assignment Rule which has the Domain Admins policy assigned to it and uses the criteria of any member of the Domain Admins AD security group.


          I am attempting to do the same thing. It seems that you can't set up a recovery key if the user that is encrypting the device does not have access to that key. I was hoping to set up a recovery key for admins, as you suggested, so if the user forgets the password or the recovery password or questions, then an admin can recover it with ease.


          Unfortunately, this does not seem to be the case. If you set the Recovery key as a key that the user who encrypts the data does not have access to, they will get an "Initialization Failed" message when trying to encrypt it. However, I wanted to avoid giving each user a personal key, just to restrict the size of the database and for ease of management.


          So, is there any way that we can set a recovery key to something that has not been granted to the user? That would make management and support much simpler.

            Do any of the McAfee mods know if this is possible?

              I have actually received confirmation that the recovery key needs to be assigned to the person initializing the device; it cannot simply just be used for recovery.


              However, if you have the Domain Admin Policy set up, the only way I know of is to change the User Personal Key to a Regular key, and assign the regular key to the domain admins policy. That will allow the domain admins to recover the USB stick, and after the recovery is done, they can then assign the regular key back to being a User Personal Key. Not the best option for support, but best for users, as they can just use their key to recover the device without issue if it was themselves who encrypted it.


              Also not aware of any utilities that can be used to identify what user personal key was used to encrypt the USB... so if you have quite a number of users and are not sure who encrypted the USB, then it might make it hard to determine which personal key needs to be used for the recovery.


              Far from a complete package at this time, but hopefully the next version considers some of these issues. At this time, I can only imagine we have to work within the realms of the capabilities of the software.

                Davidbunt is correct.  The only way to allow admins to recover media that was encrypted with EERM is to change the key of the person that encrypted the device to a regular key, grant that key to your domain admins and then allow your domain admins to recover the device.  This is an abridged version of how to complete the task, but it does work and works well.

                  I think I understand what you guys are doing, but I'm kinda confused where you give the Domain Admins access to do this?  Does anybody have the steps used to do this?  Thanks so much!