11 Replies Latest reply on Jan 2, 2014 3:09 AM by dado407

    EEPC 6.1.3 encryption key recovery

    dado407

      Hello,

       

      I need to recover a deleted EEPC encryption key for a computer which has been deleted from the current ePO DB, ePO 4.6.6.

      I tried to recover it from an old database backup, performed on ePO version 4.6.3.

       

      The ePO DB was restored on the same ePO server in two options.

      1. restored database with a different name;

      2. restored database with the same name as the production DB name (production DB backed up and detached before).

       

      In each case after the restore, the ePO configuration was changed to connect to the proper database name.

      In both cases, after the ePO server services restarted, the ePO console does not start, connection error HTTP 500.

       

      Current system configuration:

      - ePO 4.6.6.176 server;

      - console and server installed on the same machine;

      - Windows 2008R2 Standard with SQL2008SP2 Standard 64bit Ed.

       

      Is there any other way to recover EEPC encryption keys from the old DB?

       

      Best regards,

      Darek.

        • 1. Re: EEPC 6.1.3 encryption key recovery

          I think your question is more how to restore an EPO DB at the moment? I would suggest starting a thread in the EPO group?

           

          You should still be able to get to the key though in the current production DB - keys are not deleted when the machine is deleted. You can usually use the API and keycheckvalue to export them.

           

          for example - http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23437/en_US/EEPC_6_1_2_scripting_guide.pdf?searchid=1383135817764

           

          Message was edited by: SafeBoot on 10/30/13 8:25:40 AM EDT
          • 2. Re: EEPC 6.1.3 encryption key recovery
            dado407

            Thanks SafeBoot for the great advice, I did not use it before.

             

            I followed the command scripting but without success; I received error -12. I suppose no keys are available for this particular computer.

            The reason could be that our ePO server synchronizes client status with Active Directory; any new computer in AD is automatically created on ePO.

            When I deleted the computer from the ePO DB, after the next sync with AD it was recreated again as 'unmanaged', with all records for this name empty.

             

            I think the only way to recover could be an old DB restore.

            I look forward to your advice.

             

            Regards,
            Darek.

            • 3. Re: EEPC 6.1.3 encryption key recovery
              Reiner

              As Safeboot said - even if the object (node) is deleted from ePO the key itself never gets deleted (unless you chose so - 'Destroy All Recovery Information') so via scripting you should be able to retrieve the file. Having said this - restoring the old DB is another option.

              • 4. Re: EEPC 6.1.3 encryption key recovery
                dado407

                Thanks Reiner for the reply.

                I understand what SafeBoot wrote about the key; I've checked it on another machine deleted from the ePO DB, and it works as he described.

                I used the ePO.API.Explore tool and in this case I received the same error:

                <result><MfeEpeExportMachineKeys><errorCode>-12</errorCode></MfeEpeExportMachineKeys></result>

                I received a similar error when trying to export the key for a computer without encryption.

                Any ideas how to read this key a different way?

                 

                Regards,

                Darek.

                • 5. Re: EEPC 6.1.3 encryption key recovery

                  It would seem the key is not in the backup DB either - are you SURE you are looking for the right machine?

                   

                  Since keys are never deleted unless you deliberately destroy them, there's no reason it wouldn't exist in the live db and backup.

                   

                  Can you explain how the key got destroyed? Perhaps you're simply looking for the wrong machine name, or the machine was in fact registered to some other EPO server?

                   

                  You are looking for the keycheck value as reported by the machine itself yes?

                  • 6. Re: EEPC 6.1.3 encryption key recovery
                    dado407

                    Yes, I’m sure I’m looking for the right computer name.

                    Let me explain this situation further.

                    The encrypted disk in a laptop failed. It was sent to an external company for repair. After a few months it came back working, but the disk cannot be accessed.

                    In the meantime the computer was deleted from ePO, but without the ‘destroy all data’ option, just machine data. Encryption keys should stay in the DB.

                    The ePO server is synchronized with AD; the next sync task recreated the computer account with ‘unmanaged’ status.

                     

                    My initial question was whether it is possible to look into the DB backup which was made before the machine account clean-up and recover the encryption key for this machine.

                     

                    Regards,

                    Darek

                    • 7. Re: EEPC 6.1.3 encryption key recovery

                      Well the keys are NEVER deleted automatically in 6.1.3, so either you're using the wrong information to find the key, someone destroyed the recovery information, or the key never existed. Use the keycheck value, not the computer name - that will get you the exact key.

                       

                      Of course, if this was a 6.0 machine it's quite possible the key was deleted - that was the design behaviour of that version.

                       

                      re using the backup, it's not something I am aware of but may be possible - you'd need to ask your Platinum support person for help I guess. Usually people just mount their backup and read it out. 

                      • 8. Re: EEPC 6.1.3 encryption key recovery
                        dado407

                        This machine was encrypted with version 6.1.2, so I do not know if what you mentioned about version 6.0 applies to it.

                        As you suggest, I can use the EETech tool to read the keycheck and then look into the DB to recover the keys. Am I right?

                         

                        Regards,
                        Darek.

                        • 9. Re: EEPC 6.1.3 encryption key recovery

                          the keycheck value is what you need to be using to search for the key - the machine could have been renamed at any point.
