User Guide
McAfee Endpoint Encryption for Files and Folders 4.2
For use with ePolicy Orchestrator 4.6 Software
COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.
Contents
About this guide
    Audience
    Conventions
Find product documentation
EEFF and data protection
How EEFF works
Features
Managing user local keys and media encryption
    The EEFF console
    Manage user local keys
        User local keys
        Create a user local key
        Delete a user local key
        Rename a User Local key
        Export user local keys
        Import user local keys
        Recover user local keys
        Change user local key authentication method
    Manage Endpoint Encryption for Removable Media
        Initialize removable media
        Recover removable media
        Change the EERM authentication details
    Managing CD/DVD/ISO media
        Writing McAfee Encrypted CD/DVD/ISO
        Working with McAfee Encryption for CD/DVD/ISO projects
        Select files and folders to encrypt to a CD/DVD/ISO
        Create McAfee Encrypted CD/DVD
        Create McAfee Encrypted ISO image
Managing encryption and decryption of files and folders
    Encrypt a file or a folder
    Decrypt a file or a folder
    Search for encrypted files or folders
    Create a self-extractor
        Read a self-extractor
    Attach a self-extractor to an email
    Add files and folders to encrypt to a CD/DVD/ISO
    Attach an encrypted file to an email
Preface
This guide provides the information you need to configure, use, and maintain your McAfee product.
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.
Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
• Administrators — People who implement and enforce the company's security program.
• Users — People who use the computer where the software is running and can access some or all of its features.
Conventions
This guide uses these typographical conventions and icons.
Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
Hypertext blue: A link to a topic or to an external website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning: Critical advice to prevent bodily harm when using a hardware product.
Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
Task
1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:
   To access user documentation, do this:
   1. Click Product Documentation.
   2. Select a product, then select a version.
   3. Select a product document.
   To access the KnowledgeBase, do this:
   • Click Search the KnowledgeBase for answers to your product questions.
   • Click Browse the KnowledgeBase for articles listed by product and version.
Introduction
McAfee® Endpoint Encryption for Files and Folders (EEFF) uses powerful encryption technology to allow you to protect information from access by unauthorized users. Your data is stored, managed, archived, and distributed like any other file; however, it can be viewed only by those who have been granted access.
EEFF and data protection
EEFF enables you to protect your data so that only certain users can access it. This data is stored, managed, archived, and distributed, and can be viewed only by authorized users.
This protection depends on Microsoft Windows user accounts and works in real-time to authenticate the user, to access the encryption keys, and to retrieve the correct policy in EEFF. A smart card implementation based on Windows logon provides for enhanced security.
How EEFF works
EEFF encrypts files and folders according to the policies assigned to users. These policies are enforced by the McAfee ePO server.
EEFF acts as a persistent encryption engine. When a file is encrypted, it remains encrypted even when:
• The file is moved or copied to another location
• The file is moved out of an encrypted directory
Integrated with McAfee® ePolicy Orchestrator® (McAfee ePO™), EEFF provides a single point of control over the data on all systems, and supports both user-based and system-based policies. EEFF depends on Microsoft Windows credentials, so both registered domain users and local system users can be assigned encryption policies and associated keys. Assigning these policies to users encrypts the data on the client. User-based policy assignments can be assigned only to registered domain users.
When the EEFF client is installed on the managed system, the system synchronizes with the McAfee ePO server and fetches the encryption keys and product policies. The EEFF client acts like a filter between the application creating or editing the files and the storage media. When a file is saved, the EEFF filter executes the assigned encryption policies and encrypts the data, if applicable.
When a user attempts to deviate from the assigned encryption policy by stopping the main EEFF process (MfeffCore.exe) on the client system, the process is automatically regenerated. The automatic restart cannot be disabled.
When a file that is encrypted with key A is moved to a folder where the files are encrypted with key B, the file that is encrypted with key A is instantly re-encrypted with key B. This process is known as follow-target-encryption; it requires that the user or process transferring the file have access to both key A and key B.
Features
These are the key features of EEFF.
• Centralized management — Provides support for deploying and managing EEFF using McAfee ePO software.
• Windows authentication-based policy enforcement — Assigns encryption policies and keys to Windows user accounts.
• User Personal Key — Allows users to have unique encryption keys that are generated from the McAfee ePO server, which the administrator can assign to policies to enable encryption.
• Delegated administration through role-based key management — Enables the logical separation of key management between multiple administrators. This capability is critical for separation across business functions and subsidiaries. This functionality is available only to users of EEFF 4.2 with McAfee ePO 4.6, Patch 6.
• Auditing of key management and policy assignments — The key management and policy assignment-related actions performed by McAfee ePO administrators are recorded in the audit log. This is critical to ensure compliance and prevent abuse by privileged administrators.
• Protection of data on removable media — Provides the ability to encrypt removable media and access encrypted content even on systems where EEFF is not installed.
• Network encryption — Enables secure sharing and collaboration on network shares.
• User-initiated encryption of files and email attachments — Allows users to create and attach password-encrypted executable files that can be decrypted on systems where EEFF is not installed.
• Auditing and reporting for USB removable media and CD/DVD/ISO events — Captures all end user actions related to USB removable media and CD/DVD/ISO events, with an auditing capability that provides an effective feedback loop for use by administrators in making policy decisions.
• Configurable key cache expiry — Enables the administrator to configure how long a key is cached on the client before it is removed due to non-connectivity to the McAfee ePO server.
• Integration with the McAfee tray icon — Consolidates the tray icons into one common McAfee icon.
• Migration from EEFF v3.2.x to EEFF 4.2.0 — Enables customers to migrate keys from legacy versions of the product to McAfee ePO-managed versions, with or without level information, with minimal effort.
• Use of McAfee Common Cryptographic Module (MCCM) — The EEFF client makes use of the McAfee Core Cryptographic Module (MCCM) User and Kernel FIPS 140-2 cryptographic modules. These cryptographic modules are being validated at FIPS 140-2 Level 1, and EEFF now provides an option to install the product in FIPS mode. MCCM also provides performance benefits and, in particular, leverages Intel® Advanced Encryption Standard Instructions (AES NI), resulting in additional performance improvements on systems with AES NI support.
Managing user local keys and media encryption
The EEFF console enables you to manage your user local keys and the encryption of removable media.
The EEFF console
You can launch the EEFF console by clicking the McAfee icon on your taskbar and selecting Manage Features | Endpoint Encryption for Files and Folders.
From the left pane of the console, you can view a status report, create and manage User Local keys, and initialize, recover, and change the authentication method for removable media and CD/DVD/ISO media.
Status Report
Status Report is the default screen that appears when you launch the EEFF console, and it displays this information:
• Operating system running on the client system
• EEFF installation files
• Encryption keys available to the user or the system
• General policies enforced on the system or the user
• Removable media policy enforced on the system or the user
• CD/DVD policy enforced on the system or the user
• Folder policies enforced on the system or the user
• File extension policies enforced on the system or the user
• List of exempted devices
• List of blocked processes
• List of file extensions excluded from encryption
• Key request exclusions
• Password policy rules enforced on the system or the user
In the right pane of the console, click Write to File to export the status report to an XML file.
Local keys
User Local keys can be created and managed from the EEFF console. Your administrator controls the availability of these options, according to your company's security policies.
See Managing User Local keys for details.
Removable Media
McAfee Endpoint Encryption for Removable Media (EERM) is a software solution that encrypts USB removable devices to protect data stored on the device. This feature allows the creation of media that can be securely authenticated and accessed by any system with a supported Windows operating system, without the need for the EEFF client to be present.
Your administrator controls the availability of this solution on the console, according to your company's security policies.
See Managing Endpoint Encryption for Removable Media for details.
CD/DVD/ISO Media
The Endpoint Encryption for CD/DVD/ISO feature allows securely encrypted data to be written to optical media or ISO images. This feature allows the creation of media that can be securely authenticated and accessed by any system with a supported Windows OS, without the need for the EEFF client to be present.
Your administrator controls the availability of this solution on the console, according to your company's security policies.
See Managing CD/DVD/ISO Media for details.
Manage user local keys
User local keys are the keys you create on your client for specific files and folders. User local keys can be created and managed from the EEFF console. User local keys are meant for the individual users and the system where they are created. Your administrator controls your ability to create and manage user local keys, according to your company's security policies.
If you have a roaming profile, your user local keys travel with your profile.
Tasks
• Create a user local key
  You can create a user local key and save it on your hard disk or removable storage device.
• Delete a user local key
  You can delete encryption keys that are not used. A deleted encryption key cannot be recovered. Consequently, documents encrypted with a deleted key cannot be opened.
• Rename a User Local key
  You can rename a user local key.
• Export user local keys
  To share encrypted files with other users, you must share the encryption keys they are encrypted with. When exported, the encryption key is packaged into a file with SKS as its extension. To export the file, the users must know the key store password. The SKS file can be sent as an e-mail attachment.
• Import user local keys
  To import an encryption key, you need to create a key store where you can save the imported key.
• Recover user local keys
  You can recover a user local key if the recovery key set in the user local key policy is available on the system.
• Change user local key authentication method
  You can change the protection mechanism for your key stores.
User local keys
User local keys enable you to encrypt or decrypt data using the context menu. The use of a user local key is limited to the user and client system where it is created.
Key storage
Encryption keys, including User Local keys, are stored in key stores. Each key store is protected with a password that you select (password token), or with your digital certificate (PKI token). You select the proper token when you create the key store. Your key store can be stored on your computer's hard disk, or on removable storage media such as a USB drive. It is possible to have one key store on the hard disk and another on removable storage, where each key store holds different keys.
Create a user local key
You can create a user local key and save it on your hard disk or removable storage device.
If you want to save the local key on a USB drive, make sure the drive is inserted before you start the wizard.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Create new key to open the Welcome to Create Local Key wizard, then click Next.
3. Select the location where you want to save the local key from the drop-down menu, then click Next.
   The Data page appears.
4. Enter a name for the local key, then select the inactivity timeout for the key from the drop-down menu.
   The inactivity timeout defines how long a key can remain unused in memory. When the timeout is reached, you need to authenticate to Endpoint Encryption again before you can access encrypted files or folders.
   Make sure that you provide unique names for the encryption keys, ideally reflecting the purpose of the key.
5. Click Next.
   The Tasks page summarizes the key details configured in the wizard.
6. Click Next.
   You might be prompted to authenticate to Endpoint Encryption before completing the wizard to ensure access to the corporate recovery key that will be used when you create your key store.
7. Click Finish.
Delete a user local key
You can delete encryption keys that are not used. A deleted encryption key cannot be recovered. Consequently, documents encrypted with a deleted key cannot be opened.
Before deleting the key, make sure that you search for files that are encrypted with the key. For more information, see the Search for encrypted files or folders section.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Delete key to open the Welcome to the Delete Key wizard, then click Next.
3. From the Key name drop-down list, select the required key, then click Next.
   The Tasks page summarizes the key details configured in the wizard.
4. Click Next.
   You might be prompted to authenticate to Endpoint Encryption before completing the wizard to ensure access to the key store.
5. Click Finish.
Rename a User Local key
You can rename a user local key.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Rename key to open the Welcome to the Rename Key Wizard, then click Next.
3. From the Key name drop-down list, select the required key, then click Next.
   The Data page appears.
4. Type a new name for the key, then click Next.
   The Tasks page summarizes the key details configured in the wizard.
5. Click Next.
   You might be prompted to authenticate to Endpoint Encryption before completing the wizard to ensure access to the key store.
6. Click Finish.
Export user local keys
To share encrypted files with other users, you must share the encryption keys they are encrypted with. When exported, the encryption key is packaged into a file with SKS as its extension. To export the file, the users must know the key store password. The SKS file can be sent as an e-mail attachment.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Export keys to open the Welcome to the Export Key wizard, then click Next.
3. Select the key, then browse to and select the destination file name and path where the key is to be exported.
4. Provide the password to be used to protect the exported key, then click Next.
5. When prompted, enter valid authentication information for the key store.
6. Click Finish.
Import user local keys
To import an encryption key, you need to create a key store where you can save the imported key.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Import keys to open the Welcome to the Import Key wizard page, then click Next.
3. Browse to and select the exported keys (*.sks file), then click Next.
4. Select the volume and location where you want to insert the keys, then click Next.
5. When prompted for authentication for exported keys, enter a valid password, then click OK.
6. When prompted, enter valid authentication information for the key store, then click OK.
7. Click Finish.
Recover user local keys
You can recover a user local key if the recovery key set in the user local key policy is available on the system.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. On the left pane, click Recover keys to open the Welcome to the Recover Key wizard, then click Next.
3. From the drop-down menu, select the location where you saved the local key that needs to be recovered, then click Next.
4. Enter and confirm a new password for the key store, then click Next.
   The Tasks page summarizes the key details configured in the wizard.
5. Click Next.
   You might be prompted to authenticate to Endpoint Encryption before completing the wizard to ensure access to the key store.
6. Click Finish.
Change user local key authentication method
You can change the protection mechanism for your key stores.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, under the Local Keys section, click Change authentication to open the Change Token wizard, then click Next.
3. Select the location where you saved the local key, then click Next.
4. Select the token type you want to authenticate the device with. The authentication method selected determines the page that appears:
   • If you select Password Protection, the Password page appears. Enter and confirm the new password, then click Next. The Tasks page appears summarizing the key details configured in the wizard.
   • If you select Certificate Protection, the Certificate page appears. Select a certificate from the list of available certificates, then click Next.
   The Tasks page summarizes the key details configured in the wizard.
5. Click Next.
   You might be prompted to authenticate to Endpoint Encryption before completing the wizard to ensure access to the key store.
6. Click Finish.
Manage Endpoint Encryption for Removable Media
McAfee Endpoint Encryption for Removable Media (EERM) is a software solution that encrypts removable devices to protect data stored in the device.
Any attached removable storage can be protected with EERM. The EERM solution provides the capability to read encrypted USB devices on any system with a supported Windows operating system, without the need to install the EEFF client or other specialized security software. In addition to enabling secure transfer of data outside the company to partners and vendors, this feature also enables users to carry data securely on USB drives and access it on other computers.
When the removable USB media device is inserted into a system where EEFF is not installed, you are prompted for either the encrypted password or certificate to access the secure container on the device. Successful authentication enables access to the data using the offsite Explorer.
Individual files up to 4 GB in size can be placed on encrypted removable media.
Tasks
• Initialize removable media
  When you insert a non-protected removable device on a client with EEFF installed and the policy for removable media is set to the Allow Encryption (with offsite access) or Enforce Encryption (with offsite access) protection level, you are prompted to initialize the device. You can also initiate initialization of the removable media using McAfee Endpoint Encryption for Files and Folders client console.
• Recover removable media
  You can recover access to the information on removable media using a recovery key, recovery password, or recovery certificate.
• Change the EERM authentication details
  You can change the protection mechanism for EERM from password to certificate, or vice versa.
Initialize removable media
When you insert a non-protected removable device on a client with EEFF installed and the policy for removable media is set to the Allow Encryption (with offsite access) or Enforce Encryption (with offsite access) protection level, you are prompted to initialize the device. You can also initiate initialization of the removable media using McAfee Endpoint Encryption for Files and Folders client console.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Initialize device.
3. In the Initialize Removable Media dialog box, if the Protected area section is enabled, set the amount of space (in GB) on the device that you want to protect.
   The ability to decide on the size of the protected area depends on the removable media encryption policy enforced on the system or user.
4. In the Authentication section, select the required authentication method.
   • If you select Authentication password, enter a password that conforms to the password complexity rules in your organization. If the password provided does not meet the required complexity, a message shows the password complexity.
   • If you select Authentication certificate, select a digital certificate from the drop-down menu.
   The available authentication methods depend on the removable media encryption policy enforced on the system or the user.
5. In the Recovery section, select the required recovery method.
   The available recovery methods depend on the removable media encryption policy enforced on the system or the user.
6. Click Initialize.
   If the entire device policy is set for removable media encryption, you are asked whether the existing data should be moved to the protected area. If you choose to move existing data to the protected area, the amount of available space on the system root drive is calculated. If there is enough space, the initialization process is initiated. If there is not enough space, a pop-up message appears indicating the free and required amounts of space on the system root drive. Remove files from the system root drive to free up space, then click Retry. The message continues to appear until enough space is found on the system root drive.
   We recommend that you do not unplug the device during initialization or cancel the initialization process. This might result in a device in an unknown state, meaning that it cannot be used on a machine with EEFF installed.
When the initialization is complete, an authentication dialog box prompts you to authenticate to the device. Provide the authentication information to use the device.
Recover removable media
You can recover access to the information on removable media using a recovery key, recovery password, or recovery certificate.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. On the left pane, click Recover media.
3. Select one of these required recovery methods:
   • Recovery key — This method requires the recovery key used during initialization to be available on the system in order to configure the recovery of the device.
   • Recovery password — This recovery method requires the recovery password given during initialization in order to configure the recovery of the device. Also, you can perform this recovery from a non-EEFF client.
   • Recovery certificate — This option requires the digital certificate key used during initialization to be available on the system in order to configure the recovery of the device. You can also perform this recovery from a non-EEFF client, where the same certificate should be either available or imported.
4. Click Recover.
Change the EERM authentication details
You can change the protection mechanism for EERM from password to certificate, or vice versa.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane under Removable Media, click Change authentication.
3. Click Change, then select the token type with which you want to authenticate the device.
   The available token types depend on the relevant policy configuration.
   • If the device is password-protected, authenticate the device using the existing password. When the device is successfully authenticated, enter and confirm the new password, then click OK. A message indicates that the authentication method has been changed.
   • If the device is protected by a certificate, the device is authenticated using the certificate installed on the client system. Select the required certificate from the list of available certificates, then click OK. A message indicates that the authentication method has been changed.
4. Click OK, then click Close.
Managing CD/DVD/ISO media
The McAfee Encryption for CD/DVD/ISO feature enables securely encrypted data to be written to optical media or ISO images.
Individual files up to 4 GB in size can be placed on an encrypted CD/DVD or ISO image.
Although EEFF allows the writing of encrypted files to optical media with the Enforce Encryption (onsite access only) protection level, subsequent use of these optical media is then restricted to EEFF-enabled systems. Using the McAfee Encryption for CD/DVD/ISO feature allows the creation of media that can be securely authenticated and accessed by any system with a supported Windows OS, without the need for the EEFF client to be present. This is allowed by both the Allow Encryption (with offsite access) and Enforce Encryption (with offsite access) protection levels, with the Enforce Encryption (with offsite access) protection level preventing writing to the optical media by an alternative method.
This feature can also be used to create secure encrypted ISO images of data, for subsequent burning to optical media or secure offsite backup. Once an ISO is created, it can be securely distributed and burned using any system that supports normal optical media burning.
For situations where a repeatable encrypted backup of a defined set of data that might change between backups is needed (for instance, source code folders, transaction records and so on), a project can be defined identifying the files/folders to be backed up, which can be saved to disk as an .emo file. The .emo file can then be loaded and run later to create the image, whenever required.
This project file mechanism allows you to create a sophisticated mapping between the source data and the eventual target media layout. This is flexible enough to allow reorganizing of the target file/folder layout, addition of new folders, renaming of target files/folders, and so on, so that the eventual encrypted media image can be structured as required.
When the encrypted CD/DVD is inserted into a system or the encrypted ISO is mounted on a system where EEFF is not installed, you are prompted for credentials to gain access to the CD/DVD/ISO media. Successful authentication enables access to the data using the offsite Explorer.
Writing McAfee Encrypted CD/DVD/ISO
The process of writing an Encrypted CD/DVD/ISO is performed in a number of stages, based on the selected parameters.
Creating encrypted image
This stage creates a temporary encrypted image of the selected files and folders. This is done in the temporary directory of the system as defined by Windows. The availability of sufficient disc space is verified before image creation.
If files could not be added to the encrypted image, an informational dialog box appears after this stage, indicating how many files were added and skipped. These are the possible reasons for skipped files:
• Source files not available at time of image creation
• Source files not accessible due to wrong access rights
• Source files are EEFF encrypted, but key not available at time of creation
Writing out ISO image
This stage writes the temporary image to an ISO file at the selected location. If this location is a local disc, attempts are made to make sure that enough space is available. However, for mapped drive locations, this check is not performed and available space is assumed.
Burning disc <x> of <y>
This stage appears for each physical copy requested. The substages within this stage include:
1. Waiting for blank <media> or larger (<media> will be the Media Type specified earlier)
2. Burning encrypted image
3. Finalizing media
4. Verifying media (optional sub-stage depending on options selected)
At the end of the process (or after a cancellation from a user), an informational dialog box displays the status of the operation. At this point, all temporary files are deleted on the system and the user is returned to the main application.
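The following pre-flight check is an added example, not part of the McAfee guide or the product. It classifies source files by two of the skip conditions listed above (source missing, source not readable) and by the 4 GB per-file limit stated earlier, then compares the total size with free space in the Windows-defined temporary directory. The function names and the reading of "4 GB" as 4 GiB are assumptions, and the check cannot detect EEFF-encrypted files whose key is unavailable.

```python
import os
import shutil
import tempfile

# Assumption: the guide's "4 GB" per-file limit is read here as 4 GiB.
MAX_FILE_BYTES = 4 * 1024**3


def _expand(sources, report):
    """Yield every file under the given files/folders (hypothetical helper)."""
    def on_walk_error(err):
        # A folder that cannot be listed counts as not accessible.
        report["unreadable"].append(err.filename)

    for src in sources:
        if os.path.isdir(src):
            for root, _dirs, files in os.walk(src, onerror=on_walk_error):
                for name in files:
                    yield os.path.join(root, name)
        else:
            # Plain files, and paths that no longer exist, are checked as-is.
            yield src


def preflight(sources, temp_dir=None, max_file_bytes=MAX_FILE_BYTES):
    """Report which sources are likely to be added to or skipped from an image.

    Returns a dict with the lists 'ok', 'missing', 'unreadable' and
    'oversize', the integer 'total_bytes' (sum of the 'ok' files) and the
    boolean 'temp_space_ok'.
    """
    report = {"ok": [], "missing": [], "unreadable": [], "oversize": [],
              "total_bytes": 0}
    for path in _expand(sources, report):
        try:
            size = os.path.getsize(path)
            with open(path, "rb") as handle:
                handle.read(1)  # proves read access, not just visibility
        except FileNotFoundError:
            report["missing"].append(path)
            continue
        except OSError:
            # Includes PermissionError: wrong access rights on the source.
            report["unreadable"].append(path)
            continue
        if size > max_file_bytes:
            report["oversize"].append(path)
            continue
        report["ok"].append(path)
        report["total_bytes"] += size

    # The plaintext total is a lower bound on the temporary image size,
    # so a False here means image creation cannot fit in the temp directory.
    free = shutil.disk_usage(temp_dir or tempfile.gettempdir()).free
    report["temp_space_ok"] = free >= report["total_bytes"]
    return report
```

Running `preflight` over the same folders a project references shows, before any media is burned, which files the informational dialog box would be likely to report as skipped.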
Working with McAfee Encryption for CD/DVD/ISO projects
When working with McAfee Encryption for CD/DVD/ISO, it is possible to create, save, and open project files with the .emo extension. These files contain the metadata detailing files and folders to be included in the encrypted media image to be created.
Project rescan
When an .emo project file is opened (either from within the application or by double-clicking on the file itself to launch the application), a rescan operation is carried out.
If any files and folders specified in the project are not available at the defined source location, a dialog box prompts the user to either delete the missing files/folders from the project, or keep them in the project, in which case they appear in red in the project view (and are not added to a subsequent encrypted media image unless available at media creation time).
If any new files or folders are found in source folders already included in the project, a dialog box prompts the user to either add the new files or folders to the project, or ignore them.
The rescan behavior can be instigated at any time by right-clicking the project file and selecting rescan from the context menu. The rescan occurs from the currently selected item of the tree view. To do a full rescan, select the root of the tree view.
Once a project has been created or opened successfully, an estimate of the size of the resultant media is shown, along with a description of the physical media that can be burned to.
Select files and folders to encrypt to a CD/DVD/ISO
You can select the required files and folders to encrypt to a CD/DVD/ISO using the McAfee Encryption for CD/DVD/ISO page.
Task
1. Click the McAfee icon on your taskbar, then select Manage Features | Endpoint Encryption for Files and Folders to open the client console.
2. In the left pane, click Create CD/DVD/ISO Media under CD/DVD/ISO Media to open the McAfee Encryption for CD/DVD/ISO page.
The McAfee Encryption for CD/DVD/ISO page can also be launched in two other ways:
• From the Windows Explorer pane, select the required files/folders, then right-click and select McAfee Endpoint Encryption | Add to Encrypted CD/DVD.
• Locate a previously saved project file with the .emo extension, then double-click the file to open the McAfee Encryption for CD/DVD/ISO page.
3. Drag and drop the required files and folders from the Folders pane to the Project File pane.
The Image Properties pane shows the appropriate total media size required for the selected files and folders.
You can delete the selected files and folders from the Project File pane using the delete option. You can save or load a project file describing the image contents from the File menu or the toolbar.
4. Click Next to open the Create McAfee Encrypted CD/DVD/ISO dialog box.
Create McAfee Encrypted CD/DVD
You can burn the selected files and folders to the inserted CD or DVD for secure authentication and access to the data.
Task
1. Open the Create McAfee Encrypted CD/DVD/ISO page.
2. In the Disk Title field, type the name to be assigned to the media, which is displayed when the media is inserted, following the ISO 9660 conventions:
• Maximum 15 characters
• Uppercase A to Z, numbers 0 to 9, and underscore symbol only
3. In the Burn device field, select the appropriate media device from the list.
The available options include any suitable burner devices identified on the system as well as the Create ISO image option. For each device selected, a list of supported media sizes appears.
4. In the Media Type field, specify the smallest media to which the data should be written. This media must always be at least as large as the smallest suitable media type estimated.
This refers to the type of media, not the specific format of media. For instance, CD-RW and CD-R are considered to be of type CD.
5. In the Copies field, you can specify multiple (up to 10) copies of the same data.
6. Select the Verify checkbox to confirm the disc burning.
7. In the Password field, type the required password that will be used to authenticate to the resultant media.
The password must conform to the rules defined in the EEFF password policy applied to the system.
8. In the Confirm field, type the same password again.
9. Click Burn CD/DVD to write the required files and folders to the inserted disc.
The Write McAfee Encrypted CD/DVD/ISO page appears.
Create McAfee Encrypted ISO image
You can create a securely encrypted ISO image that, when burned to a disc or mounted using a third-party tool, allows secure authentication and access to the data.
Task
1. Open the Create McAfee Encrypted CD/DVD/ISO page.
2. In the Disk Title field, type the name to be used for the ISO image (.iso) file, following the ISO 9660 conventions:
• Maximum 15 characters
• Uppercase A to Z, numbers 0 to 9, and underscore symbol only
3. In the Burn device field, select Create ISO Image.
4. In the Destination field, enter the full path or click Browse to select the required destination folder for the ISO image, then click OK.
5. In the Password field, type the required password that will be used to authenticate to the resultant media.
The password must conform to the rules defined in the EEFF password policy applied to the system.
6. In the Confirm field, type the same password again.
7. Click Create ISO to create an .iso file of the selected files and folders to the local system.
The Write McAfee Encrypted CD/DVD/ISO page appears.
3
Managing encryption and decryption of files and folders
The EEFF context menu provides easy access to EEFF options for files and folders.
When you right-click a file or folder, the context menu appears and displays the options enabled by your administrator, according to your company's security policies. The same options are available for files and folders.
Contents
Search for encrypted files or folders
Attach a self-extractor to an email
Add files and folders to encrypt to a CD/DVD/ISO
Attach an encrypted file to an email
Encrypt a file or a folder
You can manually encrypt a file or folder to prevent unauthorized access to its contents. This is particularly important for confidential information. You do this using the Encrypt option on the context menu, or from the Encryption tab of the file or folder's Properties dialog box.
Before you begin
Make sure that the file you want to encrypt is not being used by any application.
Task
1. Right-click the file or the folder to be encrypted, then select McAfee Endpoint Encryption | Encrypt. The Select key dialog box appears.
This option is not available if the folder has been encrypted by a policy defined by an administrator.
2. Select the key you want to use to encrypt the file, then click OK.
Click Details to view additional information about the selected key.
Depending on the policy settings, a padlock appears on the file or folder, indicating that it is encrypted with the selected key.
Decrypt a file or a folder
You can decrypt an encrypted file using the Decrypt option on the context menu, or from the Encryption tab of the file or folder's Properties dialog box.
Before you begin
Make sure that the file you want to decrypt is not being used by any application.
Task
• To decrypt a file or a folder:
  • Right-click the file or the folder, then select McAfee Endpoint Encryption | Decrypt.
    This option is not available if the file or folder has been encrypted by a policy defined by an administrator.
  • Right-click the file or the folder, then select Properties. On the Encryption tab, select <plaintext> as Key name, then click Apply.
File decryption and folder decryption might require authentication if the encryption key needed for the decryption is not available.
Search for encrypted files or folders
The Search encrypted option on the context menu enables you to search for encrypted files and folders in a specified location.
Task
1. Right-click on the folder, then select McAfee Endpoint Encryption | Search encrypted. The Search: encrypted files and folders dialog box appears.
2. Select if you want to search for files and folders, and for the keys that are used to encrypt the files or folders.
3. Browse to specify the folder path, then select Include sub-folders to search subfolders for encrypted files or folders.
4. Click Search.
After the search is complete, objects that match the search criteria are listed. You can select objects and perform actions on them.
Create a self-extractor
Self-extractors are password-encrypted executable files that can also be decrypted on systems that are not running EEFF. The password used to create the self-extractor is required to read it.
You can change the name of the self-extractor. By default, its name is the same as the source file or folder with the *.exe extension.
Task
1. Right-click the file or folder that you want to create a self-extractor for, then select McAfee Endpoint Encryption | Create Self-Extractor (<filename>.exe). The Package and encrypt dialog box appears.
2. Enter the password you want to use to encrypt the self-extractor, then click OK.
• The source file or folder remains intact on disk; only a copy of the file or folder is converted into a self-extractor.
• You can also specify where to save the self-extractor. The default location is the same as the source file or folder location.
Read a self-extractor
You can read self-extractors on any client system running Windows XP SP3 or later. You can also read self-extractors on a non-EEFF client, as long as you have the rights to run an executable file.
Make sure that you have the password that was used to create the file. (The creator of this file must share the password with the recipient of the file in a secure manner.)
Task
1. Double-click the self-extractor and provide the password used to create the file.
The content of the self-extractor automatically opens in the associated application.
The content is not automatically saved to disk. When you close the application that opened the unpacked self-extractor content, the unpacked content is removed from the disk.
2. To save the self-extractor content to disk, click Advanced, then select Extract and specify the location.
Attach a self-extractor to an email
You can attach a file or a folder as a self-extractor to an email.
The self-extractor is packaged into a *.cab file, which can be attached to an email. You can attach a file or a folder as a self-extractor using any email program.
Email messages sent with a *.cab self-extractor attachment might be blocked by a recipient's virus protection program.
Task
1. Right-click the file or folder where you want to create a self-extractor, then select McAfee Endpoint Encryption | Attach Self-Extractor to E-mail. The Package and encrypt dialog box appears.
2. Enter the password you want to use to encrypt the self-extractor, then click OK.
The source file or folder remains intact on disk; only a copy is converted into a self-extractor and attached to an email.
Add files and folders to encrypt to a CD/DVD/ISO
You can select the required files and folders to encrypt to a CD/DVD/ISO using the Add to encrypted CD/DVD option on the context menu. This option allows securely encrypted data to be written to optical media or ISO images.
For details on how to select files and folders to encrypt to a CD/DVD/ISO, see Select files and folders to encrypt to a CD/DVD/ISO.
Attach an encrypted file to an email
You can send a file (plain text or encrypted) in a protected way. The recipient must have EEFF installed and must have access to the encryption key.
If you attach an encrypted file to an email without using Attach encrypted to E-mail, the file is attached as plain text even if the file is encrypted on disk. The source file is still encrypted, but the copy attached to the email is sent to the recipient in plaintext (unprotected).
You can attach self-extractor files up to 10 MB in size.
Task
1. Right-click the file, then select McAfee Endpoint Encryption | Attach encrypted to E-mail. The Select protection keys dialog box appears.
2. Select the key you want to encrypt the file with, then click OK. A *.sba file is attached to the email.