Endpoint Encryption for Files and Folders 3.2.1 User Guide - McAfee
McAfee, Inc.
3965 Freedom Circle, Santa Clara, CA 95054, USA
Tel: (+1) 888.847.8766

For more information regarding local McAfee representatives please contact your local McAfee office, or visit: www.mcafee.com

Document: Endpoint Encryption for Files and Folders User Guide
Last updated: Friday, 19 June 2009

Copyright (c) 1992-2009 McAfee, Inc., and/or its affiliates. All rights reserved. McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein are only by reference and are the sole property of their respective owners.


Contents

Preface ... 4
  Using this guide ... 4
    Audience ... 4
    Conventions ... 4
Welcome ... 5
  About This Guide ... 5
  Audience ... 5
  Related Documentation ... 6
Introduction ... 7
  Why Endpoint Encryption for Files and Folders? ... 7
  Design Philosophy ... 7
  How Endpoint Encryption for Files and Folders works ... 8
The Context Menu Options (right-click menu options) ... 12
  Encrypt… ... 13
  Decrypt… ... 14
  Search encrypted… (folder context menu only) ... 14
  Create Self-Extractor ((unknown).exe)… ... 15
  Attach as Self-Extractor to E-mail… ... 17
  Attach encrypted to E-mail… (files only) ... 17
  Reading a Self-Extractor ... 18
The tray icon options ... 21
  About Endpoint Encryption for Files and Folders… ... 22
  Unload all keys ... 22
  User Local Key management options ... 22
  Options for EERM ... 23
  Endpoint Encryption Recovery ... 23
  Show status ... 24
Local key management ... 26
  Create Local Key… ... 27
  Delete Local Key… ... 28
  Export Local Key… ... 29
  Import Local Key… ... 30
  Rename Local Key… ... 31
  Recover Local Keys… ... 32
  Change Local Token… ... 33
Endpoint Encryption for Removable Media (EERM) ... 35
  What is McAfee EERM? ... 35
  User experience ... 35
Index ... 41


Preface

Using this guide

This guide describes how to use the McAfee Endpoint Encryption for Files and Folders client.

Audience

This guide is intended for anyone who will use the Endpoint Encryption for Files and Folders client.

Conventions

This guide uses the following conventions:

Bold Condensed: All words from the interface, including options, menus, buttons, and dialog box names.
Courier: The path of a folder or program; text that represents something the user types exactly (for example, a command at the system prompt).
Italic: Emphasis or introduction of a new term; names of product manuals.
Blue: A web address (URL); a live link.
Note: Supplemental information; for example, an alternate method of executing the same command.
Caution: Important advice to protect your computer system, enterprise, software installation, or data.


Welcome

McAfee is dedicated to providing you and your company with the best in security for protecting information on computers. Applying the latest technology, information security may be deployed and used with simple yet structured and secure administration controls.

Endpoint Encryption for Files and Folders represents a technology that addresses the security requirements for documents, folders, data in transit on removable devices and stored on NAS, SAN and network (file) servers.

Through the continued investment in technology and the inclusion of industry standards we are confident that our goal of keeping Endpoint Encryption at the forefront of data protection will be achieved.

About This Guide

This guide is designed to aid users when using the Endpoint Encryption for Files and Folders client. There is a minimum of user interaction and user involvement with Endpoint Encryption for Files and Folders.

Still, as the degree of user involvement can be controlled by policy, users may be allowed to make certain decisions related to the encrypted environment. Thus, this guide assists the user in whatever user operation has been allowed/enabled. All possible client side user operations are described, though only a subset of these may have been made available to the user through the policy.

This guide is not a guide to the central management of Endpoint Encryption for Files and Folders. Nor is it a guide to any other Endpoint Encryption clients. For relevant documentation pertaining to other products or aspects of Endpoint Encryption, please consult your McAfee representative.

Audience

This guide was designed to be used by users of the Endpoint Encryption for Files and Folders client. No particular prerequisites apply.

Should there be an interest in cryptography topics, readers are recommended the following publications:

• Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, B. Schneier, Pub. John Wiley & Sons; ISBN: 0471128457
• Computer Security, D. Gollmann, Pub. John Wiley and Sons; ISBN: 0471978442


Related Documentation

The following documents are available from your McAfee representative:

• Endpoint Encryption for Files and Folders Administration Guide
• Endpoint Encryption Manager Administration Guide
• Endpoint Encryption for Files and Folders Quick Start Guide
• Endpoint Encryption Enterprise Technical Overview
• Endpoint Encryption for Files and Folders Generic PKI Token Technical White Paper
• Endpoint Encryption for Files and Folders Self-Extractor White Paper
• Endpoint Encryption for Files and Folders User Guide (this document)


Introduction

Why Endpoint Encryption for Files and Folders?

Within all organizations there are people you trust with data and people you do not. At a basic level most IT users are probably trusted to access their computers and use their documents, but at a higher level – say at the board of directors – do you really want your system administrators to be able to read sensitive reports and shareholder information?

Endpoint Encryption for Files and Folders allows you and your administrators to define data protection in a way that only certain users can read it. The encrypted data is stored as normal files; it can therefore still be managed, archived, and distributed but only understood by those who have been given proper access.

Endpoint Encryption for Files and Folders is a “Persistent Encryption” engine – once you have encrypted a document, it’s not possible to mistakenly create a decrypted copy of it. If you move a document out of an encrypted directory, it stays encrypted; if you move it to a removable device such as a memory stick, it remains encrypted.

Endpoint Encryption for Files and Folders also follows the Endpoint Encryption Policy control methods – your Administrators can set individual, department, group, or companywide policies such as All .doc files will be encrypted, My Documents will be encrypted, and Users cannot explicitly decrypt encrypted data. This policy engine uses the award-winning and long-standing Endpoint Encryption Manager, proven in customer installations worldwide.

Design Philosophy

Endpoint Encryption for Files and Folders enhances information security by providing data encryption and strong authentication using, for example, a Smart Card. You can use any login method, including passwords and national ID cards, to access protected information.

The intent of the product is to minimize user interaction related to information protection. Thus, the degree of user interaction is subject to policy control. It is possible for your Endpoint Encryption Administrators to set an environment where you are not allowed to do anything at all. It’s also possible to allow you a wide range of client side features. The amount of user involvement is subject to encryption policies, which can be dynamically altered by your Endpoint Encryption Administrators as your business needs change.


How Endpoint Encryption for Files and Folders works

The Endpoint Encryption for Files and Folders client encrypts folders and documents according to policies set by Endpoint Encryption Administrators, and delivered to you over the network. The Endpoint Encryption for Files and Folders client acts like a filter between the application creating or editing the information and the storage media, e.g. the hard disk.

Whenever a document is written to supported storage media, Endpoint Encryption for Files and Folders executes assigned encryption policies and encrypts the information if applicable. When an application later reads the information, the encryption engine automatically decrypts the file when it is read into the computer memory, but:

The source file is always encrypted on disk

The encryption/decryption happens automatically and is fully transparent. You won’t notice any difference between working with encrypted and plaintext documents; your working procedures are not, and must not, be disturbed.

When a document is encrypted, it is encrypted at its original location on the disk. Hence, no copies or other special files are created when encrypting a document. The original document remains encrypted at all times; only the parts read into memory are decrypted when an application, e.g. Microsoft® Word, reads the document. When the application closes the document, the memory is wiped and the original document is still encrypted on disk. No decrypted traces of the document remain in the computer memory.

Endpoint Encryption for Files and Folders can encrypt documents and folders on basically all modern platforms, whether it is the local hard disk, the file server or a USB flash memory.

Encrypted folders and documents are always visible to you. Thus, you can search for, and will recognize, documents and folders as they were before encryption. The only difference is a small padlock icon that can be optionally attached to the document or folder icon, marking it as encrypted. Your Endpoint Encryption Administrator decides through your policy if the padlock shall be visible or not.

With Endpoint Encryption for Files and Folders, it is easy to encrypt documents and folders. Encryption can be enforced either by a policy or by the user right-clicking folders and documents.

A key feature of Endpoint Encryption for Files and Folders is the principle of containment, or persistent encryption. This means that the encrypted folder or document will always keep its encryption, irrespective of how it is edited, moved or copied.


…background beyond your control. The reason for this is mainly to minimize the amount of extra work you need to do when working with encrypted data. You probably only want to work as normal and not bother about the corporate information security rules.

Endpoint Encryption for Files and Folders supports three standard algorithms with various key lengths, including the Endpoint Encryption FIPS 140-2 certified AES-256 algorithm.

With central management using the Endpoint Encryption Manager, and distribution of encryption keys using the secure Endpoint Encryption Server, it is easy to allow sharing of encrypted documents within an organization. When your Endpoint Encryption Administrator assigns groups of users to encryption keys, the users in the group can exchange and read encrypted documents like any other document, without noticing any difference. Users not assigned to the key will not be able to read documents encrypted with that key.

Using this mechanism it is possible to protect documents and folders on shared units, e.g. a network server, from unauthorized access by encrypting them with a proper key and allocating this key to authorized users only. This approach allows encryption key hierarchies to be created, with an organization common key at the bottom (that every user has) and specific department or group keys at the top (assigned only to selected users within that department or group).

Management

When you authenticate to Endpoint Encryption for Files and Folders, i.e. try to access encrypted documents or do a manual Endpoint Encryption for Files and Folders logon, the software communicates with an Endpoint Encryption Server to update its policy, provided that you are online. Endpoint Encryption for Files and Folders will also work when offline, provided that your McAfee Administrator has made the central encryption key(s) available for offline use.

The Endpoint Encryption Administrator creates policies that are applied to you. Whenever you logon, your policy is applied and updated. Your Endpoint Encryption Administrator may also force you to do an initial logon after the client has been installed on your computer. You will notice such a forced logon in that you cannot close the authentication window before you have authenticated.

Endpoint Encryption for Files and Folders client

Once the Endpoint Encryption for Files and Folders client is installed, the computer needs to restart. After restart, you may be forced to do a logon to retrieve the correct policy from the central database. If there is no connection to the central database, you will work with the default policy as defined by the Endpoint Encryption Administrator.

If the forced logon is enabled, you cannot bypass the initial logon. The authentication dialog will remain until you have presented proper authentication details.

General information about the client

When you try to access encrypted documents, Endpoint Encryption for Files and Folders automatically recognizes this and prompts you to authenticate. If successful, the document data is transparently decrypted and the appropriate application started.

Figure 1: Endpoint Encryption for Files and Folders authentication dialog
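The following is an added example, not code from this guide or from McAfee, that models the two points made above: the key assignment scheme (an organization common key that every user holds, plus a group key assigned only to selected users) and the rule that the source file is always encrypted on disk. The user names, key names and the sample document are constructed; the hash-based stream cipher with an HMAC tag is a dependency-free stand-in for the product's AES-256 and is not the product's file format.

```python
# Added illustration (not McAfee code): a minimal model of key-based document
# sharing. A document is encrypted once with a named key; only users assigned
# that key can read it, while the stored bytes stay encrypted for everyone
# else, including administrators of the file server.
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter); a stand-in for the
    AES-256 cipher the product uses, NOT the product's file format."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || tag || ciphertext. The HMAC tag lets a reader detect a
    wrong key or a modified file instead of silently producing garbage."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class KeyServer:
    """Models central key assignment: which users hold which named keys."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.assignments: dict[str, set[str]] = {}

    def create_key(self, name: str) -> None:
        self.keys[name] = os.urandom(32)

    def assign(self, user: str, key_name: str) -> None:
        self.assignments.setdefault(user, set()).add(key_name)

    def key_for(self, user: str, key_name: str) -> bytes:
        if key_name not in self.assignments.get(user, set()):
            raise PermissionError(f"{user} is not assigned key {key_name!r}")
        return self.keys[key_name]


class EncryptedShare:
    """A shared folder: every file is stored as (key name, encrypted blob)."""

    def __init__(self, server: KeyServer) -> None:
        self.server = server
        self.files: dict[str, tuple[str, bytes]] = {}

    def write(self, user: str, path: str, key_name: str, data: bytes) -> None:
        # The writer must hold the key too; encryption happens before storage.
        self.files[path] = (key_name, encrypt(self.server.key_for(user, key_name), data))

    def read(self, user: str, path: str) -> bytes:
        key_name, blob = self.files[path]
        return decrypt(self.server.key_for(user, key_name), blob)

    def raw_bytes(self, path: str) -> bytes:
        """What a file-server administrator sees on disk: never the plaintext."""
        return self.files[path][1]


def demo() -> dict[str, bool]:
    """Constructed scenario: an org-wide key every user holds, plus a Board key."""
    server = KeyServer()
    server.create_key("Org common")
    server.create_key("Board")
    for user in ("alice", "bob", "sysadmin"):
        server.assign(user, "Org common")
    server.assign("alice", "Board")  # only alice sits on the board

    share = EncryptedShare(server)
    report = b"Q2 shareholder figures (constructed sample text)"
    share.write("alice", "board/q2.doc", "Board", report)
    share.write("bob", "all/newsletter.doc", "Org common", b"Company newsletter")

    results = {
        "alice_reads_board": share.read("alice", "board/q2.doc") == report,
        "everyone_reads_newsletter": share.read("sysadmin", "all/newsletter.doc") == b"Company newsletter",
        "plaintext_not_on_disk": report not in share.raw_bytes("board/q2.doc"),
    }
    try:
        share.read("sysadmin", "board/q2.doc")
        results["admin_blocked"] = False
    except PermissionError:
        results["admin_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The administrator in the scenario can copy, back up or move `board/q2.doc` like any other file, exactly as the guide says, but without the Board key the bytes are unreadable; the same check is what makes a department key "higher" in the hierarchy than the organization common key.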


The Context Menu Options (right-click menu options)

This chapter deals with the options that are available when you right-click a document or folder, i.e. the context menu options. Since the context menus for folders and documents are almost identical as far as Endpoint Encryption for Files and Folders is concerned, they are described here in common. Any differences in behavior between a folder context menu option and the same option in the document context menu will be described accordingly.

The Endpoint Encryption for Files and Folders context menu options are each marked with the product icon in front of them, i.e. a computer with a gray padlock attached to it.

Figure 2: The Endpoint Encryption for Files and Folders product icon

Each of the context menu options is subject to policy control and may be made unavailable to you by your Endpoint Encryption Administrator. When right-clicking documents and folders you will see the entry McAfee Endpoint Encryption, which in turn has a submenu containing the options your Administrator has enabled for you.

Figure 3: Context menu when right-clicking a document (file)


As is evident from the figures above, there is a slight difference between the context menus for a file (document) and a folder. Each context menu is described below. If an option is not applicable to a file or a folder, the text will state so.

Encrypt…

This option allows you to manually encrypt a file (document) or folder. On some occasions, you may actually see the option in your context menu, but it is “grayed out”, i.e. you cannot select the option. This is because the file or folder you try to encrypt is already set as encrypted by the corporate security policy. In order to prevent you from deviating from what has been centrally defined, you cannot change the encryption status of documents and folders that are controlled by a central encryption policy.

When selected (if enabled and active), the option opens up an encryption dialog where you can make a key selection.

Figure 4: Endpoint Encryption for Files and Folders – Encrypt options (folders)

You may change the following:

Select key: You can select what encryption key to use from a drop-down menu.
Details >>: This button opens up a dialog displaying additional information about the selected encryption key.

When you have selected your encryption key, click OK to launch the encryption. You may be asked to authenticate if the encryption key selected is not present.

Depending on the amount of data to encrypt, there may be a bar stating the progress of the encryption. At the end of the encryption, a dialog is presented telling the result of the encryption. In some cases, the product may fail to encrypt some documents in a folder. Most typically, this is because the document is open in another application. For example, if encrypting a text document while having the document open for editing, the encryption will fail. The application must first be closed, and then the document re-encrypted using the right-click operation.


Decrypt…

This option allows you to manually decrypt a file or folder. On some occasions, you may actually see the option in your context menu, but it is “grayed out”, i.e. you cannot select the option. This is because the file or folder you try to decrypt is set as encrypted by the corporate security policy. In order to prevent you from changing what has been centrally defined, you cannot change the encryption status of documents and folders that are controlled by a central encryption policy.

When selected (if enabled and active), the option directly decrypts the selected file or folder.

For both file decryption and folder decryption you may be asked to authenticate if the encryption key needed for the decryption is not present.

Again, the decryption happens immediately (without any intermediate dialog) provided the user has proper rights to do so.

Depending on the amount of data to decrypt, there may be a bar stating the progress of the decryption. At the end of the decryption, a dialog is presented telling the result of the decryption. In some cases, the product may fail to decrypt some documents in a folder. Most typically, this is because the document is open in another application. For example, if decrypting a text document while having the document open for editing, the decryption will fail. The application must first be closed, and then the document decrypted again using the right-click operation.

Search encrypted… (folder context menu only)

This function allows you to search for encrypted documents and folders in the location you specify. This option is only available when right-clicking a folder, or the Windows Start button. When selected, a search dialog opens up that allows you to specify the details of the search.


Figure 5: Endpoint Encryption for Files and Folders – Search dialog

Specify the parameters for the search, e.g. search for all files (documents) and folders encrypted with a particular key (or ) in this location. You may also select to search for encrypted files only, encrypted folders only or both. At the bottom, you may also select if you want to include all subfolders in the search.

Enter the location for the search start, either by typing in the correct location or by clicking the Browse… button.

When ready, click Search to launch the search. As the search progresses, matching objects found will be displayed in a list.

Once the search is complete, the objects found may be marked with “Ctrl-A” and then any action can be performed on them, e.g. right-click and select Decrypt.

Create Self-Extractor ((unknown).exe)…

This option allows you to create so-called Self-Extractors. A Self-Extractor is a special package that is encrypted with a selected password only and can be read on any computer without installing any programs. There is no need to have Endpoint Encryption for Files and Folders installed in order to read a Self-Extractor. Only the password used to create the Self-Extractor is needed in order to unpack and read it.

When you select this option a Self-Extractor is created of whatever file (document) or folder you choose to do the operation on. Note that the source file/folder will remain intact on disk; only a copy of the file/folder is converted into a Self-Extractor.

Once the menu option is selected, you are asked to provide the password to create the Self-Extractor:


Figure 6: Entering encryption password for self-extracting file

You need to enter the special password that the Self-Extractor will be encrypted with. You may also specify where to save the Self-Extractor. The default location is the same as the location of the source file/folder. Also, you may change the name of the Self-Extractor. By default, it is named as its source file/folder with the *.exe extension.

NOTE: The same password rules apply for the Self-Extractors as for your normal Endpoint Encryption password. For example, if you have a minimum password length of 6 characters for your Endpoint Encryption password, the minimum password length for the Self-Extractor is also 6 characters.

By clicking Advanced, you may specify where to save the Self-Extractor once created.

Figure 7: Specifying the location for the Self-Extractor

If you like, you may browse for a suitable storage location, e.g. a USB memory stick attached to the computer, by clicking Browse.

When finished, click OK, and the Self-Extractor is created. The Self-Extractor file has the following icon:

Figure 8: Example of Self-Extractor


Attach as Self-Extractor to E-mail…

When selecting this option, the Self-Extractor is automatically packaged into a format suited for e-mails (*.cab) and attached to a new e-mail. Any e-mail program can be used for this.

Even though *.cab files often get through in e-mails, it may happen that e-mails sent with a *.cab Self-Extractor attachment are blocked by the recipient's anti-virus program.

Before you can create the Self-Extractor as an attachment, you are asked to provide a password to be used to encrypt the Self-Extractor.

Figure 9: Entering encryption password for Self-Extractor to e-mail attachment

By clicking OK, the attachment is created in a new e-mail ready to be sent.

Attach encrypted to E-mail… (files only)

This option allows you to send a particular document (plaintext or encrypted) in a protected way to a colleague who also has Endpoint Encryption installed. The option creates a special encrypted format of the document and attaches it automatically to an e-mail that you can send. The recipient must have Endpoint Encryption for Files and Folders installed and also have access to the encryption key used when creating the encrypted attachment.

NOTE: If you attach an encrypted document to an e-mail without using the Attach encrypted to E-mail... function, the document will be attached in plaintext even if the document is encrypted on disk. The source document will still be encrypted, but the copy created as an attachment will be in plaintext and the recipient will receive it in plaintext.

The following is a step-by-step instruction on how to send a document as an encrypted e-mail attachment.

Creating and sending the attachment

Select document

Select the document that shall be sent as an encrypted attachment by right-clicking it and selecting Encrypt and E-Mail.... It is also possible to right-click the file and select Send To > Mail recipient (Encrypted).


NOTE: The decision to send a particular document as an encrypted attachment is made outside your e-mail application. The Attach encrypted to E-mail... operation is selected directly on the document and not from within your e-mail program. The encrypted attachment will then automatically be attached as a new e-mail in whatever e-mail program is used.

Select encryption key

The dialog that opens up will ask for a selection of encryption key for the attachment. If the document is already encrypted, it is possible to proceed by clicking OK. However, in that case the recipient must also have the key the document is already encrypted with.

If the document was not already encrypted, the user cannot click OK before an encryption key is selected from the list of available keys.

Select the encryption key to be used for the attachment and then click OK to continue.

Authenticate and Send

Depending on whether the selected key is available, you may be prompted to authenticate before proceeding. Once the attachment is created and encrypted, it will automatically be attached to a new e-mail that is created. You can then fill in the rest of the e-mail and send it.

Reading the attachment

For the recipient to read the attachment, first ensure that Endpoint Encryption for Files and Folders is installed and that the user can access the encryption key used to encrypt the attachment.

Then the recipient simply double-clicks the attachment and it will open in its correct program. If the key used to encrypt the attachment is not available, the recipient must first authenticate.

The recipient may read the attachment and save it in an encrypted state.

Reading a Self-Extractor

For either of the two creation scenarios described above regarding Self-Extractors, opening the Self-Extractor is done in the same manner. For e-mail attachments, however, the Self-Extractor file must first be unpacked from its *.cab file. This is typically done automatically when double-clicking the *.cab file.

Then just double-click the Self-Extractor. You will be prompted for the special password used to create the Self-Extractor. Thus, the creator of this file must submit the password to the recipient of the file in a secure manner.


Figure 10: Opening (decrypting) a Self-Extractor

By default, after typing the correct password the content of the Self-Extractor will open up automatically in the associated application. However, the content won't be automatically saved to disk. When the user closes the application that opened up the unpacked Self-Extractor content, the unpacked content will be wiped from the disk. If the user instead wants to save the Self-Extractor content to disk, the Advanced >> button must be selected.

This opens up an extra dialog where the user may select what to do with the unpacked and decrypted Self-Extractor.

Figure 11: Selecting what to do with the content of the Self-Extractor

By default, the open-close-wipe option is selected. If the Extract option is selected instead, the user may select where to permanently save the unpacked and decrypted Self-Extractor. The user may browse for a suitable location with the Browse button.

Figure 12: Selecting storage location for the unpacked Self-Extractor


Self-Extractors may be read on any computer running Windows 2000 and later. There is no need to have the Endpoint Encryption for Files and Folders client installed. Nor is there any need to have local administrator rights in order to open a Self-Extractor.


The tray icon options

This chapter deals with the options that are available from the Endpoint Encryption product tray icon menu. When you have Endpoint Encryption installed on your computer, you will see a new icon in your system tray, i.e. the bar of icons typically located at the bottom right corner of your screen. The Endpoint Encryption tray icon is common for all Endpoint Encryption products installed and it looks as follows (a computer with a gray padlock attached to it):

Figure 13: The Endpoint Encryption product tray icon

Depending on how many Endpoint Encryption products you have installed, the content of the menu when you right-click this icon will differ. The image below shows the menu when only Endpoint Encryption for Files and Folders is installed.

Figure 14: Endpoint Encryption for Files and Folders tray icon menu options

Some of these options may not be visible to you. This means that they have been disabled for you in your encryption policy by your Endpoint Encryption Administrator. Each of the menu options is described below.

In addition to these options, the following options may be listed:

• Initialize Removable Media...
• Recover Removable Media...
• Change Removable Media Authentication...


These three options pertain to the Endpoint Encryption for Removable Media (EERM) feature and are all subject to policy control, i.e. if EERM is not enabled in your policy, these options will not appear.

About Endpoint Encryption for Files and Folders…

This option opens a window that contains a description of your installation of Endpoint Encryption for Files and Folders. Typically, there is no need for the regular user to get acquainted with the content of the About… window. Should you have any questions about this option, please contact your Endpoint Encryption Administrator.

Unload all keys

Selecting this option effectively closes all encryption keys that are available to your system. This means that you need to authenticate again before you can access encrypted data, i.e. you need to open the keys for use again. It is good security practice to close all keys before you leave your computer unattended for a period of time. However, there are also other security parameters in Endpoint Encryption for Files and Folders that your Endpoint Encryption Administrator may have enabled for automatic key closing. Ask your Endpoint Encryption Administrator about proper use of this manual option.

User Local Key management options

There is a section in the tray icon menu that contains options for your locally generated encryption keys, if applicable.

Figure 15: Endpoint Encryption for Files and Folders user local key management options

All these options are described in the Local key management chapter.


Options for EERM

These options are enabled if EERM is selected as the protection method for removable media. Details on each option can be found in the Endpoint Encryption for Removable Media (EERM) chapter.

Endpoint Encryption Recovery

This option starts the recovery process, should you have forgotten your Endpoint Encryption password. Follow the wizard that starts when you select this option. The recovery process requires interaction with the Endpoint Encryption central database. This is facilitated either by calling your helpdesk, or by using the Endpoint Encryption Web Recovery. Please consult your Endpoint Encryption Administrator for what recovery procedure applies to you.

You don't need to be online in order to do a recovery. Recovery will work even if you have no contact with any network.

The explanation below assumes a verbal interaction with your helpdesk; the web recovery approach is very similar.

1. Call your helpdesk according to your organization's principles.
2. Start the recovery wizard from your tray icon menu.

Figure 16: Recovery start from tray icon menu

3. Enter your Endpoint Encryption user name and click Next >.
4. Read out the challenge code to your helpdesk operator, then click Next >.
5. (Answer any validation questions asked by your helpdesk.)


6. Enter the response codes that your helpdesk reads out to you; after each line, click Enter. If you mistype a code, you will be notified about this.
7. After entering the last code, click Next >. You will then be asked to enter a new password. Note that you still need to comply with the password quality rules of your organization.

Figure 17: Selection of new password after completed recovery

8. Once you have selected a new password, click OK to proceed and finish the recovery. Click OK to close the confirmation dialog and then Finish to complete the recovery. You can use the new password immediately to log on to Endpoint Encryption.

For recovery of lost smart cards or other authentication tokens, please ask your helpdesk for appropriate procedures.

Show status

This option opens a dialog presenting the ongoing activities in the Endpoint Encryption for Files and Folders client. For example, if the client is active in encrypting the content of a network folder, it will be displayed in the dialog along with an approximation of how long it will last.

There are also two buttons available:

Diagnostics

This button automatically creates an e-mail with an attachment using the system default e-mail application. The attachment contains non-sensitive information for support purposes. The better the description of the machine needing support, the better understanding the support staff will get, and thus the chance of a quick resolution of the support issue is improved.


The e-mail with the attachment shall be sent to your Helpdesk along with a description of the support issue.

Again, it is important to stress that no secret or sensitive information is collected. Under no circumstances is sensitive information about encryption keys included, nor are any encryption keys, or pieces of these, ever included. As you may verify by reviewing the attachment in a standard Web browser, there is no data disclosure of documents stored on the computer.

Synchronize

This button triggers a client synchronization with the Endpoint Encryption central system. See the next section for details.

Synchronization

Synchronizing Endpoint Encryption for Files and Folders triggers an authentication to the central Endpoint Encryption system. During synchronization, your policy is updated to reflect any changes in the Endpoint Encryption central system. Also, all encryption key assignments and settings are updated.

Also, any successful Endpoint Encryption for Files and Folders authentication, when online with the central system, automatically updates your policy and the encryption key settings. Hence, it is not necessary to do a manual Synchronization to get the policy updated; yet the option exists for immediate synchronizations.


Local key management

This chapter deals with the different options related to user local encryption keys, i.e. encryption keys that you create on your own and that you manage on your own.

If allowed by the policy that your Endpoint Encryption Administrator has assigned to you, you can create your own encryption keys, i.e. encryption keys that no one else but you can see or manage. The only one who can manage your keys is you. You decide with whom you want to share your encryption keys such that more persons can read data encrypted with your key, if needed.

If you have local keys enabled in your policy, you will see an entry for this in the tray icon menu which appears when you right-click the product icon in the system tray. Depending on the number of Endpoint Encryption products installed on your computer, this menu may look different than below. The image below shows a tray icon menu where only Endpoint Encryption for Files and Folders is installed.

Figure 18: User local keys tray icon menu options

Each of the local key options is subject to policy control and may be disabled for you. If disabled, the corresponding entry won't be listed in the menu.

For user friendliness, each of the menu options starts a wizard when selected. The wizard will help you through all the steps needed to complete the action you selected. In the following paragraphs, each local key menu option is described in text, where the wizard steps are listed, along with important details.


Create Local Key…

This option starts a wizard that creates an encryption key. The encryption keys are stored in so-called "Key Stores". Each Key Store is protected with either a password that you select (password token), or with your digital certificate (PKI token). You will select the proper token when you create the key store.

Your Key Store may be stored either on your computer's hard disk, or on a removable storage media, typically a USB memory stick. It is possible to have one Key Store on the hard disk and another on removable storage, where each Key Store holds different keys.

If there are no Key Stores available when you select this menu entry, the wizard will help you to first create a Key Store.

The Create Local Key Wizard

The following steps constitute the Create Local Key… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select storage location – Select where you want to place your key store from the drop-down menu. If you want to place the key store on a USB memory stick, then make sure the drive is inserted before you start this wizard. When ready, click the button Next > to continue.
3. Choose protection mechanism – If you create a new key store, you will be asked to select how you want to protect this key store. There are two options: a) passwords or b) digital certificates. Only select (b) if you have a digital certificate available. Depending on whether you select (a) or (b), the next dialog will differ.
   • Password protected – You will be asked to enter the password you want to use. Confirm the password and click Next > to continue. Note that the same password quality rules apply as for your normal Endpoint Encryption password, e.g. if your Endpoint Encryption password must contain at least two numbers, then the password for your local keys must also contain at least two numbers.
   • Certificate protected – Select the certificate you want to use from the list of available certificates. If you do not have a certificate available, the list will be empty. If so, consult your IT Administrator for information about what certificates you should have access to. Select the certificate you want to use and then click Next > to continue.


4. Key name and timeout – Give the key an appropriate name and also select the inactivity timeout for the key from the drop-down menu. The inactivity timeout defines how long a key can remain unused in memory. When the timeout is reached, you'll need to authenticate before you can access encrypted documents again. When ready, click Next > to continue.
5. Create random input – Move the mouse and/or type on the keyboard in a random manner to create good random input to the key to be created. When ready, click Next > to continue.
6. Summary page – This page shows a summary of the key creation just finished. You will find the parameters you could change listed, along with some other information that you cannot change. Click Next > to continue.
7. Logon to Endpoint Encryption – You may be asked to authenticate to Endpoint Encryption before you can complete the wizard. The reason is that you need to access the corporate recovery key that will be used when you create your key store. The corporate recovery key provides for a recovery mechanism such that you can recover your local keys if you, for example, forget your password. If you create a key in an existing key store, then you may also need to enter the password (or certificate PIN code) for the existing key store before you can complete the wizard. This is all for security reasons.
8. Completion page – This page completes the wizard. Click Finish to close the wizard.

Ensure you give your encryption keys unique names, ideally reflecting the purpose of the key, e.g. My Private Key, Mail Key, Project X Key, etc. The system allows keys to have identical names; therefore, lack of a proper naming convention may cause confusion as to what key to use, and more importantly, what keys can safely be deleted.

Delete Local Key…

You may delete encryption keys that are no longer used or that have been mistakenly created. Remember, be very careful when deleting encryption keys. A deleted encryption key cannot be recovered. Consequently, documents encrypted with a deleted key can never again be opened.

NOTE: Again, if enabled, use the Delete Local Key operation very carefully! Make sure you use the Search encrypted… function (in the search dialog, specify the key you intend to delete) to find possible documents encrypted with the key you intend to delete.


The Delete Local Key wizard

The following steps constitute the Delete Local Key… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select key – Select the key you want to delete from the list of available keys in the drop-down menu. Please observe that deleting keys is a one-way process. A deleted key cannot be recovered. When ready, click Next > to continue.
3. Confirmation dialog – This dialog leaves room to confirm that you have selected the right key to delete. If you have selected the wrong key, simply click < Back and redo the selection. Click Next > to continue.
4. Authentication – Before completing the deletion, you have to authenticate even if the key store is open. This is for security reasons.
5. Completion page – This page completes the wizard. Click Finish to close the wizard.

Export Local Key…

If you want to share encrypted documents with other users, you must all share the encryption key(s) used to encrypt the documents.

In order to share encryption keys that you have created with other users, you need to export the key to these other users. These other users must in turn import the key you have exported. When exported, the encryption key is packaged into a protected format, a file with SKS as extension. The SKS file is protected with a password that you select when creating it. In order to import the file, the users must know this "transport password". The SKS file may very well be sent as an e-mail attachment. However, make sure you don't send the "transport password" in that same e-mail. Try to always communicate the "transport password" in another way, e.g. in a cell phone SMS message, or verbally over the phone.

The Export Local Key wizard

Exporting a key is facilitated by a wizard. The following steps constitute the Export Local Key… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select key to export – From the drop-down menu, select the encryption key you want to export. Note that it is only possible to export encryption keys that you have created on your own. It is not possible to export keys that have been created in the central Endpoint Encryption database. When ready, click Next > to continue.
3. Select where to save the SKS file – Select the location where you want to save the exported encryption key (SKS file). You may click the Browse… button to browse for another location than the one suggested by default. When ready, click Next > to continue.
4. Enter "transport password" – Enter the password you want to use to protect the package containing the key (SKS file) while in transit. Confirm the password and click Next > to continue.
5. Summary page – This page shows a summary of the export operation. If you want to change anything, simply click < Back and make the changes. Otherwise, click Next > to continue.
6. Completion page – This page completes the wizard. Click Finish to close the wizard.
7. Logon to Endpoint Encryption – You may need to authenticate to Endpoint Encryption for security reasons. If prompted, enter your Endpoint Encryption credentials and then click OK.
8. Authenticate to key store – As key export is a security critical operation, you will be requested to authenticate to the key store holding the key you try to export. Authenticate with the proper credentials and then click OK to complete the export. The SKS file is now created in the location you specified in step (3) above.

You may now provide the SKS file to other users in order to share the encryption key. Again, the other users must first import the encryption key and also be notified about the "transport password" you selected. Import of encryption keys is described next.

Import Local Key…

To import an encryption key, you first need to create a key store where you can place the imported key, unless you already have a key store available. Creating key stores is described in the section.

Once a key store is available, you may import encryption keys from other users such that you can share encrypted documents. Importing a key is facilitated by a wizard.

The Import Local Key wizard

The following steps constitute the Import Local Key… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.


2. Find the location of the SKS file – Specify the location where you have saved the exported key (SKS file) that you have received. You may click the Browse… button to browse for the file. When ready, click Next > to continue.
3. Select key store – Select to what key store you want to import the key. Your available key stores are listed in the drop-down menu. When you have selected a key store, click Next > to continue.
4. Summary page – This page shows details about the import operation. If you want to change anything, simply click < Back and make the changes. Otherwise, click Next > to continue.
5. Enter transport password – In the next step, you are asked to enter the transport password that you should have received. If you don't have this password, contact the user who exported the encryption key to you. You won't be able to complete the import before you have entered the correct transport password.
6. Authenticate to key store – As key import is a security critical operation, you will be requested to authenticate to the key store you selected to place the imported key in. Authenticate with the proper credentials and then click OK to complete the import.
7. Completion page – This page completes the wizard. Click Finish to close the wizard.

You may now use the encryption key you have imported. It will be listed among your other encryption keys. You can now also read documents encrypted with that key.

Rename Local Key…

You can easily change the name of the encryption keys you have created. Remember to name your encryption keys wisely, e.g. after their purpose.

The Rename Local Key wizard

The following steps constitute the Rename Local Key… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select key to rename – Select the key you want to rename from the drop-down menu. When ready, click Next > to continue.
3. Enter new name – Enter the new name for the key. You cannot give the key a "blank" name, nor can the name start with a space. When ready, click Next > to continue.


4. Summary page – This page shows a summary of the rename operation. If you want to change the name again, simply click < Back and retype the name. Otherwise, click Next > to continue.
5. Completion page – This page completes the wizard. Click Finish to close the wizard.

Recover Local Keys…

Should you have forgotten the password for locally generated keys, or if you have lost the token holding your certificate, then you need to perform a recovery operation. The recovery operation is assisted by a wizard. The recovery involves the use of the central recovery key. Thus, you may be prompted for your Endpoint Encryption central password in order to access the recovery key in the recovery process.

The Recover Local Keys wizard

The following steps constitute the Recover Local Keys… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select key store to recover – From the drop-down menu, select the key store you want to recover, i.e. the key store you have lost the credentials for. When ready, click Next > to continue.
3. Enter new credentials – Depending on whether the key store was a) password or b) certificate protected, the next dialog will look somewhat different.
   • For password protected key stores, a dialog will prompt you to enter a new password. Confirm the password you select and click Next > to continue. You may click < Back if you want to step back and change the password. Note that the password you select for your local keys must follow the same password quality rules as your normal Endpoint Encryption password, e.g. if your Endpoint Encryption password must be at least 6 characters long, then the password for your local keys must also be at least 6 characters long.
   • For certificate protected key stores, a dialog will ask you to select a new certificate to use to protect the key store. You should have been provided a new certificate from your IT Administrator, should you have lost the token containing the old certificate. Select what other certificate to use and click Next > to continue. You may click < Back if you want to step back and change certificate.


4. Summary page – This dialog shows information about the recovery to be performed. Click Next > to continue, or click < Back if you want to step back and change anything.
5. Authenticate to Endpoint Encryption – In order to complete the recovery, you need to access the central recovery key that your Endpoint Encryption Administrator has selected to be used for recovery. Enter your Endpoint Encryption credentials when prompted and click OK to continue.
6. Completion page – This page completes the wizard. Click Finish to close the wizard.

Change Local Token…

You may change the protection mechanism for your key stores at any time using the Change Token… wizard. For example, you may want to change from password to certificate protection when you have been given a smart card with your corporate digital certificate. Also, if you want to change the password for an existing local key store, this wizard is the one to follow.

The Change Local Token wizard

The following steps constitute the Change Token… wizard:

1. Welcome dialog – The opening dialog presents some information about what the wizard will accomplish. Click Next > to continue.
2. Select key store – From the drop-down menu, select the key store for which you want to change the protection mechanism or password. When ready, click Next > to continue.
3. Select new token – Select what token you want to change to. Depending on whether you choose a) password protection or b) certificate protection, the next dialog will differ.
   • If password protection is selected, you will be asked to enter the (new) password you want to use. Confirm the password you select and click Next > to continue. You may click < Back if you want to step back and change the password. Note that the password you select for your local keys must follow the same password quality rules as your normal Endpoint Encryption password, e.g. if your Endpoint Encryption password must be at least 6 characters long, then the password for your local keys must also be at least 6 characters long.
   • If you selected digital certificate protection, you will be asked to select a certificate from the list of available certificates. If the list is empty, then no functional certificate is available. Contact your IT Administrator if you have problems importing digital certificates. Select what certificate to use and click Next > to continue. You may click < Back if you want to step back and change certificate.
4. Enter (old) token credentials – You will be asked to enter the (old) credentials for the key store whose protection mechanism you are changing. Enter the appropriate credentials and then click OK to continue.
5. Summary page – A dialog shows a summary of the token change operation. Click Next > to continue.
6. Completion page – This page completes the wizard. Click Finish to close the wizard.


Endpoint Encryption for Removable Media (EERM)

What is McAfee EERM?

McAfee Endpoint Encryption for Removable Media (EERM) is a software solution that protects removable devices; primarily, USB thumb drives commonly referred to as “memory sticks”. However, any attached removable storage can be protected with EERM, except for CDs/DVDs and floppy disks.

User experience

Workflow

When you insert a non-protected removable device on a client with Endpoint Encryption for Files and Folders (EEFF) installed and the policy for removable media encryption states “EERM protection”, the following happens:

Notification dialog

The initialization of the device starts with a notification dialog. You can choose to protect the media, or ignore it, with Yes and No respectively. If you click No, the media will be made Read-Only while inserted. If you select Yes, the initialization of the device with EERM will start according to what the policy specifies.

Initialization dialog

If you select to protect the media, an initialization dialog will be presented, whose content will depend on what is set in your encryption policy. Fill out the information requested in the dialog in order to finish the initialization. The fields that can be filled in are:

Authentication

In this section you shall enter the authentication method. You can either select a password or a digital certificate. Only one of the two methods can be selected.

For the password method, you need to select a password that conforms to the default complex password rules in your organization. These password rules may well be stricter than those rules in effect for your Windows logon password.

If you fail to meet the password requirements, a dialog will appear stating what the password rules are. Please read through and then select a password that matches the rules.
If you select a digital certificate for authentication, you need to point out what digital certificate to use for the EERM authentication.

For both the password and the digital certificate field, the selection fields cannot be left empty, i.e. you must fill in valid authentication credentials.

Recovery

In this section, you are asked to select what recovery method to use in case you forget/lose your authentication credentials. You can have multiple recovery options enabled at the same time.

Depending on what your security administrator has set forth in your encryption policy, not all recovery mechanisms may appear. These are the available recovery methods, which your administrator will determine.

Recovery key

This method uses a Recovery key from the central management system to configure the recovery of the device. You may be prompted to authenticate to EEFF in order to access this key, and you cannot change the Recovery key your administrator has selected.

In a recovery situation, you will need to interact with the Helpdesk to do a challenge/response code exchange to reset your authentication password. Also, this recovery method can only be done from a client with the EEFF client installed.

Recovery password

This recovery method presents you with an option to select a Master Password (Recovery password). You will enter this password in the fields that open up when this recovery option checkbox is marked. With this password you can recover the encrypted device without any interaction with the Helpdesk. Also, you can do this recovery from a computer without the EEFF client installed.

Please note that the Recovery password must conform to the same password quality rules as your authentication password. Since Password History is a part of the hardcoded password rules, this means that the Recovery password cannot be set to the same password as the authentication password.

Recovery certificate

This option presents you with an option to select a digital certificate to use for recovery.
By using the certificate it will be possible to recover the device without any interaction with the Helpdesk. Also, you can do this recovery from a computer without the EEFF client installed.

Recovery questions

When marking this checkbox, you can enter five questions and answers that will be used in a recovery situation, i.e. you will be able to recover the encrypted device by again answering the selected questions without any interaction with the Helpdesk. Also, you can do this recovery from a computer without the EEFF client installed.

Note: It is sufficient for you to answer four out of five questions correctly. Four correct answers will allow the recovery to succeed.

Initialize

When you have made all the selections in the initialization dialog, clicking the Initialize button will launch the initialization of the device as per the policy and your input.

The progress of the initialization is displayed in the progress bar at the bottom of the dialog. It is strongly recommended not to unplug the device during initialization or to cancel the initialization process. This may result in a device in “unknown state”, i.e. it cannot be used on a machine with EEFF installed.

Initialization complete and Authentication

Once the initialization is complete, an authentication dialog may appear requesting the user to authenticate to the device. If such a dialog appears, simply fill in the authentication information and then start working with your device.

Note: If there has been a failed initialization operation previously on the system, a message will state that a few files used during the initialization need to be wiped from the system. Simply click Yes to do this operation.

Once initialized, the device can be used on any (Windows) machine without requiring any software installation.

Note: If the device has entered an “unknown state” as a result of you unplugging the device during initialization or canceling the initialization, the device can be formatted from a system without EEFF installed, using standard Windows format. After that, the device can again be protected with EERM.

A device encrypted with EERM is not protected against re-formatting from other systems where EEFF is not installed. You can re-format an EERM protected device on such machines, but do remember that such an operation will erase everything on the device, including all your files. When you again try to use that device on a system with EEFF installed and EERM protection enabled, you will be asked to re-protect your device. You will then need to enter all recovery information and password(s) again.

Working with device – “Onsite”

After successful initialization of the device, you may be prompted to authenticate with the authentication method selected during initialization.

If you have forgotten your password or lost your certificate, you can click Recover…. The recovery process is described later in this guide.

If you enter a wrong password three consecutive times, the authentication dialog will offer the option to do a recovery. You may click Yes, in which case the recovery dialog starts, or No, in which case you will need to restart the authentication.

Once authenticated, you will see the encrypted folder as a drive in the system. Encrypted items will have a padlock on them, as will the drive. Depending on what policy your administrator has set, you can put data either into the encrypted container only, or you can select whether data shall be placed in the encrypted container or in the plaintext area of the device. The plaintext area is denoted as a folder called Unprotected Files. If your administrator has decided that the entire device should be encrypted, you will not see the folder called Unprotected Files.

It is possible to work with your encrypted device just like with any other removable drive in Windows, i.e. drag-drop, copy/cut-paste and all other Windows Explorer operations will work.

If a device that is already protected is inserted into a system with EEFF installed, the authentication dialog will appear automatically and, after successful authentication, you will see the encrypted content as per the above description.

Note: Even if you see a folder called Unprotected Files, your administrator may have prevented you from placing data in that folder when at work. If so, you can only read files from that folder.

Working with device – “Offsite”

When you insert an EERM protected device on a system without EEFF installed, e.g. your home PC, you will be presented with a list of available activities for the device. One of the activities will be Show my protected files with the McAfee icon. If you select this activity, the EERM authentication dialog will appear prompting you to enter valid information. You can also click Recover… if the password is forgotten or the certificate lost. The recovery process is described later.
If you enter a wrong password three consecutive times, the authentication dialog will offer the option to do a recovery. You may click Yes, in which case the recovery dialog starts, or No, in which case you will need to restart the authentication.

If you do not select the Show my protected files activity, you will need to manually start the MFEeerm.EXE application that resides on the device in order to access the encrypted folder. This will again launch the authentication dialog.

Once authenticated, you will again see the encrypted files on a drive in Windows Explorer. You can edit the protected files and save the changes with retained encryption.

If there is a plaintext area, the content of this area will be available irrespective of whether you authenticate or not. The plaintext area will be in the root of the drive.

It is possible to work with this drive just like with any other removable drive in Windows, i.e. drag-drop operations within Windows Explorer will work.

Recovery

If you have forgotten the authentication password or lost your authentication certificate, the EERM encrypted devices can be recovered, provided you have filled in all the recovery parameters for the enabled recovery option(s).

When clicking Recover… in the authentication dialog, a recovery dialog will open up showing you the recovery options available.

There may be multiple recovery methods available for you, but only one can be executed (at a time). You can choose whatever recovery method you want amongst the ones displayed.

Note: With the User Questions recovery, it is sufficient to answer four out of five questions correctly. Four correct answers will allow the recovery to succeed.

When you have entered valid recovery parameters (Challenge/response, Certificate, User questions or Recovery password), an authentication method reset dialog is presented where you are prompted to select a new authentication method, i.e. a new certificate or a new password (only one can be selected). Once selected, the recovery is complete.

“Onsite” tray icon menu

When working with EERM onsite, i.e. from a system where the EEFF client is installed, some EERM options are available on the McAfee EEFF tray icon menu.
To access the menu, right-click the McAfee EEFF tray icon. For EEFF, the following EERM related options are available:

Initialize Removable Media...

This option allows a manual (re-)initialization of an attached removable device. The device will be initialized as per the EERM settings in the user’s EEFF policy.

Recover Removable Media...

This option launches a recovery wizard for an attached removable device protected by EERM.

Change Removable Media Authentication...

This option allows you to change the authentication token for a removable device protected by EERM, e.g. change the password or switch to certificate authentication.

Password change

To change the authentication method (change password or change certificate) when “Onsite”, click the McAfee EEFF tray icon menu and select Change Removable Media Authentication…. This will launch a dialog where the authentication method can be changed.

To change the authentication method (change password or change certificate) when “Offsite”, from the EERM Explorer, select Tools from the top menu and then Change password. Follow the steps on the screen to complete the authentication method change.
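As an added illustration, not McAfee's code and not a description of how EERM actually stores the recovery questions: one way a four-of-five recovery threshold like the one described under Recovery questions and Recovery above can be built. The device secret is split with Shamir secret sharing over a prime field and each share is wrapped under a key derived from one answer, so any four correct answers reconstruct it and three do not. The field prime, the KDF parameters, the function names enroll/recover and the sample questions and answers are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Assumed field prime (2^127 - 1); the shared secret must be smaller than it.
P = 2**127 - 1

def _poly_eval(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x over GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def _answer_key(index, answer, salt):
    """Derive a 32-byte key from a normalised (lower-cased, whitespace-collapsed) answer."""
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt + bytes([index]), 100_000)

def enroll(secret, answers, threshold=4):
    """Split secret into len(answers) shares; wrap share i under the key derived from answer i."""
    assert 0 <= secret < P and threshold <= len(answers)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    salt = os.urandom(16)
    blobs = []
    for i, ans in enumerate(answers, start=1):
        share = _poly_eval(coeffs, i).to_bytes(16, "big")
        key = _answer_key(i, ans, salt)
        wrapped = bytes(a ^ b for a, b in zip(share, key[:16]))  # one-time pad with KDF output
        tag = hmac.new(key[16:], wrapped, "sha256").digest()[:16]  # detects a wrong answer
        blobs.append((i, wrapped, tag))
    return {"salt": salt, "threshold": threshold, "blobs": blobs}

def recover(record, answers):
    """Return the secret if at least `threshold` answers are correct, else None."""
    points = []
    for (i, wrapped, tag), ans in zip(record["blobs"], answers):
        if ans is None:
            continue  # question skipped by the user
        key = _answer_key(i, ans, record["salt"])
        if not hmac.compare_digest(hmac.new(key[16:], wrapped, "sha256").digest()[:16], tag):
            continue  # wrong answer: this share stays unusable
        points.append((i, int.from_bytes(bytes(a ^ b for a, b in zip(wrapped, key[:16])), "big")))
    if len(points) < record["threshold"]:
        return None
    secret = 0  # Lagrange interpolation at x = 0 (extra correct points do not change the result)
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret
```

With one answer wrong, recover still returns the secret; with two wrong or skipped it returns None, which is the behaviour the four-of-five rule describes.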
Index

C
Change token for local key, 33
Close all keys, 22
Create local key, 27, 30

D
Decrypt…
  files, 14
  folders, 14
Delete local key, 28

E
Encrypt…
  files, 13
  folders, 13
Endpoint Encryption Recovery, 23
Export local key, 29

I
Import local key, 30

R
Recover local key, 32
Rename local key, 31

S
Search encrypted files, 14
