
McAfee Endpoint Encryption

Frequently Asked Questions

Q. Why encrypt?

A. Encryption makes information unintelligible. Full disk encryption (which USDA and, therefore, ARS are implementing) makes it impossible to inadvertently store information in an unencrypted state. If you have a password on your unencrypted laptop and it is stolen, all that a thief has to do to compromise your information is remove the hard drive and install it in another computer. With encryption, information cannot be compromised.

Q. Do I have to encrypt my laptop with McAfee Endpoint Encryption (MEE)?

A. Yes, all laptops that are used must be encrypted. Once your mobile PC has been encrypted, you will enjoy the peace of mind that comes from confidence that your information will not be compromised in the event of loss or theft. Please note: if your laptop is used exclusively for scientific equipment (and is never removed from the building), you may obtain a waiver.

Q. What policies cover the use of encryption on our laptops?

A. The relevant policies that cover the use of encryption are:

  • Office of Management and Budget (OMB) Memorandum 06-16 (M-06-16), Protection of Sensitive Agency Information (www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf)
  • Memo from David M. Combs, et al., USDA Chief Information Officer, June 14, 2007, subject: Data Encryption and Dual Factor Authentication (www.ocio.usda.gov/directives/doc/Data_Encryption_and_Dual_Factor_Authentication-06-15-2007.pdf)

Q. Are there any risks involved with encryption?

A. The risks are minimal but cannot be completely disregarded. 

  • Currently, we are recommending that the following not be encrypted:
    • Laptops with solid state drives
    • The following have been reported as having some issues:
      • IBM Lenovo laptops
      • Dell Latitude D6xx
      • Gateway E-100
  • Prior to encrypting the laptop, we will perform the following:
    • Upgrade the system BIOS
    • Run Windows and Symantec updates (and others, such as MS Office, if needed)
    • Back up the laptop
    • Run CHKDSK

Q. How do I get McAfee Endpoint Encryption installed on my laptop?

A. Please contact your local ARS IT Staff.

Q. Will McAfee Endpoint Encryption change the way I use my laptop?

A. You will notice some slight differences in the login screens. ARS laptops have been password-protected for quite some time; however, MEE installs a pre-boot (pre-Windows) login that is required to unlock the hard drive. You will be prompted to log in at the pre-boot screen any time you reboot your laptop. The login screen for MEE looks different from the Windows login that you are probably used to seeing. An example of the screen is shown below; however, you will see the USDA logo in the background.

Q. What happens if I forget my password?

A. Contact MLIT for assistance.

Q. I changed my ARS network password and now I can't log in to my laptop.

A.  Even though your MEE ID is in the same format as your ARSNet ID, these are two different IDs and will not synchronize unless you manually change them at the same time.

Q. Does McAfee Endpoint Encryption have any effect on my Windows applications?

A. No, MEE’s encryption is transparent to the Windows operating system.

Q. How does McAfee Endpoint Encryption work?

A. The McAfee Endpoint Encryption tool encrypts data at rest. Once the computer is up and running, the drive is, for all intents and purposes, no longer encrypted as far as Windows and its applications are concerned.

Q. Do you have to be on the ARS network for the encryption to work?

A. No. The McAfee Endpoint Encryption (MEE) server has a public IP address.

Q. We back up our local drives. Will this impact our backups?

A. Any Windows-based tools that back up, read, and manipulate files will work just fine after encryption; files themselves are moved/copied/transferred in an unencrypted state.
However, any Windows-based tools that manipulate disk blocks or sectors should NOT be used, since the sectors themselves are encrypted when they’re stored on the drive, and the encryption tool is responsible for managing the drive at the block/sector level.

Q. Will McAfee Endpoint Encryption affect my laptop's performance?

A. MEE will have a very small impact on your laptop performance when writing files. One of the primary reasons why MEE was selected was its low impact on performance compared to other encryption packages. Laptops more than 3 years old and not running Windows XP will likely see the greatest impact on performance.

Q. Does McAfee Endpoint Encryption work on a Macintosh laptop?

A. McAfee currently does not have a version of the MEE encryption software that can be installed on Apple laptops. 

Q. Does McAfee Endpoint Encryption encrypt network drives or USB thumb drives?

A. No, MEE only encrypts the local hard drives contained within your laptop. 

Q. Can I re-partition my laptop or have multiple boot partitions?

A. We do not recommend encrypting multiple boot machines at this time.

Q. Is it possible to "re-image" a laptop when it has McAfee Endpoint Encryption installed?

A. Yes, we can remove MEE in cases where it is necessary to do so for troubleshooting purposes.  Formatting or re-imaging a laptop will remove MEE as well as the encrypted data that was on the hard drive. 

Q. Can you encrypt my PDA, SmartPhone or other mobile device?

A. At this time we are not encrypting PDAs and SmartPhones.

Q: I have several laptops that are shared and each individual has a separate Windows login. Once encrypted, will the user, whichever one it may be, simply log in to MEE with their credentials and then proceed to their Windows ID? (They are in the same user group.)

A:  Each user has his or her own encryption credentials which would be used to decrypt the device’s hard drive and boot the device.  Once the device has completed the boot process, each user would use his or her own Windows credentials to then access the Windows environment on that device.

Q:  Does the password policy include aging?  What are the complexity and length requirements?
When the encryption process started, it began by creating a large number of users for the machine, none of whom were recognizable names to me.  Who are they?  Why does my laptop need these “accounts”?  Do they have access to my laptop?  

A:  The password policy does indeed include aging.  Your encryption password expires every 90 days, and the system will remember the last 24 passwords you used.  The minimum password length is 10 characters, which must include at least one letter and one number.
The large number of user names associated with your laptop is a functional limitation inherent in the way that USDA set up the encryption servers to function. We were required to set up user groups that contained hundreds of users. “ARS PWA MACHINE GROUP 1” is mapped to “ARS PWA USER GROUP 1”, which contains about 400 users. “ARS PWA MACHINE GROUP 2” is mapped to “ARS PWA USER GROUP 2”, which contains about 400 users, and so on for each ARS group. Further, each machine in “ARS PWA MACHINE GROUP 1” gets all users from “ARS PWA USER GROUP 1” added to its user database, and the same for machine group 2, etc. All users in the same user group as you would technically be able to decrypt the laptop and get it to boot up; however, none of those other users would be able to access the Windows environment on your laptop unless you had explicitly given them access.
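
The password policy stated in the answer above (10-character minimum, at least one letter and one number, 90-day expiry, last 24 passwords remembered) can be expressed as a check like the following. This is an added example, not MEE's or USDA's own code; the function names and the salted PBKDF2 history storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values taken from the FAQ answer above.
MIN_LENGTH = 10       # minimum password length
MAX_AGE_DAYS = 90     # password expires every 90 days
HISTORY_DEPTH = 24    # last 24 passwords are remembered
ITERATIONS = 20_000   # example PBKDF2 work factor (assumption, not from the page)

def digest(password, salt):
    """Salted hash, so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def remember(history, password):
    """Append a password to the history and keep only the newest 24 entries."""
    salt = os.urandom(16)
    history.append((salt, digest(password, salt)))
    del history[:-HISTORY_DEPTH]

def check_new_password(password, history):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Re-hash the candidate with each stored salt; compare in constant time.
    if any(hmac.compare_digest(digest(password, s), d) for s, d in history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

def is_expired(last_changed, today):
    """True once the password has reached the 90-day age limit."""
    return (today - last_changed).days >= MAX_AGE_DAYS

if __name__ == "__main__":
    history = []
    remember(history, "Constructed01pw")            # constructed sample value
    print(check_new_password("Constructed01pw", history))
    print(check_new_password("abc", history))
    print(is_expired(date(2024, 1, 1), date(2024, 1, 1) + timedelta(days=90)))
```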

Q. Who should I contact if I have additional questions about McAfee Endpoint Encryption?

A. Please contact your local IT staff for additional questions.



