4.2 Creating an Emergency Recovery Information File

If a situation occurs where a user cannot access the encrypted volumes on a device, you might need to perform an emergency recovery of the device. This requires an Emergency Recovery Information (ERI) file for the device.

An ERI file is a password-protected file that contains the encryption keys for the encrypted volumes of the device’s hard disk. The file is the only way to get into the device in an emergency.

By default, whenever the ZENworks Full Disk Encryption Agent changes the encryption settings (volumes, algorithm, and so forth) for the hard disk, an ERI file is created and sent to the ZENworks server to be stored on your network.

If a user infrequently connects to the network, or if you simply want to ensure that the user has a personal backup copy of the ERI file, you or the user can manually create an ERI file and store it in a secure location other than the device’s local hard disk. For example, a removable storage device such as a USB drive could be used.

To create an ERI file:

  1. Open the Full Disk Encryption agent on the managed device. See Accessing the Full Disk Encryption Agent.

  2. Click the Create ERI File button if it is available.

    or

    If the Create ERI File button is not available, click Commands, specify the password to display the Commands dialog box, then click the Create ERI button.

    The Create ERI File button is only available in the About dialog box if the feature has been enabled in the Disk Encryption policy applied to the device. However, the Create ERI button is always available in the Commands dialog box. To access the Commands dialog box, you must know the FDE Admin password for the policy assigned to the device, or you must know the ZENworks Agent override password or key. For more information about passwords, see Section B.0, Administrator Passwords.

  3. When you are prompted to assign a password to the ERI file that will be generated, specify a password, then click OK.

    If a strong password is required, it must include at least one uppercase letter, one lowercase letter, one number, and one special character. Special characters are:

    ~ ! @ # $ % ^ & * ( ) _ + { } [ ] : ; < > ? , . / \ - = | "

    Make sure the password is one that you can remember. The password is required to use the ERI file for an emergency recovery.

    The Full Disk Encryption Agent creates a computer-name_yyyy_mmdd_hhmm.eri file on your desktop (for example, computer1_2011_1208_1435). If you are connected to the ZENworks server on your network, it is also sent to the server.

  4. Copy the ERI file to a secure location that is still accessible when the device is not.
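
Step 4 can be scripted so that the copy is verified before anyone relies on it for a recovery. The following Python code is an added example, not part of the ZENworks product or its documentation: it parses the computer-name_yyyy_mmdd_hhmm.eri name described in step 3, selects the newest file for a given computer, copies it, and compares SHA-256 digests of the original and the copy. The function names and the source and destination directories are assumptions.

```python
import hashlib
import re
import shutil
from datetime import datetime
from pathlib import Path

# Name format from step 3: computer-name_yyyy_mmdd_hhmm.eri
ERI_NAME = re.compile(r"^(?P<host>.+)_(?P<stamp>\d{4}_\d{4}_\d{4})\.eri$", re.IGNORECASE)


def parse_eri_name(name):
    """Return (computer_name, created) for an ERI file name, or None."""
    m = ERI_NAME.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m.group("stamp"), "%Y_%m%d_%H%M")
    except ValueError:  # digits present but not a real date or time
        return None
    return m.group("host"), created


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_latest_eri(source_dir, dest_dir, computer_name):
    """Copy the newest ERI file for computer_name and verify the copy."""
    candidates = []
    for p in Path(source_dir).iterdir():
        parsed = parse_eri_name(p.name) if p.is_file() else None
        if parsed and parsed[0].lower() == computer_name.lower():
            candidates.append((parsed[1], p))
    if not candidates:
        raise FileNotFoundError(f"no ERI file for {computer_name} in {source_dir}")
    _, newest = max(candidates, key=lambda c: c[0])
    dest = Path(dest_dir) / newest.name
    shutil.copy2(newest, dest)
    if sha256_of(newest) != sha256_of(dest):
        dest.unlink()  # do not leave a copy that cannot be trusted for recovery
        raise IOError(f"copy of {newest.name} does not match the original")
    return dest
```

The ERI file stays protected by the password assigned in step 3; the script only confirms that the backup is byte-for-byte identical to the file the agent wrote.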