To recover a device, the Emergency Recovery application (see Emergency Recovery Disks) requires an emergency recovery information (ERI) file that is specific to the device. The following sections explain what ERI files contain, how they are created, and where they are stored:
An ERI file contains the encryption keys for the device’s encrypted volumes. The encryption keys provide information about which volumes are encrypted and the encryption algorithm and key length used on the volumes.
The Full Disk Encryption Agent generates an ERI file any time it applies new encryption settings to the device. The following are triggers for creating a new ERI file:
A volume is encrypted or decrypted
The encryption algorithm is changed
The encryption key length is changed
The Disk Encryption policy also includes an option to enable users to manually generate ERI files through the Full Disk Encryption Agent.
An ERI file is protected by a password that the Full Disk Encryption Agent generates randomly if it initiates the ERI file. If a user initiates the ERI file, the user is prompted to supply a password.
When the Full Disk Encryption Agent creates an ERI file, it stores the file in the following locations:
A cache on the ZENworks partition.
The ZENworks Primary Server. If the agent cannot immediately contact the ZENworks Primary Server, it retries the upload at 5 minute intervals until successful.
A location specified by the user, if the user initiated the creation of the file. To be useful in an emergency recovery situation, the user should save the file to a removable storage device such as a USB device.
You should use a device’s newest ERI file when recovering the device. This ensures that all encryption information required to access or decrypt the device’s drives is correct for the current state of the drives. If necessary, you can use an older ERI, but depending on the changes since the ERI was generated, you might not be able to access or decrypt drives.
The cache always contains a device’s newest ERI file. If the file has also been uploaded to the ZENworks Primary Server, you can use ZENworks Control Center to view the file’s password. When you use the Emergency Recovery application, you can load the file from the device’s cache and then enter the password.
ZENworks Control Center contains all of a device’s ERI files, including the newest ERI file unless the Full Disk Encryption Agent has not been able to connect and upload the file. You can download the newest ERI file and include it on the emergency recovery disk (ERD) along with the Emergency Recovery application, or you can download it and include it on a removable storage device (such as a USB device).