The Full Disk Encryption Agent generates an ERI file any time it applies new encryption settings to the device. The following are triggers for creating a new ERI file:
A volume is encrypted or decrypted
The encryption algorithm is changed
The encryption key length is changed
The Disk Encryption policy also includes an option to enable users to manually generate ERI files through the Full Disk Encryption Agent.
An ERI file is protected by a password that the Full Disk Encryption Agent generates randomly if it initiates the ERI file. If a user initiates the ERI file, the user is prompted to supply a password.