PGP Encryption Server Benefits and Considerations for upgrading (Symantec Encryption Management Server)

Article ID: 150915


Products

Encryption Management Server, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption

Issue/Introduction

This article goes over the benefits and considerations when reviewing the upgrade from previous versions of PGP Encryption Server (Symantec Encryption Management Server). 

Broadcom recommends upgrading to the latest version of PGP Encryption Server for best security.

An important consideration in upgrading to PGP Encryption Server 10.5.1 MP2 or PGP Encryption Server version 11 (the latest release) is that all legacy PGP Server versions 3.4.2 and older have now entered the EOS/EOL phase.  To continue to receive support for your Encryption products, upgrade to the latest versions of the PGP Encryption software that you can accommodate.

Broadcom will support only version 10.5.0 and above going forward, and all improvements will be included in those releases.

TIP: For information on how to carry out upgrades and other technical considerations see the following article:

211876 - Technical considerations when upgrading Encryption Management Server to release 10.5

Resolution

Improvements made in PGP Encryption Server 11.0.1:

  • Enhanced Setup Assistant for "net-new" installations.
    This includes backup and restore operations and the ability to migrate to a new IP address (in non-clustered environments).
  • Improved License Management making it easier to manage how many seats are being utilized. 
    Drive Encryption will now decrypt the system after 90 days if no license number has been entered.
    Enrollment will be restricted if no license number is entered within 90 days.
    Gateway Email Encryption will allow only viewing of emails. 

  • Ability to customize the email address in the PGP Admin web portal sent for Web Email Protection invitations.
  • Alerts for internal users about key expiration.
  • Removed support for TLS 1.0 and TLS 1.1 (PGP Encryption Server 11.0.1 had TLS 1.0/1.1 disabled by default, but they could be enabled if needed).
    Reach out to Symantec Encryption Support for further guidance on this.

 

Improvements made in PGP Encryption Server 11.0.0 GA:

  • AD Integration for PGP Administrators.
    171746 - PGP Administrator Password Complexity Enforcement via Directory Authentication for PGP Encryption Server

  • New Web Console with intuitive design (can be viewed with https://keys.example.com/smc).
  • Improved reporting with predefined system reports to help identify many aspects of the server management.
  • Dashboard with many tools for Drive Encryption, Keys and other statistics of the Encryption Server.
  • SMS and 2FA Improvements for Web Email Protection are now included.
  • Managed license for better compliance health.
  • New REST API for integration with Entrust Certificate Automation.
  • Various UI improvements.
  • PGP Encryption Server appliance now runs on Debian 11.
  • TLS 1.3 is supported for general TLS communications when applicable (PGP client still runs on TLS 1.2). 
  • TLS 1.0/1.1 are no longer available.  Any PGP clients that are 10.3.x or older must be upgraded to newer versions to communicate. 

Symantec Encryption recommends staying on top of the updates for best security.  For a detailed list of all additions, see the Release Notes.

 

Improvements made in PGP Encryption Server 10.5:

  • PGP Encryption Server 10.5 runs on CentOS 7, which is a 64-bit platform with many improvements.
  • PGP Server can now be assigned more than 16GB of memory/RAM (older versions maxed out at 16GB; PGP 10.5 has no such limit).
    Database resources are dynamically allocated for best performance. This is a big improvement for busier/larger deployments of SEMS.
  • All PGP binaries have been recompiled for 64-bit with faster performance overall.
  • Backup speeds improved significantly.
  • Now supports UEFI architecture.
  • VMware tools now automatically installed natively.

Note on versioning: In order to improve clarity between server and client versioning, PGP Server now shares the same version number as the SED client (version 10.5 and above), so both PGP client and server can be referred to by the same version. Previously, PGP 3.4.2 Server was on a 3.x naming convention and the PGP Client was on a 10.x naming convention; now both server and client are referred to as version 10.5 and beyond.

 

As mentioned above, PGP Encryption Server has used TLS 1.0/1.1 for some features and backward compatibility for Symantec Encryption Desktop client versions 10.3.x and older or Symantec PGP Viewer application for Android devices.

DLP Data Insight integration uses PGP Encryption Server, and TLS 1.0 must be enabled for this feature to work.  For assistance on this, please contact Symantec Encryption Support.

PGP Encryption Server 3.4 and PGP Encryption Desktop client 10.4 and above use TLS 1.2 as the default communications protocol.  TLS 1.0 is still enabled on these newer versions of the software in order to support older client communications.  PGP Encryption Server 3.4.2 MP1 will be the last version to have TLS 1.0 enabled by default.

Starting with PGP Encryption Server 3.4.2 MP2 and continuing with PGP Client 10.5, TLS 1.0 will be disabled by default, and TLS 1.2 will be the only protocol available for secure communications (PGP version 11 uses TLS 1.2 by default and other TLS operations can use TLS 1.3). 

It is still possible to configure the PGP Encryption Server to use TLS 1.0/1.1 for backward compatibility with the PGP Encryption Desktop 10.3.x client, Android devices, and some other features.  See below for the considerations that apply to PGP 3.4.2 MP2 and newer during upgrades.

PGP 10.5 will still support PGP 10.3.2 clients, however, 10.3.2 is no longer supported and reached EOL July 31st, 2020.

The following is a historical reference to versions of PGP highlighting some of the improvements available for each version:

  • PGP Encryption Server version 3.3.2 used TLS 1.0 for its communications. When PGP 3.4.0 was released, TLS 1.2 was available for improved security, however, TLS 1.0/1.1 was still enabled by default for backward compatibility.
    Important Note: TLS 1.0/1.1 included many weak ciphers such as RC4/ARC4/arcfour/arcfour128/arcfour256, so it is recommended that customers upgrade to the latest branch to ensure weak ciphers are not included and not used.  See the note below for the current release of PGP Encryption Server.
    In addition to weak ciphers, PGP 3.4.x runs on CentOS 6, which the CentOS Project has now designated as EOL so no further Linux security updates will be included.  PGP Encryption Server 10.5 runs on CentOS 7, which is fully supported by the CentOS Project.
  • When PGP Encryption Server 3.4.2 MP2 was released, TLS 1.2 was enabled, and TLS 1.0/1.1 was disabled by default for increased security (see below for information on TLS).  
  • The last version of the PGP 3.4.2 branch was MP5, which had a corresponding Symantec Encryption Desktop (SED) client version of 10.4.2 MP5. The next version after 3.4.2 MP5 was PGP 10.5 GA.
    Note: For a list of current versions of Symantec Encryption Products, see article 156303.


Considerations before upgrading to Symantec Encryption Management Server 3.4.2 MP2 and newer:

Tip: For the current version of PGP, see article 156303.

  • Legacy TLS 1.0/1.1 for communications, such as LDAPS for enrollment, or TLS email encryption
    If legacy systems require the use of TLS 1.0/1.1 for communications with SEMS, these will need to be enabled once the upgrade has completed.
  • Web Email Protection Complete Customization templates
    If Complete Customization is being used for WEP, before migrating to 3.4.2 MP2, first save the customization template, then remove the existing customization, upgrade the server, and rebuild the complete customization once the upgrade has completed.  This is due to a new CAPTCHA feature included.
  • SEMS Proxy Configuration adjustments may be needed
    SEMS 3.4.2 MP2 will set the mail proxy configuration to STARTTLS attempt by default.  Make note of the settings you require in your own environment prior to upgrading to SEMS 3.4.2 MP2 so that the proper adjustments can be made post upgrade.
  • Symantec Encryption Desktop 10.3.x and older
    These older versions used TLS 1.0 for communication to the SEMS and must be updated to 10.4 before they will communicate over TLS 1.2. If these older clients are still needed, please contact support to re-enable TLS 1.0/1.1 manually.
  • Certificate enrollment with TLS 1.2
    If certificate enrollment is being used for enrollment, TLS 1.0/1.1 is still required.  If this is still needed, please contact support to re-enable TLS 1.0/1.1 manually.
  • SEE Management Server and Whole Disk Recovery Token Retrieval
    If a SEE Management Server is being used to retrieve Whole Disk Recovery tokens from SEMS 3.4.2 MP2, TLS 1.0/1.1 must still be enabled.  If this is still needed, please contact support to re-enable TLS 1.0/1.1 manually.
  • Symantec PGP Viewer for Android uses TLS 1.0 for communications.  If this is still needed, please contact support to re-enable TLS 1.0/1.1 manually.
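Added example (not part of this article or of the PGP product): a small Python probe an administrator can run against a server's TLS listener before and after the upgrade to confirm which protocol versions it still accepts and whether an RC4-family cipher can be negotiated, which is the protocol change the TLS notes and the considerations above describe. The hostname keys.example.com is the article's own placeholder; the port, the OpenSSL security-level workaround and the probe logic are assumptions of this example, not documented product behaviour.

```python
import socket
import ssl

# Protocol versions the article walks through, keyed by what ssl.SSLSocket.version()
# reports for each ("TLSv1" is TLS 1.0). The first two are the legacy ones removed in 11.x.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")

def probe_version(host, port, name, timeout=5.0):
    """Offer exactly one protocol version; report whether the server accepts it and the cipher chosen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is not under test here, only negotiation
    try:
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]  # ValueError if the build lacks it
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level; lower it for the probe only.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # LibreSSL and some builds reject @SECLEVEL; fall back to the default cipher list
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"accepted": tls.version() == name, "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError, ValueError):
        return {"accepted": False, "cipher": None}

def scan(host, port=443):
    """Probe every version in VERSIONS against one host:port (port 443 is an assumption)."""
    return {name: probe_version(host, port, name) for name in VERSIONS}

def assess(results):
    """Turn scan() output into the findings the upgrade considerations above care about."""
    findings = []
    accepted_legacy = [v for v in LEGACY if results.get(v, {}).get("accepted")]
    if accepted_legacy:
        findings.append("legacy protocol accepted: " + ", ".join(accepted_legacy))
    if not results.get("TLSv1.2", {}).get("accepted"):
        findings.append("TLS 1.2 not accepted: PGP clients 10.4 and newer require it")
    for name, r in results.items():
        cipher = (r.get("cipher") or "").upper()
        if r.get("accepted") and ("RC4" in cipher or "ARCFOUR" in cipher):
            findings.append(f"weak cipher {r['cipher']} negotiated on {name}")
    return findings
```

Run `assess(scan("keys.example.com"))` before the upgrade to learn which legacy protocols your environment still depends on, and again afterwards to confirm only TLS 1.2/1.3 remain unless support has re-enabled 1.0/1.1 for one of the cases listed above.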

 

With new versions of Symantec Encryption Management Server, older versions reach the End of Life phase.  For a listing of all Encryption products and their EOL dates, see article 152880.

 

Additional Information

211876 - Technical considerations when upgrading Encryption Management Server to release 10.5

150915 - PGP Encryption Server Benefits and Considerations for upgrading to version 10.5

180196 - HOW TO: Backup the Organization Key on the PGP Encryption Server (Symantec Encryption Management Server)

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

157080 - Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)

180249 - HOW TO: Configure the Backup Location and schedule for the PGP Encryption Server (Symantec Encryption Management Server)

153588 - Restore Backup files to the PGP Encryption Server (Symantec Encryption Management Server)

180749 - Upgrading PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)

153318 - Restoring Encryption Management Server Backups larger than 2GB

197045 - Custom scripts are moved when upgrading to Encryption Management Server 10.5