This article is designed to aid administrators and PGP users in understanding the new Server Client Key Mode (SCKM) in PGP Universal Server.
Note: SCKM key mode is available in PGP Universal Server 2.5 and above.
Understanding the new Server Client Key Mode (SCKM) in PGP Universal Server
Server Client Key Mode (SCKM) synchronizes private encryption keys with PGP Universal Server while ensuring that signing keys are always retained only by the end user. This mode helps ensure compliance with local laws and corporate policies that, in some jurisdictions, require that signing keys never leave the control of the end user, while still archiving encryption keys so they are available in an emergency.
SCKM keys are generated on the client. Private encryption subkeys will be stored on both the client and PGP Universal Server, and private signing subkeys will be stored only on the client.
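The following model, added here as an illustration and not code from PGP Corporation or the PGP Universal product, shows the consequence of that split. It generalizes slightly beyond SCKM by taking the key mode as a parameter, so the same enrolment can be run as SKM, CKM or SCKM and the server's resulting capabilities compared. The client generates a signing subkey (Ed25519) and an encryption subkey (X25519); `SYNCED_SECRETS` encodes which private subkeys each mode sends to the server; the server can then recover archived mail only if it holds the encryption private key, and holds the signing private key only under SKM. The `Client`, `Server`, `run_mode` names, the X25519/AES-GCM envelope standing in for OpenPGP public-key encryption, and the sample message are all assumptions of this example; real SKM keys have no separate signing subkey, which the model ignores for uniformity.

```python
"""Toy model of the three PGP Universal key modes (SKM, CKM, SCKM).
Illustrative example only; not PGP product code. Assumes the `cryptography` package."""
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = serialization.Encoding.Raw
RAW_PRIV = serialization.PrivateFormat.Raw
RAW_PUB = serialization.PublicFormat.Raw
NO_ENC = serialization.NoEncryption()

# Which private subkeys each key mode synchronizes to the server, as the article describes.
SYNCED_SECRETS = {
    "SKM": {"signing", "encryption"},  # server holds the whole private key
    "CKM": set(),                      # user manages everything; nothing is archived
    "SCKM": {"encryption"},            # encryption subkey archived, signing key stays on client
}


def _session_key(shared_secret):
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"sckm-demo").derive(shared_secret)


def encrypt_to(encryption_pub, plaintext):
    """Ephemeral X25519 + AES-GCM envelope, a stand-in for OpenPGP public-key encryption."""
    eph = x25519.X25519PrivateKey.generate()
    key = _session_key(eph.exchange(encryption_pub))
    nonce = os.urandom(12)
    return {"eph_pub": eph.public_key().public_bytes(RAW, RAW_PUB),
            "nonce": nonce,
            "ct": AESGCM(key).encrypt(nonce, plaintext, None)}


def decrypt_with(encryption_priv, envelope):
    eph_pub = x25519.X25519PublicKey.from_public_bytes(envelope["eph_pub"])
    key = _session_key(encryption_priv.exchange(eph_pub))
    return AESGCM(key).decrypt(envelope["nonce"], envelope["ct"], None)


class Client:
    """End user's PGP client (hypothetical): both subkeys are generated locally."""

    def __init__(self, mode):
        self.mode = mode
        self.keys = {"signing": ed25519.Ed25519PrivateKey.generate(),
                     "encryption": x25519.X25519PrivateKey.generate()}

    def public_keys(self):
        return {name: k.public_key() for name, k in self.keys.items()}

    def sync_payload(self):
        """Private material that leaves the client under this key mode."""
        return {name: self.keys[name].private_bytes(RAW, RAW_PRIV, NO_ENC)
                for name in SYNCED_SECRETS[self.mode]}


class Server:
    """The server's view (hypothetical): only what the client synchronized."""

    def __init__(self):
        self.archive = {}

    def store(self, user, payload):
        self.archive[user] = payload

    def can_decrypt(self, user):
        return "encryption" in self.archive.get(user, {})

    def can_sign(self, user):
        return "signing" in self.archive.get(user, {})

    def emergency_decrypt(self, user, envelope):
        priv = x25519.X25519PrivateKey.from_private_bytes(self.archive[user]["encryption"])
        return decrypt_with(priv, envelope)


def run_mode(mode, message=b"archived mail body"):
    """Enrol one constructed user under `mode` and report what the server can do afterwards."""
    client, server = Client(mode), Server()
    server.store("alice", client.sync_payload())
    envelope = encrypt_to(client.public_keys()["encryption"], message)
    recovered = server.emergency_decrypt("alice", envelope) if server.can_decrypt("alice") else None
    # In every mode the user can still sign with the key held on the client.
    sig = client.keys["signing"].sign(message)
    client.public_keys()["signing"].verify(sig, message)  # raises InvalidSignature if tampered
    return {"mode": mode,
            "server_can_decrypt": server.can_decrypt("alice"),
            "server_holds_signing_key": server.can_sign("alice"),
            "recovered": recovered}


if __name__ == "__main__":
    for m in ("SKM", "CKM", "SCKM"):
        print(run_mode(m))
```

Running it shows the property the article states: under SCKM the server can recover archived mail with the escrowed encryption subkey but never possesses the signing subkey, under CKM it can do neither, and under SKM it holds both.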
SCKM keys have the following characteristics:
Choosing a Key Mode
When you create PGP Universal Satellite and PGP Desktop installers, you can choose whether you want internal and external users to be able to manage their own keys, or whether keys should be managed by the PGP Universal Server.
The Key Modes available in Universal Server 2.5/2.6 are:
Which key management option you choose depends on what your users need and which PGP client application they use. Server Key Mode is generally appropriate for PGP Universal Satellite users. Client Key Mode is more appropriate for PGP Desktop users. If your security policy requires that a user's signing key is only in the possession of the user, but the user's encryption key must be archived, SCKM is the correct choice.
If you want to use both PGP Desktop and PGP Universal Gateway Email, your users will need SCKM keys.
If your users only require support for messaging, PGP Universal Satellite and SKM are sufficient. Both public and private keys are stored on the PGP Universal Server, and the private key is only temporarily sent to the client application for message signing and decryption. SKM is not as secure as CKM because the private keys are not under individual management. Separate signing subkeys are not available to SKM users.
PGP Desktop has more features than PGP Universal Satellite, and those features require client-controlled keys. For example, to use the PGP Whole Disk Encryption option with a hardware token in PGP Desktop, users must be able to generate and manage the key stored on the Whole Disk token. If you want a PGP Virtual Disk to be created automatically at installation, that also requires CKM. PGP NetShare is also unavailable to SKM users.