This article is designed to aid administrators and PGP users in understanding Server Client Key Mode (SCKM) in PGP Encryption Server (Symantec Encryption Management Server).
Resolution
Understanding Server Client Key Mode (SCKM) in PGP Encryption Server
Server Client Key Mode (SCKM) synchronizes private encryption keys with PGP Encryption Server while ensuring that signing keys are always retained only by the end user. This mode helps to ensure compliance with local laws and corporate policies in some areas requiring that signing keys must not leave the control of the end user while ensuring that encryption keys are stored in case of emergency.
SCKM keys are generated on the client. Private encryption subkeys will be stored on both the client and PGP Encryption Server, and private signing subkeys will be stored only on the client.
SCKM keys have the following characteristics:
SCKM allows for separate signing and encryption subkeys, comparable to X.509 signing and encryption keys.
The public and private parts of the encryption subkey are on the server, but encryption is not performed on the server.
The public-only signing subkey is on the server.
Mail processing must take place on the client side in order to use the SCKM signing subkey. If you want to use PGP Universal Gateway Email with SCKM keys, you must be using PGP Encryption Server 2.5/2.6. PGP Universal Gateway Email allows email encryption and decryption with SCKM keys, but email will not be signed.
SCKM is compatible with smartcards, but encryption keys will not be generated on the token. Copy the keys onto the token after generation.
If an SCKM user resets their key, the entire SCKM key is revoked, including all subkeys, and remains on the PGP Encryption Server as a non-primary key for the user. This non-primary key can still be used for decryption, and will remain on the PGP Encryption Server until manually removed by the administrator.
SCKM is not supported by legacy PGP Desktop installations before version 9.0.
PGP NetShare supports SCKM; it requires that users control their own keys.
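The key split described above (encryption secret subkey on the server, signing key present there only as a public stub), shown as an added example using GnuPG rather than PGP Encryption Server's own tooling; it assumes GnuPG 2.1 or later on PATH, and the user ID and temporary keyrings are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration with GnuPG (not PGP Encryption Server): build a key whose
# primary key only signs and whose subkey only encrypts, then produce the
# "server copy" SCKM describes: the encryption secret subkey is present, the
# signing key is present as a public-only stub (no secret material).
# Assumes GnuPG 2.1 or later; user ID and keyring paths are constructed.
set -e

# Returns 0 if the server-side keyring holds the encryption secret subkey but
# only a stub for the signing key, while the client keyring holds both secrets.
sckm_split_demo() {
  CLIENT=$(mktemp -d); SERVER=$(mktemp -d)   # client keyring / server keyring
  gpgc() { gpg --batch --quiet --homedir "$CLIENT" --pinentry-mode loopback --passphrase '' "$@"; }
  gpgs() { gpg --batch --quiet --homedir "$SERVER" --pinentry-mode loopback --passphrase '' "$@"; }

  # 1. Client generates the key: signing-only primary, then an encryption-only subkey.
  gpgc --quick-gen-key "sckm-demo (constructed)" ed25519 sign never
  FPR=$(gpgc --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
  gpgc --quick-add-key "$FPR" cv25519 encr never

  # 2. Export only the secret subkey; GnuPG replaces the primary (signing)
  #    secret with a stub, so no signing secret leaves the client.
  gpgc --export-secret-subkeys "$FPR" > "$SERVER/server-copy.gpg"
  gpgs --import "$SERVER/server-copy.gpg"

  # 3. Inspect both keyrings. In --with-colons output, field 15 is '#' for a
  #    stub (no secret material); anything else means the secret is present.
  gpgs --list-secret-keys --with-colons | awk -F: '
    $1=="sec" && $15=="#" { stub++ }      # signing key: public-only stub
    $1=="ssb" && $15!="#" { enc++ }       # encryption subkey: secret present
    END { exit !(stub==1 && enc==1) }'
  gpgc --list-secret-keys --with-colons | awk -F: '
    ($1=="sec" || $1=="ssb") && $15!="#" { n++ }
    END { exit !(n==2) }'                 # client keeps both secrets

  GNUPGHOME="$CLIENT" gpgconf --kill gpg-agent
  GNUPGHOME="$SERVER" gpgconf --kill gpg-agent
  rm -rf "$CLIENT" "$SERVER"
  echo "server copy holds a signing-key stub plus the encryption secret subkey (SCKM split)"
}

sckm_split_demo
```

The server-side listing shows the signing key as `sec#` (stub) and the encryption subkey as a normal `ssb`, which is exactly the state SCKM leaves on PGP Encryption Server.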
Choosing a Key Mode
Server Key Mode (SKM) - The PGP Encryption Server will generate and manage user keys.
Client Key Mode (CKM) - Users use PGP client software to generate and manage their own keys.
Guarded Key Mode (GKM) - Users will be able to generate and manage their own keys, and store their passphrase-protected private keys on the server.
Server Client Key Mode (SCKM) - Keys are generated on the client. Private encryption subkeys will be stored on both the client and PGP Encryption Server, and private signing subkeys will be stored only on the client.
Which key management option you choose depends on what your users need and which PGP client application they use. Server Key Mode is generally appropriate for PGP Universal Satellite users. Client Key Mode is more appropriate for PGP Desktop users. If your security policy requires that a user's signing key is only in the possession of the user, but the user's encryption key must be archived, SCKM is the correct choice.
If you want to use both PGP Encryption Desktop and PGP Gateway Email, your users will need SCKM keys.
In Server Key Mode (SKM), both public and private keys are stored on the PGP Encryption Server, and the private key is only temporarily sent to the client application for message signing and decryption. SKM is not as secure as CKM because the private keys are not under individual management. Separate signing subkeys are not available to SKM users.