Understanding the new Server Client Key Mode (SCKM) in PGP Universal Server
Article ID: 153215

Products

Symantec Products

Issue/Introduction


This article is designed to aid administrators and PGP users in understanding the new Server Client Key Mode (SCKM) in PGP Universal Server.

Note: SCKM key mode is available in PGP Universal Server 2.5 and above.

Resolution

Understanding the new Server Client Key Mode (SCKM) in PGP Universal Server

Server Client Key Mode (SCKM) synchronizes private encryption keys with PGP Universal Server while ensuring that signing keys are always retained only by the end user. This mode helps to ensure compliance with local laws and corporate policies in some areas requiring that signing keys must not leave the control of the end user while ensuring that encryption keys are stored in case of emergency.

SCKM keys are generated on the client. Private encryption subkeys will be stored on both the client and PGP Universal Server, and private signing subkeys will be stored only on the client.

SCKM keys have the following characteristics:

  1. SCKM allows for separate signing and encryption subkeys, comparable to X.509 signing and encryption keys.
  2. The public and private encryption subkey is on the server, but encryption is not performed on the server.
  3. The public-only signing subkey is on the server.
  4. Mail processing must take place on the client side in order to use the SCKM signing subkey. If you want to use PGP Universal Gateway Email with SCKM keys, you must be using PGP Universal Server 2.5/2.6. PGP Universal Gateway Email allows email encryption and decryption with SCKM keys, but email will not be signed.
  5. SCKM is compatible with smartcards, but encryption keys will not be generated on the token. Copy the keys onto the token after generation.
  6. If an SCKM user resets their key, the entire SCKM key is revoked, including all subkeys, and remains on the PGP Universal Server as a non-primary key for the user. This non-primary key can still be used for decryption, and will remain on the PGP Universal Server until manually removed by the administrator.
  7. SCKM is not supported by legacy PGP Desktop installations before version 9.0.
  8. PGP NetShare supports SCKM; it requires that users control their own keys.
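Added here as a worked example, not code from the article or from PGP Universal Server: a small RFC 4880 packet walker in Python that checks what a client is about to sync to the server under SCKM, confirming that the bundle carries a private encryption subkey but no private signing subkey. The sample key bundles are constructed dummy bytes, and the check inspects subkeys only; how the primary key is handled is an assumption left outside its scope.

```python
# Added example, not from the article or PGP Universal Server: an RFC 4880
# packet walker that checks a key bundle before it is synced to a server.
# Under SCKM the private encryption subkey may leave the client, the private
# signing subkey must not. All key bytes below are constructed dummies.
TAG_SIGNATURE, TAG_SECRET_KEY, TAG_PUBLIC_KEY = 2, 5, 6
TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY = 7, 14
KEY_FLAGS = 27                        # signature subpacket type for key flags
FLAG_SIGN, FLAG_ENCRYPT = 0x02, 0x0C  # "sign data" / "encrypt" key-flag bits

def packets(data):
    """Yield (tag, body) from a new-format packet stream with one-byte lengths."""
    i = 0
    while i < len(data):
        hdr, length = data[i], data[i + 1]
        if hdr & 0xC0 != 0xC0 or length >= 192:
            raise ValueError("only new-format packets with short lengths handled")
        yield hdr & 0x3F, data[i + 2:i + 2 + length]
        i += 2 + length

def key_flags(sig):
    """Key-flags byte from a v4 signature's hashed subpackets, 0 if absent."""
    hashed = sig[6:6 + int.from_bytes(sig[4:6], "big")]
    i = 0
    while i < len(hashed):
        if hashed[i + 1] == KEY_FLAGS:   # subpacket layout: length, type, data
            return hashed[i + 2]
        i += 1 + hashed[i]
    return 0

def subkey_usage(data):
    """List (is_private, flags) per subkey, read from its binding signature."""
    usage, pending = [], None
    for tag, body in packets(data):
        if tag in (TAG_SECRET_SUBKEY, TAG_PUBLIC_SUBKEY):
            pending = tag == TAG_SECRET_SUBKEY
        elif tag == TAG_SIGNATURE and pending is not None:
            usage.append((pending, key_flags(body)))
            pending = None
    return usage

def sckm_server_copy_ok(data):
    """True if no private signing subkey is present but a private encryption subkey is."""
    usage = subkey_usage(data)
    return (not any(priv and fl & FLAG_SIGN for priv, fl in usage)
            and any(priv and fl & FLAG_ENCRYPT for priv, fl in usage))

def pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def binding_sig(flags):  # v4 subkey-binding signature (0x18): creation-time + key-flags subpackets
    hashed = bytes([5, 2, 0, 0, 0, 0, 2, KEY_FLAGS, flags])
    return pkt(TAG_SIGNATURE, bytes([4, 0x18, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed)
DUMMY = b"\x04" + b"\x00" * 8        # constructed stand-in for key material
CLIENT_KEYRING = (pkt(TAG_SECRET_KEY, DUMMY) + pkt(TAG_SECRET_SUBKEY, DUMMY) + binding_sig(FLAG_SIGN)
                  + pkt(TAG_SECRET_SUBKEY, DUMMY) + binding_sig(FLAG_ENCRYPT))
SCKM_SERVER_COPY = (pkt(TAG_PUBLIC_KEY, DUMMY) + pkt(TAG_PUBLIC_SUBKEY, DUMMY) + binding_sig(FLAG_SIGN)
                    + pkt(TAG_SECRET_SUBKEY, DUMMY) + binding_sig(FLAG_ENCRYPT))
```

`sckm_server_copy_ok(CLIENT_KEYRING)` is False because the full client keyring still holds the private signing subkey, while `sckm_server_copy_ok(SCKM_SERVER_COPY)` is True.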

 

Choosing a Key Mode

When you create PGP Universal Satellite and PGP Desktop installers, you can choose whether you want internal and external users to be able to manage their own keys, or whether keys should be managed by the PGP Universal Server.

The Key Modes available in Universal Server 2.5/2.6 are:

  1. Server Key Mode (SKM) - The PGP Universal Server will generate and manage user keys.
  2. Client Key Mode (CKM) - Users use PGP client software to generate and manage their own keys.
  3. Guarded Key Mode (GKM) - Users will be able to generate and manage their own keys, and store their passphrase-protected private keys on the server.
  4. Server Client Key Mode (SCKM) - Keys are generated on the client. Private encryption subkeys will be stored on both the client and PGP Universal Server, and private signing subkeys will be stored only on the client.

Which key management option you choose depends on what your users need and which PGP client application they use. Server Key Mode is generally appropriate for PGP Universal Satellite users. Client Key Mode is more appropriate for PGP Desktop users. If your security policy requires that a user's signing key is only in the possession of the user, but the user's encryption key must be archived, SCKM is the correct choice.

If you want to use both PGP Desktop and PGP Universal Gateway Email, your users will need SCKM keys.

If your users only require support for messaging, PGP Universal Satellite and SKM are sufficient. Both public and private keys are stored on the PGP Universal Server, and the private key is only temporarily sent to the client application for message signing and decryption. SKM is not as secure as CKM because the private keys are not under individual management. Separate signing subkeys are not available to SKM users.

PGP Desktop has more features than PGP Universal Satellite, and those features require client-controlled keys. For example, to use the PGP Whole Disk Encryption option with a hardware token in PGP Desktop, users must be able to generate and manage the key stored on the Whole Disk token. If you want a PGP Virtual Disk to be created automatically at installation, that also requires CKM. PGP NetShare is also unavailable to SKM users.