Symantec Encryption Desktop Offline Behavior (PGP Desktop)

Article ID: 153217

Updated On:

Products

Desktop Email Encryption

Issue/Introduction


This article describes what happens to a customized Symantec Encryption Desktop (PGP Desktop) client if a Symantec Encryption Management Server (PGP Server) is offline or otherwise unavailable.

For information on what the PGP Server does if cluster members are unavailable, see the following article:

153198 - PGP Server Offline Behavior (Symantec Encryption Management Server)

If a PGP Server is unavailable for a time, critical features may not be available. This risk can be reduced by using load balancing: if one PGP Server goes down, the load balancer redirects the PGP Desktop client to another server that is still online. For more information on this topic, see the following articles:

156803 - Using DNS Round Robin and Load Balancers, Front-End Security Applications and Reverse Proxies with Symantec Encryption Management Server

180244 - HOW TO: Download Encryption Desktop Client Installers in Symantec Encryption Management Server

Resolution


When communication with the PGP Server is lost, certain PGP Desktop functionality is lost with it. This article describes the expected behavior of each PGP Desktop component when it cannot communicate with the PGP Server.

PGP Desktop Email 

PGP Desktop Email synchronizes its mail policies from the PGP Server. Even if the PGP Server is not itself processing email, it acts as the policy server for email encryption and tells the PGP Desktop Email client how each message must be encrypted.

If the PGP Desktop Email client cannot reach the PGP Server to fetch policy, the PGP Messaging logs show an error like the following, indicating that PGP Desktop Email could not communicate with the Symantec Encryption Management Server for policy (keys.acme.com is the Management Server in this example):

11:28:28 Error Unable to establish SOAP communication with keys.acme.com
11:28:28 Info Processing outgoing message from User1 with subject: PGP TEST
11:28:28 Warning Server keys.acme.com not responding; will wait 15 minute(s) before trying again

At this point the PGP Desktop service starts a 15-minute countdown before it re-attempts to contact the PGP Server for policy. This back-off avoids constant traffic from the Encryption Desktop Email client to the PGP Server while the server is unavailable.

If the message is resent within the 15-minute countdown, the PGP error is displayed again and the messaging logs show the minutes remaining before the client contacts the PGP Server again for policy:

11:42:04 Info Processing outgoing message from User1 with subject: PGP TEST
11:42:04 Warning Server keys.acme.com not responding; will wait 2 minute(s) before trying again

If the PGP Server is still unavailable when the client retries, the message is not sent. Save the messages in Drafts and resend them once the PGP Server is back up; after the 15-minute countdown has expired, they all send normally:

12:31:33 Info Processing outgoing message from User1 with subject: PGP TEST
12:31:33 Info SDK Notification: other
12:31:33 Info SDK Notification: other
12:31:34 Info Successfully synchronized policy with keys.acme.com
12:31:35 Info Encrypting PGP Partitioned message to [email protected] with key(s):
12:31:35 Info 'User1 ' (0x360E9B55)
12:31:35 Info Signing PGP Partitioned message with key 'User1 ' (0x360E9B55)


Note: If the PGP Server is brought back online within the 15-minute countdown, the affected message still will not send until that message's countdown has expired. The countdown applies only to that specific email, not to new email: compose a new message to bypass the countdown and send it immediately.
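The back-off behavior shown in the log excerpts above can be monitored from the client side. The following Python script is an added example for this article, not part of the original page or of Symantec's own tooling. It parses PGP Messaging log lines in the layout excerpted above (time of day, level, message), records the first SOAP failure per server, derives the time of the next policy retry from the most recent "will wait N minute(s)" warning, counts sends refused during the back-off window, and notes when policy synchronization succeeded again. It also goes slightly beyond the excerpt by starting a fresh outage record if a failure follows a recovery. The sample log embedded in it is constructed from the excerpts above; the line layout (including the missing space after the timestamp in the first line, which the parser tolerates) is an assumption based on those excerpts.

```python
"""Track PGP Desktop Email policy-server back-off from PGP Messaging log lines.

Added example (not Symantec code). Assumes the line layout excerpted in the
article: 'HH:MM:SS Level message'. Lines carry only a time of day, so all
datetimes below fall on the placeholder date 1900-01-01.
"""
import re
from datetime import datetime, timedelta

# 'HH:MM:SS', optional whitespace, the level, then the message.
# \s* (rather than \s+) tolerates the '11:28:28Error' form seen in the excerpt.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s*(Error|Warning|Info)\s+(.*)$")
SOAP_FAIL_RE = re.compile(r"Unable to establish SOAP communication with (\S+)")
BACKOFF_RE = re.compile(r"Server (\S+) not responding; will wait (\d+) minute\(s\)")
SYNC_OK_RE = re.compile(r"Successfully synchronized policy with (\S+)")

# Constructed sample, assembled from the excerpts in the article.
SAMPLE_LOG = """\
11:28:28Error Unable to establish SOAP communication with keys.acme.com
11:28:28 Info Processing outgoing message from User1 with subject: PGP TEST
11:28:28 Warning Server keys.acme.com not responding; will wait 15 minute(s) before trying again
11:42:04 Info Processing outgoing message from User1 with subject: PGP TEST
11:42:04 Warning Server keys.acme.com not responding; will wait 2 minute(s) before trying again
12:31:33 Info Processing outgoing message from User1 with subject: PGP TEST
12:31:34 Info Successfully synchronized policy with keys.acme.com
"""


def parse_line(line):
    """Split one log line into (datetime, level, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)


def new_entry():
    return {"first_failure": None, "next_retry": None,
            "blocked_attempts": 0, "recovered": None}


def analyze(log_text):
    """Return {server: state} describing policy-server connectivity.

    first_failure    : time of the first SOAP failure in the current outage
    next_retry       : when the client will next contact the server, derived
                       from the most recent 'will wait N minute(s)' warning
    blocked_attempts : sends refused while inside the back-off window
    recovered        : time policy was successfully synchronized again, if ever
    """
    state = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        when, _level, msg = parsed
        if m := SOAP_FAIL_RE.search(msg):
            srv = m.group(1)
            entry = state.get(srv)
            # A failure after a recovery starts a fresh outage record.
            if entry is None or entry["recovered"] is not None:
                entry = state[srv] = new_entry()
                entry["first_failure"] = when
        elif m := BACKOFF_RE.search(msg):
            entry = state.setdefault(m.group(1), new_entry())
            entry["next_retry"] = when + timedelta(minutes=int(m.group(2)))
            entry["blocked_attempts"] += 1
        elif m := SYNC_OK_RE.search(msg):
            entry = state.setdefault(m.group(1), new_entry())
            entry["recovered"] = when
    return state


def policy_blocked(entry, now):
    """True while the client is inside its back-off window for a server and has
    not re-synchronized policy: a resend at 'now' would be refused again."""
    return (entry["first_failure"] is not None
            and entry["recovered"] is None
            and entry["next_retry"] is not None
            and now < entry["next_retry"])


if __name__ == "__main__":
    for server, entry in analyze(SAMPLE_LOG).items():
        print(server)
        for key, value in entry.items():
            text = value.strftime("%H:%M:%S") if isinstance(value, datetime) else value
            print(f"  {key:17} {text}")
```

Run against a real PGP Messaging log, the next_retry value tells a help-desk operator whether a user's "message could not be sent" report is simply the client still inside its countdown (in which case composing a new message, as the note above says, gets the mail out) or a server that has not come back.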



In addition to the above, "Default: Standalone" policies can be invoked to allow email encryption in some cases. To see how these policies are configured on the PGP Server, consult the Consumer Policy in question and check what the PGP Desktop client is configured to do when it goes "Offline":

(In the SEMS console, Consumers > Policy, then Desktop Settings, then Messaging)

Several offline policies can apply there, including the ability to Block messages. Blocking is the most secure option when the PGP Server is unavailable: nothing leaves the client unencrypted, but sending encrypted content will not be possible until the PGP Server is brought back online.

PGP Drive Encryption

If PGP Whole Disk Encryption is the only feature in use and the PGP Server is unavailable, the PGP Whole Disk client cannot retrieve policy as expected. Any keys that must be obtained from the PGP Server for file encryption are likewise unavailable.


PGP Whole Disk Recovery Tokens (WDRTs) still work if needed. However, once the end user enters the WDRT at SED BootGuard (the PGP passphrase prompt during bootup), a new WDRT cannot be generated and the following error is displayed:

"A new Whole Disk Recovery Token could not be generated because the Administrative Server is not available"

The WDRT that was just used continues to work until the PGP Whole Disk client is able to contact the PGP Server, so anyone who learned it during the recovery retains access to the disk until then. Once the PGP Server is available, a new PGP Whole Disk passphrase can be created and a new WDRT is synchronized with the PGP Server.


PGP File Share Encryption

If PGP File Share Encryption is the only functionality in use, the ability to add users to a network share or folder via LDAP Groups is unavailable. Any keys that need to be obtained from the PGP Server for file encryption are also unavailable.

If shares have been encrypted to Group Keys, they are not accessible while the PGP Server is offline, so bringing the server back online as soon as possible is critical.

PGP File Share Encryption authentication works as normal if "local" or "user" keys are being used, and access to PGP File Share encrypted folders is the same as when online. PGP File Share functionality continues to work as long as the required public keys are available on the PGP Desktop local keyrings.




Additional Information

153198 - PGP Server Offline Behavior (Symantec Encryption Management Server)

248101 - PGP Offline Policy: Messages Blocked in Outlook if the PGP Client cannot reach the PGP Server