Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)

Article ID: 153245


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

Symantec Encryption products use a licensing system to enable product functionality for purchased products.

This article outlines the licensing concepts and explores licensing scenarios to help clarify if you are using licensing in the way your "paper license" outlines.

 

Note: Symantec Encryption functionality may be fully or partially disabled until a valid license number is entered.
Once a license expires, multiple actions can happen so it is important to ensure each product has been licensed properly.

Symantec Enterprise Division reserves the right to audit systems for licensing compliance as per the End User License Agreement.


The process of entering a license number into Symantec Encryption software is called License Authorization and enables one or more seats (or users) of Symantec Encryption software.

Most Symantec Encryption products use a license .SLF file, which contains XML data specific to your account.

Some older encryption products may use the old license format similar to the following License Number:
DWDK0-ABCD-12345-ABC12-ABCDE-123

This article will provide information on how each product is licensed. 

For information on how to download Symantec Encryption products and other related topics, see the following articles:

193931 - Downloading Symantec Encryption products from the Broadcom download Portal (Getting Started)
206503 - Finding your license number for Symantec Encryption products (PGP and SEE)


PGP
175951 - Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)

SEE
276507 - Entering your License information for Symantec Endpoint Encryption version 12 and above

PGP Command Line
180234 - Entering your license information for PGP Command Line

PGP Encryption Desktop
180213 - Entering your License information for PGP Encryption Desktop (Symantec Encryption Desktop)

 

Resolution

 

Section 1 - Symantec Endpoint Encryption (SEE)

The SKU includes all of the following products:
* Symantec Endpoint Encryption Management Server (SEE MS)
* Symantec Endpoint Encryption Drive Encryption (SEE Drive Encryption)
* Symantec Endpoint Encryption Removable Media Encryption (SEE RME)

Symantec Endpoint Encryption Management Server can be installed on as many systems as is needed without additional licensing.

The SEE Management Server manages systems encrypted with Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption.

Symantec Endpoint Encryption is metered per device, that is, by the number of laptops or desktops to be covered.

Example 1: If SEE Drive Encryption is installed on 1000 systems, then a license for 1000 seats would be needed and your license .SLF file needs to accommodate this.

Example 2: If an additional 1000 seats were installed with SEE RME, then another 1000 seats would be needed, for a total of 2000 seats (an additional SLF file will be issued to accommodate this).

Symantec Endpoint Encryption products use a license .SLF file that is easy to upload and manage via the web portal.
For more information on entering your license number for SEE, check out the following article:

276507 - Entering your License information for Symantec Endpoint Encryption version 12 and above

 

Section 2 - PGP Encryption Server and PGP Encryption Desktop (Symantec Management Server and Symantec Encryption Desktop Products)

Included with all new purchases for PGP 11.0.1 and above, the PGP Encryption Suite now includes all of the following functionality:

* PGP Email Encryption
* PGP File Share Encryption
* PGP Drive Encryption/SEE Drive Encryption (You can use either PGP or SEE for Drive Encryption)

All of the PGP Encryption Desktop features listed above are licensed per user, meaning each individual user of the PGP Desktop software, whether on the same system or on any profile on the same system.

The exception to this rule is Symantec Drive Encryption, which is licensed per device.

If you have not purchased the PGP Encryption Suite SKU, your existing SKU will be renewed as this SKU upon renewal, entitling you to all of the Encryption products listed in this section.

Note: If you own the PGP Encryption Suite, and you would like to use SEE, this is also included in your purchase.  Check with your sales representative for more details. 

Example 1: One user on one or more profiles per system must purchase one copy of PGP Encryption Suite.

Example 2: Two users on one or more profiles per system must purchase two copies of PGP Encryption Suite.

Example 3: One user wanting to use PGP Desktop on five different computers must purchase five copies of PGP Encryption Suite.

Example 4: PGP Drive Encryption enables a user to encrypt the entire hard drive of a computer. After the system has been encrypted, the system cannot be booted until a passphrase (password) has been entered. In some cases, this is the only encryption functionality that will be used.

PGP Drive Encryption will allow multiple users to be added to the software to boot a system. In this scenario, only one license per system/device is required. This applies for Administrators wanting to add themselves to the PGP Drive Encryption software (See the screenshot below to see the Drive Encryption shelf). If any additional features are used, such as individual file encryption or Virtual Disk, each user taking advantage of these features requires an individual license.

Example 5: Email Decryption only: Symantec Encryption Desktop (SED/PGP Desktop) has the ability to encrypt and decrypt emails. When the license term ends for Email Encryption, previously encrypted email content can be decrypted with PGP Viewer on an email-by-email basis.

For example, if Symantec Drive Encryption and Email Encryption were previously purchased, but only Drive Encryption is renewed, you may continue to use the email piece to decrypt emails only. No further emails can be encrypted with the PGP Desktop client. Broadcom requires the mail policies be configured such that no future email will be encrypted. These mail policies may need to be modified on the PGP Server (Symantec Encryption Management Server), or on a standalone client. For help in how to do this, please contact Symantec Encryption Support.



Section 3 - PGP Encryption Server (Symantec Encryption Management Server)

A few scenarios exist for licensing with PGP Encryption Server/Symantec Encryption Management Server (SEMS):

1. PGP Encryption Server with PGP Command Line Integration (KMS - Key Management Server)
2. PGP Encryption Server - Gateway Email Deployment

When any PGP Desktop client solution is purchased, the PGP Encryption Server (non-mailflow, non-KMS SKUs) is automatically included to manage the PGP Encryption Desktop clients and licensing.

Example 1 - PGP Encryption Desktop Clients (Managed by the PGP Encryption Server):

The PGP Server includes the ability to manage users on the server or centrally manage individual PGP Encryption Desktop clients.
PGP Server allows Administrators to lock down PGP Desktop policies and manage the licenses.

The central management functionality is a bundled SKU which includes both the client and server functionality. The number of seats needing to be purchased depends on the number of clients needing to be installed. If 1000 users need to install PGP Encryption Suite, this SKU automatically includes the PGP Encryption Server for client management.

A license .SLF file must be entered to enable features of the PGP Encryption Server. If you own a PGP client, you will need to upload the client license SLF file to the PGP Encryption Server to use that product. When additional seats of PGP Encryption Suite are purchased, you will get a new license .SLF that corresponds to the number of seats purchased. It should then be uploaded to the PGP Encryption Server, which adds it to the license files already uploaded.

For details on how to enter the license numbers for the PGP client SKUs or the PGP Encryption Server SKUs, see the following articles:

175951 - Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)
180213 - Entering your License information for PGP Encryption Desktop (Symantec Encryption Desktop)



Example 2 - PGP Encryption Server for Gateway Email Encryption Only

When the PGP Encryption Server is used to only encrypt email in the mailstream/mailflow, the server is licensed per user.  If 1000 internal users exist on the PGP Server, then 1000 seats must be purchased.

A license .SLF file must be uploaded to enable the Gateway Email Encryption functionality of PGP Encryption Server. 
 

Note on Clustering: PGP Server has the ability to share/replicate information to other PGP Servers. This process is called clustering. In clustering, multiple PGP Servers are used. If you are using the PGP Gateway Email Encryption SKU, then each server is licensed separately.

If you are managing only clients, then you can have additional clusters and no additional license is needed. If you are using PGP Encryption Server in the gateway placement, a license for each server must be purchased. There is a technical limitation of 6 nodes regardless of licensing requirements.

 

Example 3 - Web Email Protection or PDF Messenger with a PGP Encryption Server (Gateway Email Encryption Only)

When the PGP Encryption Server is used to encrypt email in the mailstream, the server is licensed per internal user (not per external user). If 1000 internal users exist on the PGP Server, then 100 seats must be purchased.

Important Note: After September 2024, all Gateway Email Encryption SKUs purchased or renewed are licensed "Per Server". This means that if you have one PGP Encryption Server in the mailflow, then you have unlimited internal/external users and licensing is solely per server in the mailflow.

If you want to add a cluster member for redundancy, a second license must be purchased, for a total of two Gateway Email Encryption SKUs being purchased to accommodate two servers in the mailflow.

Web Email Protection or PDF Messenger are features that allow an internal user to send sensitive data to an external user in a secure method without the need to install any encryption software. Even if the recipient does not use a PGP Key or certificate, WEP and PDF Messenger can be used to accommodate this scenario.

This functionality is convenient for sending sensitive data, such as invoices, to an external recipient where confidential data must be transmitted.
WEP and PDF Messenger are provided to external users on an "Unlimited" basis at the time of this writing.

The unlimited term means that any valid internal user can send to any number of external users via Web Email Protection or PDF Messenger without any regard for how many external users there may be. This adds considerable value to the ability to send encrypted content.

 

Section 4 - PGP Command Line 


Production Machines vs. Non-Production Machines
Symantec PGP Command Line is licensed per physical machine.

It used to be licensed per CPU, but this is no longer the case as of September 2024.

Each copy of PGP Command Line purchased entitles you to install on one production machine (that handles all your encryption/decryption for your business on a day-to-day basis) and one non-production machine (that is used to develop scripts for testing, but never handles production data for encryption/decryption).

This means if one license is purchased for PGP Command Line, it may be installed on the production box that is handling all encryption/decryption processes and another system that is not handling production encryption/decryption.

The non-production box is to be used for testing only. If you need a failover box, this is technically a production scenario and needs another license.

If you have one production server (handling active data), one production server (on standby for redundancy), and one non-production server (to develop scripts and testing), this would require 2 licenses of PGP Command Line.

You would then have the ability to install on 2 production servers and 2 non-production servers.

Examples of the old legacy licensing system:
Example 1: If a computer has one or two physical processors, a 2-CPU license is required.

Example 2: If a computer has up to four processors, a 4-CPU license is required, and so on.

Example 3: If a 1-CPU processor has 4 cores, then a 4-CPU license would be needed. 

Example 4: If a system has 4 CPUs, and 4 cores each, then a 16-CPU license would be needed.

 

 

Section 5 - Licensing for Terminal Server or Citrix Environments

Various PGP Encryption Desktop (Symantec Encryption Desktop) functionality can be used in Terminal Server or Citrix Server environments.  In Terminal or Citrix Server environments, the applications are installed on the server itself and any users logged into this server can access the application installed.  Due to the nature of these environments, PGP Desktop is managed quite differently than in normal environments. The Encryption software is licensed per-user on the Terminal or Citrix Server and not by how many users are using the Symantec Encryption Desktop.

Example: PGP Desktop is installed on a Terminal Server that has 100 users; however 25 users are currently using Symantec Encryption Desktop. In this scenario, 100 copies must be purchased, because all users on the server have the ability to use the Encryption software, whether it is used or not, so this is for "Potential Use". 

The only exception to this, in Citrix environments, is when a technical restriction has been enforced on the Citrix Server. In other words, only those users who are licensed to use PGP Desktop have the ability to use any encryption functionality. To enforce a technical restriction in a Citrix environment, NTFS Permissions should be modified on the Citrix Server to remove Execute access for the Program Files folder so that only licensed users can open PGP Desktop. In addition to restricting execute access, other restrictions should be put in place so that PGP Desktop does not start up when a user logs into an account and the menu items are not available.
 

Due to the nature of licensing with Terminal Server or Citrix environments, licensing is per user on the Terminal or Citrix server where Symantec Encryption Desktop is installed, as listed in the example above. The only exception to this licensing is by implementing a technical lockdown of the Symantec Encryption Desktop software for non-licensed users in this type of environment. This means the non-licensed users are technically unable to utilize any features. When such a technical lockdown has been implemented, Symantec will only require licenses for the users who will be using Symantec Encryption Desktop and are legally authorized to do so.
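
One way to apply the NTFS part of the technical lockdown described above, as an added example that is not taken from this article or from Symantec/Broadcom documentation. It assumes the restriction is applied to the PGP Desktop install folder under Program Files; the folder path is a placeholder and the group name is hypothetical. It does not cover the startup and menu-item restrictions.

```powershell
# Added example: limit execute rights on the PGP Desktop install folder to a
# licensed-users group. Run elevated on the Terminal/Citrix server.
# ASSUMPTIONS: $InstallDir is a placeholder for your real install folder and
# $LicensedGroup is a hypothetical group that contains only licensed users.
$InstallDir    = 'C:\Program Files\<PGP Desktop install folder>'
$LicensedGroup = 'EXAMPLE\PGP-Licensed-Users'

# Well-known SIDs (language independent): Users, Authenticated Users, Everyone.
$BroadSids = '*S-1-5-32-545', '*S-1-5-11', '*S-1-1-0'

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Install folder not found: $InstallDir"
}

# 1. Save the current ACLs so the change can be reviewed or rolled back
#    (restore with: icacls <parent folder> /restore <file>).
icacls $InstallDir /save "$env:TEMP\pgp-desktop-acl-backup.txt" /T | Out-Null

# 2. Convert inherited entries to explicit ones so they can be edited here
#    without changing the ACL of Program Files itself.
icacls $InstallDir /inheritance:d | Out-Null

# 3. Remove the broad allow entries that let every logged-on user run the binaries.
foreach ($sid in $BroadSids) {
    icacls $InstallDir /remove:g $sid /T | Out-Null
}

# 4. Grant read-and-execute to the licensed group only, inherited by
#    files (OI) and subfolders (CI).
icacls $InstallDir /grant "${LicensedGroup}:(OI)(CI)RX" | Out-Null

# 5. Review: list every allow entry that still carries execute rights.
#    Expect administrators, SYSTEM and the licensed group, not general users.
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
(Get-Acl -LiteralPath $InstallDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $execute) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Test the result by logging on as a non-licensed user and confirming PGP Desktop cannot be launched; the review output in step 5 is also a useful record if licensing compliance is audited.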

 

Additional Information

For information on how to download Symantec Encryption products and other related topics, see the following articles:

193931 - How to download Symantec Encryption products from the Broadcom download Portal
206503 - How to find your license number for Symantec Encryption products


175951 - How to: Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)
276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12 and above
180234 - How to: Enter your license information for PGP Command Line
180213 - How to: Enter your License information for PGP Encryption Desktop (Symantec Encryption Desktop)


153245 - Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)
153399 - PGP Command Line license displays as "Invalid" on VMware systems