This article explains the advantages, usage, and applicability of the different key modes available to use with PGP Encryption Desktop (Symantec Encryption Desktop) when managed by the PGP Encryption Server (Symantec Encryption Management Server).
Note that an important aspect of key management is key renewal. For key renewal considerations, please review the following article:
Each of these key modes addresses different security scenarios, ranging from the seamless key modes to stricter modes such as CKM, in which only the end user manages the key. The information below explains these key differences and assumes that the greatest care will be taken when working with keys on the PGP Encryption Server. If you have any doubts about this information, contact Symantec Encryption Support for further guidance before you proceed.
The PGP Encryption Server provides four separate key modes for use with PGP Encryption Desktop clients. These key modes are:
Use SKM unless you have a very specific reason to use another key mode.
With a CKM key, only the end user has the private key and passphrase of the key. This means that the end user is solely responsible for backing it up. The PGP Encryption Server has only the public portion of the key. If a CKM user loses their private key, the key is not recoverable and all data encrypted to the key is lost. Make sure you back up the keypair and do not forget the passphrase.
Key Reconstruction can be used to reconstitute the key, but the user must remember the questions and answers to do so.
With a GKM key, the end user has the private key and passphrase of the key. The PGP Encryption Server has a copy of the key pair; however, the server does not store the user's passphrase. As a result, if the GKM user loses their private key, the key is not recoverable and all data encrypted to the key is lost.
Key Reconstruction can be used to reconstitute the key, but the user must remember the questions and answers to do so.
SCKM keys are generated on the client and uploaded to the server. The keypair for encryption is stored on the server; however, only the user has the keypair for the signing portion of the key. Because of this, the signing keypair must be backed up locally.
Changing Key Modes
If you have users who are on one key mode and would like to switch them to another, consider this option carefully.
For example, if you have GKM users and you want to migrate them to SKM, you can enable only SKM in the policy. However, when the clients update policy, the users will receive a passphrase prompt to change the key mode. If the users do not know their passphrase, this can cause confusion for the helpdesk.
If the user has forgotten the passphrase to the GKM key, and no key reconstruction data has been created or it cannot be used, work around this scenario with the following steps:
1. Export the keypair from the server and the client, so that if the user remembers the passphrase at some point, the key can still be used.
2. Next, delete the key from the server for that particular user.
3. Stop the services on the PGP Desktop client, then rename the "PGP" folder in the Documents folder (this keeps the old keyrings, and a new keyring will be created).
4. Re-enroll the user per the following article:
180181 - How to re-enroll Encryption Desktop for Windows Clients
155714 - HOW TO: Re-enroll Symantec Encryption Desktop for Mac OS X Clients
5. The enrollment process will allow a new GKM key to be created. If you wish to allow SKM, enable this key mode in addition to GKM; when the user enrolls, both options are presented and the user can choose SKM to simplify further key management.
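Step 3 is the part of this procedure that is typed on the Windows client, and it is the step where an unreleased file handle or a lost keyring does the most damage. The following PowerShell script is an added example, not part of this article or of the Symantec product, that stops the client service, preserves the existing keyring folder under a timestamped name rather than deleting it, and restarts the service so that the next enrollment creates a fresh keyring. It assumes the PGP Desktop Windows service is named "PGPserv" and that the keyring folder is "PGP" under the affected user's Documents folder; verify both on your deployment before running it in the user's session with elevation.

```powershell
# Added example (not from the Symantec article): prepare a Windows PGP Desktop
# client for re-enrollment by stopping the service and setting the old keyring
# folder aside so that the old GKM keyring stays recoverable.
# Assumptions: service name 'PGPserv' and keyring folder Documents\PGP.
# Run from an elevated PowerShell session in the affected user's profile.

$ServiceName = 'PGPserv'
$KeyringDir  = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PGP'

# Stop the PGP service so it releases its handles on the keyring files.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    throw "Service '$ServiceName' not found; verify the PGP Desktop service name on this host."
}
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Rename rather than delete: the exported keypair from step 1 and this folder
# are what allow the key to be used again if the user remembers the passphrase.
if (Test-Path -LiteralPath $KeyringDir) {
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $newName = "PGP.old-$stamp"
    Rename-Item -LiteralPath $KeyringDir -NewName $newName
    Write-Host "Keyring folder preserved as $(Join-Path (Split-Path -Parent $KeyringDir) $newName)"
} else {
    Write-Host "No keyring folder at $KeyringDir; nothing to rename."
}

# Restart the service; re-enrollment (step 4) will create a new keyring.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).Status
```

Confirm that the final line reports Running before re-enrolling, and keep the renamed folder until the exported keypair from step 1 has been verified, since it is the only local copy of the old GKM private key.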
EPG-25953