This article explains the advantages, usage, and applicability of the different key modes available to use with PGP Encryption Desktop (Symantec Encryption Desktop)  when managed by the PGP Encryption Server (Symantec Encryption Management Server).

Note that an important aspect of key management is key renewal. For key renewal considerations, please review the following article:

157933 - Symantec Encryption Management Server Key Renewal

Obviously, each of these keymodes has its own scenarios to address as far as security considerations ranging from seamless keymodes, to other strict modes, such as CKM, which only the end users manages.  The below information will explain all these key differences and assumes the greatest care will be taken when working with keys on the PGP Encryption Server.  If you have any doubts on this information, feel free to reach out to Symantec Encryption Support for further guidance to help you proceed. 

The PGP Encryption Server provides four separate key modes for use with PGP Encryption Desktop clients. These key modes are:

1. Server Key Mode (SKM)- Recommended
2. Guarded Key Mode (GKM)
3. Client Key Mode (CKM) - Not recommended unless Keypairs cannot be managed/stored on the server
4. Server Client Key Mode (SCKM) - Not recommended unless Signing keypairs cannot be managed/stored on the server
   
   

Server Key Mode (SKM)

Use SKM unless you have a very specific reason to use another key mode.

• Keys are generated and managed on PGP Encryption Server.
• In an email Gateway deployment (no Encryption Desktop clients), only SKM mode must be used. 
• If PGP Encryption Desktop is being used, the user does not need to worry about remembering a passphrase as this is managed seamlessly using Crypto APIs.
• Even if the keypair is accidentally deleted on the local machine, the user can update policy and immediately be back in working order.
• This is the only key mode where the user does not need to remember a passphrase for their key and because of this, this is the easiest method for key management. 
• To ensure all users are generated using SKM, disable all keymodes except for SKM and during client enrollment, even the key generation process is more seamless.

Client Key Mode (CKM)

With a CKM key, only the end user has the private key and passphrase of the key.  This means that the end user is solely responsible for backing it up.  The PGP Encryption Server has only the public portion of the key. If a CKM user loses their private key, the key is not recoverable and all data encrypted to the key is lost.  Make sure you backup the keypair and don't forget the passphrase.

Key Reconstruction can be used to reconstitute the key, but the user must remember the Questions and answers to do so.

Guarded Key Mode (GKM)

With a GKM key, the end user has the private key and passphrase of the key.  The PGP Encryption Server has a copy of the key pair, however, the server does not store the user's passphrase. As a result, if the GKM user loses their private key, the key is not recoverable and all data encrypted to the key is lost.

Key Reconstruction can be used to reconstitute the key, but the user must remember the Questions and answers to do so.

Server Client Key Mode (SCKM)

SCKM keys are generated on the client and uploaded to the server.  The Keypair for Encryption is stored on the server, however, only the user has the keypair for the signing portion of the key.  Because of this, the keypair must be backed up locally.  

• The public and private encryption subkey is on the server, but by default encryption and decryption is not performed on the server.
• The public signing subkey is on the server. The PGP Encryption Server cannot sign email for the user.
• Mail processing must take place on the client in order to use the SCKM signing subkey. 
• Encryption Management Server Gateway email allows email encryption and decryption with SCKM keys but email will not be signed. Decryption on the server must be enabled manually for this key mode because it is disabled by default.
• SCKM is compatible with smartcards, but encryption keys will not be generated on the token. Copy the keys onto the token after generation.
• If an SCKM user resets their key, the entire SCKM key is revoked, including all subkeys, and remains on Encryption Management Server as a non-primary key for the user. This non-primary key can still be used for decryption and will remain on the server until manually removed by the administrator.

Changing Key Modes

If you have users who are on one keymode and would like to switch to another, consider this option carefully.

For example, if you have GKM users and you want to migrate them to SKM, you can enable only SKM in the policy, however, when the clients update policy, the users will receive a passphrase prompt to change the keymode.  If the users do not know their passphrase, this could cause confusion for the helpdesk.

The way to get around this scenario if the user has forgotten their passphrase to the GKM key, and no key reconstruction data has been created, or cannot be used, follow these steps below:

1. Export the Keypair from the Server and client so that if the user remembers the passphrase at some point, the key can still be used.

2. Next, Delete the Key from the server for that particular user.

3. Stop the Services on the PGP Desktop client and then rename the "PGP" folder in the Documents folder (this will allow you to keep the old keyrings, but a new keyring will be created).

4. Reenroll the user per the following article:

180181 - How to re-enroll Encryption Desktop for Windows Clients
155714 - HOW TO: Re-enroll Symantec Encryption Desktop for Mac OS X Clients

5. The enrollment process will allow a new GKM key to be created.  If you wish to allow SKM, you can enable this keymode in addition to GKM and when the user enrolls, they'll have both options presented and they can choose SKM to simplify further key management. 

EPG-25953