User Prompted for Passphrase when using SKM Key Mode

Article ID: 153315


Products

Symantec Products

Issue/Introduction


Issue

In a PGP Universal Server managed environment, PGP Desktop clients are prompted to enter a passphrase for a PGP key even though the Internal User Policy for the Key Settings is set to allow clients to use only the Server Key Mode (SKM).

This issue occurs when the Key Settings management is configured to use only the SKM key mode and the PGP Desktop Options permission is set to Allow user-initiated key generation for the user policy. The Allow user-initiated key generation option is enabled by default on the General card in the PGP Desktop Policy Options of the user policy.

When these options for the policy are enabled, the user is prompted to enter a passphrase for a PGP key during the enrollment process. As a result, an SKM key is generated for the user on the PGP Universal Server and a separate CKM key is generated locally for the user. The SKM key generated on the PGP Universal Server is used for user mail encryption and decryption.

If these options are set, the user will have 2 separate keypairs, one on the PGP Universal Server and one on the local PGP Desktop.

Note: This article applies to versions of PGP Desktop 9.5 and above managed by PGP Universal Server 2.5 and above.

Resolution


Workaround

To stop the user from being prompted for a passphrase and from generating a local CKM key, remove the checkmark next to Allow user-initiated key generation for the user policy.

  1. Access the PGP Universal Server administrative interface.
  2. Click the Policy > Internal User Policy card.
  3. Click the Edit... button next to PGP Desktop Settings.
  4. On the General card, remove the checkmark next to Allow user-initiated key generation.
  5. Click Save twice to update the client policy.