The Ignition Key Passphrase must be entered after a PGP Encryption Server is rebooted (Symantec Encryption Management Server)

Article ID: 153393


Products

Symantec Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The PGP Encryption Server can be configured so that after a reboot it does not finish loading until a passphrase is entered in the web console.

After rebooting your PGP Encryption Server (Symantec Encryption Management Server), it displays the following message:

"Server is currently locked.

Unlock Server With Soft-Ignition Passphrase

You have the option to unlock the server by entering your Ignition Key passphrase or by using the Organization Key."

Resolution

Although the PGP Encryption Server should be physically secured and restricted on the network so that only authorized users can reach it, an Ignition Key protects the data on the server in the unlikely event that an unauthorized person obtains physical access to it.

To gain unauthorized access in this way, an attacker would need physical access to the server: either access to the server room, or access to the virtual machine (and its hypervisor) on which the PGP Server is installed. This level of access is not normally available to any administrator except "Super Users" or the highest-level administrators.

When the PGP Encryption Server is rebooted, it assumes that such access may have occurred, and so it will not fully boot without proper authentication.

 

Unlock the PGP Encryption Server using one of the following options:

Option 1. Enter the passphrase for your Ignition Key and click the Unlock button.

Option 2. Click the Unlock with Organization Key button, then import your saved key file or paste the key block, and click the Import button.

You can configure an Ignition Key to secure the server during installation or after setup is complete.

When an Ignition Key is configured, the Organization Key is encrypted to the Ignition Key. If you lose the passphrase for your Ignition Key, you can still unlock the server with a backed-up copy of your Organization Key.

Caution: If you configure an Ignition Key for your server, it is strongly recommended that you back up your Organization Key.

If you do not have a backup of your Organization Key and the passphrase for the Ignition Key is lost, the server cannot be unlocked.

All PGP Encryption Server backup files are also encrypted to your Organization Key before they are sent to a backup location, which makes backing up the Organization Key critical. For more information on how to back up your Organization Key, see the following article:

180196 - HOW TO: Backup the Organization Key on the PGP Encryption Server (Symantec Encryption Management Server)
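The key hierarchy described above (Organization Key encrypted to the Ignition Key; server data and backup files encrypted to the Organization Key) can be modelled in a few lines. The following is an added example, not Symantec's code or the server's actual implementation: it assumes a hypothetical `IgnitionLockedServer` class, uses PBKDF2 to derive a key-encryption key from the Ignition passphrase, and substitutes a toy HMAC-based authenticated wrapping for the real PGP encryption. It shows both unlock paths after a reboot, why a wrong passphrase fails closed, and why a backup file is unreadable without the Organization Key.

```python
"""Model of a soft-ignition key hierarchy (illustrative, not the product's code)."""
import hashlib
import hmac
import os
import secrets


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the Ignition Key passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher, not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(kek: bytes, plaintext: bytes) -> dict:
    """Toy authenticated wrapping: keystream XOR, then encrypt-then-MAC under split keys."""
    nonce = os.urandom(16)
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unwrap(kek: bytes, blob: dict) -> bytes:
    """Reverse of wrap(); raises ValueError when the key is wrong or the blob was altered."""
    enc_key = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class IgnitionLockedServer:
    """Hypothetical model of the server's key hierarchy (assumption, not Symantec's API)."""

    def __init__(self, ignition_passphrase: str):
        org_key = secrets.token_bytes(32)
        self.salt = os.urandom(16)
        # The Organization Key is persisted only encrypted to the Ignition Key.
        self.wrapped_org_key = wrap(derive_kek(ignition_passphrase, self.salt), org_key)
        # The data key protecting server content is persisted encrypted to the Organization Key.
        self.wrapped_data_key = wrap(org_key, secrets.token_bytes(32))
        self._org_key = org_key  # plaintext held in memory only while unlocked

    @property
    def locked(self) -> bool:
        return self._org_key is None

    def reboot(self) -> None:
        """After a reboot the server comes up locked: the unwrapped key is gone."""
        self._org_key = None

    def unlock_with_passphrase(self, passphrase: str) -> bool:
        """Option 1: the passphrase unwraps the Organization Key."""
        try:
            self._org_key = unwrap(derive_kek(passphrase, self.salt), self.wrapped_org_key)
            return True
        except ValueError:
            return False

    def unlock_with_org_key(self, org_key_backup: bytes) -> bool:
        """Option 2: an imported backup of the Organization Key bypasses the passphrase."""
        try:
            unwrap(org_key_backup, self.wrapped_data_key)  # verify it is the right key
        except ValueError:
            return False
        self._org_key = org_key_backup
        return True

    def export_org_key(self) -> bytes:
        """Back up the Organization Key; only possible while the server is unlocked."""
        if self.locked:
            raise RuntimeError("server is locked")
        return self._org_key

    def data_key(self) -> bytes:
        if self.locked:
            raise RuntimeError("server is locked")
        return unwrap(self._org_key, self.wrapped_data_key)

    def backup_file(self, payload: bytes) -> dict:
        """Backup files are encrypted to the Organization Key before leaving the server."""
        if self.locked:
            raise RuntimeError("server is locked")
        return wrap(self._org_key, payload)


def restore_backup(blob: dict, org_key_backup: bytes) -> bytes:
    """Restoring needs the Organization Key; the Ignition passphrase alone is useless here."""
    return unwrap(org_key_backup, blob)
```

The point the model makes concrete: a lost passphrase is survivable only if `export_org_key()` was called (and the result stored safely) before the reboot; once the server is locked there is no path to the Organization Key, and every backup file wrapped under it is unreadable as well.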

 

Additional Information