This article details the Additional Decryption Key (ADK) and how to import the ADK to the PGP Encryption Server.
For General Guidelines on Additional Decryption Keys, see the following article:
An Additional Decryption Key (ADK) is a way to recover encrypted data when the recipient is unable or unwilling to decrypt it and regulation or security policy requires access. Every message sent by an internal user is also encrypted to the ADK, and so is every file that is encrypted. Messages encrypted to the ADK can be opened by the recipient and/or by the holder(s) of the ADK. The ADK is also added to disks encrypted with PGP Whole Disk Encryption.
If an Additional Decryption Key has been uploaded, all outbound email is encrypted to it when mail policy is applied. This setting appears in the Send (encrypted/signed) mail policy action and cannot be disabled.
|Note: S/MIME messages are not encrypted to the ADK.|
If you use an ADK, the PGP Encryption Server adds the ADK to every new key it generates, and all outbound email messages are automatically encrypted to it.
If you are going to use an ADK on your PGP server, import it before generating any user keys. Avoid changing to a different ADK later: keys generated while the old ADK was in place stay associated with it, keys generated afterwards are associated with the new one, and some keys may end up associated with both. When you add or change an ADK, it is associated only with the keys of new users; existing users do not get the ADK added to their keys. Only PGP keys can be used as ADKs, and the server holds only one ADK at a time.
Creating an ADK
You can create a new PGP key with PGP Desktop or use an existing PGP key. After creating the key, export it to a location you can reach from the server.
|Note: The ADK must be created on a stand-alone PGP Desktop client, not a server-managed client, so that managed-client signatures and other server-applied changes do not modify the key.|
Importing the ADK
To import an ADK to your SEMS (Symantec Encryption Management Server):
After importing the key, the name of your ADK is displayed on the Additional Decryption Key row.
If you would like to import a PGP key to the PGP server, there are some general guidelines to consider:
*External users' keys (keys that are not part of the managed domain) can be imported under the External Users location in Consumers on the PGP server.
*Keys for your internal users can be imported under the Internal Users location in Consumers on the PGP server.
*Internal user keys must match the managed domain on the PGP server. For example, if the managed domain is example.com, the key being imported must carry an email address in that domain.
*If Directory Synchronization is enabled, the PGP server looks the user up in the directory when the key is imported. The key is imported as long as its email address(es) match the user in the directory.
*If you have other internal domains that you would like to manage, and subsequently import PGP keys for, add them as managed domains under the Consumers section of the server, then Managed Domains.
*Keys without email addresses cannot be imported to the PGP server, because the server cannot tell whether the key belongs to an internal or an external user. To create a key without an email address in a managed setting, enroll the user with no email functionality enabled.
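Both the import rules above and the ADK behaviour described earlier (every outbound message is also encrypted to the ADK) can be checked offline by walking the OpenPGP packets of a key or a message. The following is an added example, not code from the original article or from the PGP Encryption Server: the sample packets are constructed inline, and the key IDs, the user and the managed domain are hypothetical. It classifies a key the way the server's import rules do (no email address means it cannot be imported; an address in the managed domain means Internal Users; otherwise External Users) and lists the recipient key IDs of an encrypted message so you can confirm the ADK is among them.

```python
"""Added example, not code from the original article or the PGP Encryption
Server: a minimal OpenPGP packet walker (RFC 4880 packet framing) for two
ADK-related checks. (1) Before importing a key, classify it as the server
would: no e-mail address in the User IDs means it cannot be imported, an
address in the managed domain means Internal Users, anything else External
Users. (2) After mail policy is applied, confirm an outbound message was
really encrypted to the ADK by listing the key IDs in its Public-Key
Encrypted Session Key (PKESK) packets. All sample packets, key IDs, the
user and the managed domain below are constructed/hypothetical."""
import re

TAG_PKESK, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_SEIPD = 1, 6, 13, 18


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format
    headers, rejects partial/indeterminate lengths (not needed here)."""
    i, n = 0, len(data)
    while i < n:
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError(f"not a packet header at offset {i - 1}")
        if hdr & 0x40:                       # new-format header (RFC 4880 4.2.2)
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                # old-format header (RFC 4880 4.2.1)
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"truncated packet at offset {i}")
        yield tag, body
        i += length


def recipient_key_ids(message: bytes):
    """Uppercase hex long key ID of every PKESK packet, in message order."""
    ids = []
    for tag, body in iter_packets(message):
        if tag == TAG_PKESK:
            if body[0] != 3:                 # RFC 4880 defines only version 3
                raise ValueError("unsupported PKESK version")
            ids.append(body[1:9].hex().upper())   # 8-octet key ID follows the version
    return ids


def encrypted_to_adk(message: bytes, adk_key_id: str) -> bool:
    """True when the ADK's long key ID is among the message's recipients."""
    return adk_key_id.upper() in recipient_key_ids(message)


def user_id_emails(public_key: bytes):
    """E-mail address from each User ID packet, None where it has none."""
    emails = []
    for tag, body in iter_packets(public_key):
        if tag == TAG_USER_ID:
            m = re.search(r"<([^<>\s]+@[^<>\s]+)>", body.decode("utf-8", "replace"))
            emails.append(m.group(1) if m else None)
    return emails


def classify_key(public_key: bytes, managed_domain: str) -> str:
    """'unimportable' if any User ID lacks an address, 'internal' if an
    address is in the managed domain (exact domain match), else 'external'."""
    emails = user_id_emails(public_key)
    if not emails or None in emails:
        return "unimportable"
    suffix = "@" + managed_domain.lower()
    return "internal" if any(e.lower().endswith(suffix) for e in emails) else "external"


# ---- constructed sample data; key IDs, user and domain are hypothetical ----
def _new_packet(tag, body):                  # new format, one-octet length (< 192)
    return bytes([0xC0 | tag, len(body)]) + body

def _old_packet(tag, body):                  # old format, length type 0
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _pkesk(key_id_hex, old_format=False):
    # version 3, 8-octet key ID, algorithm 1 (RSA), placeholder 8-bit MPI
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\x2a"
    return (_old_packet if old_format else _new_packet)(TAG_PKESK, body)

RECIPIENT_KEY_ID, ADK_KEY_ID = "0123456789ABCDEF", "FEDCBA9876543210"
_SEIPD = _new_packet(TAG_SEIPD, b"\x01" + b"\x00" * 16)      # placeholder ciphertext
MESSAGE_WITH_ADK = _pkesk(RECIPIENT_KEY_ID) + _pkesk(ADK_KEY_ID, old_format=True) + _SEIPD
MESSAGE_WITHOUT_ADK = _pkesk(RECIPIENT_KEY_ID) + _SEIPD
_PUBKEY = _new_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 4 + b"\x01\x00\x08\x2a\x00\x08\x03")
KEY_INTERNAL = _PUBKEY + _new_packet(TAG_USER_ID, b"Alice Example <alice@example.com>")
KEY_NO_EMAIL = _PUBKEY + _new_packet(TAG_USER_ID, b"Build Signing Key")

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(MESSAGE_WITH_ADK))
    print("encrypted to ADK:", encrypted_to_adk(MESSAGE_WITH_ADK, ADK_KEY_ID))
    print("key class:", classify_key(KEY_INTERNAL, "example.com"))
```

In practice, feed `recipient_key_ids` the binary (dearmored) body of a message captured from the outbound mail flow and compare against the long key ID of the ADK you imported; a message that lists only the recipient's key ID was not encrypted to the ADK, which for PGP mail should never happen once the ADK is in place (S/MIME mail is the expected exception). `classify_key` is a pre-import sanity check only; the server's own directory lookup still decides the final outcome.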
S/MIME certificates are imported to the PGP server in much the same way as PGP keys.
However, when you import these certificates, also make sure that the Trusted Keys list contains the root certificate and any applicable intermediate certificates.
To do this, identify the root and intermediate certificates that issued the user certificate you want to import. Note their thumbprints so you can validate that the same certificates have been added to the Trusted Keys under the Keys section of the PGP server.
Once these are added, the certificates should import as long as the user is also in the directory and matches the managed domain.