Import and Deploy an Additional Decryption Key (ADK - and other Keys) to the PGP Encryption Server



Article ID: 153477


Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article describes the Additional Decryption Key (ADK) and how to import the ADK to the PGP Encryption Server (Symantec Encryption Management Server).

For General Guidelines on Additional Decryption Keys, see the following article:

153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server



Resolution

The Additional Decryption Key (ADK) is a key that provides a way to decrypt encrypted data if the recipient is unable or unwilling to do so, where regulation or security policy requires this.

Every message sent by an internal user is encrypted to the ADK, and any files that are encrypted are also encrypted to the ADK.

Messages encrypted to the ADK can be opened by the recipient and/or by the holder(s) of the ADK.

The ADK is also added to disks encrypted with PGP Whole Disk Encryption.

If an Additional Decryption Key is uploaded to the PGP Encryption Server, all outbound email is encrypted to it when mail policy is applied. This setting appears in the Send (encrypted/signed) action and cannot be disabled.

Note: S/MIME messages are not encrypted to the ADK, so mail protected with S/MIME cannot be recovered with it.


If you use an ADK, the PGP Encryption Server adds the ADK to all new keys that it generates, and all outbound email messages are automatically encrypted to it.

If you are going to use an ADK on your PGP server, import it before generating any user keys; this is the recommended practice.

Also avoid changing to a different ADK later, because doing so leaves some keys associated with the old ADK, some with the new ADK, and potentially some with both.

If you add or change an ADK, it is associated only with the keys of new users. Existing users do not get that ADK added to their keys.

Only PGP keys can be used as ADKs, and you can have only one ADK on the server.

Creating an ADK

You can create a new PGP Key using PGP Desktop or use an existing PGP key. 

CAUTION: Create the ADK only after you understand the best practices for this key:

153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server

 

After creating the key, export the key to a location you can access from the server.

Note: The ADK must be created on a standalone PGP Desktop client, not on a server-managed client, so that managed signatures and other policy-driven changes do not modify the key. See the Additional Decryption Key Guidelines article (153511) linked above.

 

Importing the ADK to the PGP Server (Two Methods)

Method 1: Organization Keys (Applies to Everyone on the PGP Encryption Server)


  1. Login to the PGP Encryption Server administrative interface.
  2. Click the Organization card, then click Organization Keys.
  3. Click the Import icon in the Import column of the Additional Decryption Key row.
  4. You can import a key by browsing to an exported public key file or by pasting the key block of a public key.
  5. Click the Import button.

After importing the key, the name of your ADK is displayed on the Additional Decryption Key row.
Every user managed by the PGP Encryption Server is now required to use the ADK.


Method 2: Consumer Policies (Applies Only to Users in Specific PGP Groups)

  1. Login to the PGP Encryption Server administrative interface.
  2. Click the Consumers card, then click General.
  3. In the middle of the page, use the Import option to upload your ADK to the policy.
  4. Click Save.

For more information on Consumer Policies, see the following article:

153564 - Creating PGP Desktop Client Policies on Symantec Encryption Management Server (PGP Server) Consumer Policies

Unlike the Organization method, this ADK applies only to users who match the Group for that Consumer Policy on the PGP Server.

 

Importing Regular PGP Keys to the PGP Server

If you would like to import a PGP key to the PGP server, there are some general guidelines to consider:

*External users' keys, or keys not part of the managed domain, can be imported under the External Users location in Consumers on the PGP Server.

*Keys for your internal users can be imported to the Internal Users location in Consumers on the PGP Server.

*Internal User keys must match a managed domain on the PGP server.  For example, if the managed domain is example.com, the key being imported must carry an email address in that domain.

*If Directory Synchronization is enabled, the PGP server looks the user up in the directory when the key is imported.  The key is imported as long as its email address(es) match those of the user in the directory.

*If you have other internal domains that you would like to manage, and subsequently import PGP keys for, add them under the Consumers section of the server, then Managed Domains.

*Keys without email addresses cannot be imported to the PGP server, because the server cannot tell whether the key belongs to an internal or an external user.   To create a key without an email address in a managed setting, enroll the user with no email functionality enabled.
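Two of the facts above can be checked from the raw OpenPGP data, without a keyring: that an outbound PGP message really carries the ADK as a recipient (the mail-policy behaviour described under Resolution), and that a key you are about to import has an email user ID in a managed domain (the import rules just listed). The Python script below is an added example written for this article; it is not part of the article's original content and not a Symantec tool. It parses OpenPGP packet headers (RFC 4880), reads the recipient key IDs from the Public-Key Encrypted Session Key packets, and extracts email addresses from User ID packets. The ADK key ID, the recipient key ID, the sample message and the sample key are all constructed inside the script; the session-key packets carry dummy MPIs rather than real ciphertext, and the email regex is an assumption about the "Name <address>" user ID convention.

```python
import base64
import re

PKESK_TAG, USERID_TAG = 1, 13          # Public-Key Encrypted Session Key; User ID (RFC 4880)
WILDCARD_KEYID = "0000000000000000"    # hidden recipient (e.g. GnuPG --throw-keyids)

def dearmor(text):
    """Binary payload of an ASCII-armored block; the '=XXXX' CRC line is skipped."""
    lines = text.strip().splitlines()
    i = 1                                # skip the BEGIN line and any armor headers
    while lines[i].strip():
        i += 1
    body = [ln.strip() for ln in lines[i + 1:] if not ln.startswith(("-----END", "="))]
    return base64.b64decode("".join(body))

def iter_packets(data):
    """Yield (tag, body) per packet; old- and new-format headers (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                   # new format: tag in the low 6 bits
            tag = ctb & 0x3F
            first, pos = data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:                        # partial body length (bulk data): hand back the
                length = len(data) - pos # remainder as one chunk; the PKESK scan stops here
        else:                            # old format: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:               # indeterminate length: runs to the end of the data
                length = len(data) - pos
            else:
                n = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def recipient_keyids(armored_message):
    """Hex key IDs of every recipient; PKESK packets always precede the encrypted body."""
    ids = []
    for tag, body in iter_packets(dearmor(armored_message)):
        if tag != PKESK_TAG:
            break
        if body[0] == 3:                 # version 3 PKESK: the 8-byte key ID follows
            ids.append(body[1:9].hex().upper())
    return ids

def encrypted_to_adk(armored_message, adk_keyid):
    """True/False, or None when a hidden (all-zero) recipient makes the answer inconclusive."""
    ids = recipient_keyids(armored_message)
    if adk_keyid.upper() in ids:
        return True
    return None if WILDCARD_KEYID in ids else False

def user_id_emails(armored_key):
    """Email addresses from the key's User ID packets, assuming the 'Name <addr>' convention."""
    uids = [body.decode("utf-8", "replace")
            for tag, body in iter_packets(dearmor(armored_key)) if tag == USERID_TAG]
    return [m.group(1).lower() for m in (re.search(r"<([^<>\s]+@[^<>\s]+)>", u) for u in uids) if m]

def importable_as_internal(armored_key, managed_domains):
    """'internal' if an email user ID is in a managed domain, 'external' otherwise;
    'no-email' means the server has nothing to classify the key by and will not import it."""
    emails = user_id_emails(armored_key)
    if not emails:
        return "no-email"
    domains = {d.lower() for d in managed_domains}
    return "internal" if any(e.rsplit("@", 1)[1] in domains for e in emails) else "external"

# --- constructed sample data: dummy MPIs, not real ciphertext or real keys ----------------
def new_header(tag, length):
    return bytes([0xC0 | tag, length])   # new-format header, one-byte length
def pkesk_packet(keyid_hex, old_format=False):
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01\x00\x10\xAB\xCD"  # v3, key ID, RSA, dummy MPI
    if old_format:                       # 0x84: old format, tag 1, one-byte length
        return bytes([0x80 | (PKESK_TAG << 2), len(body)]) + body
    return new_header(PKESK_TAG, len(body)) + body
def armor(kind, data):
    b64 = base64.b64encode(data).decode()
    return (f"-----BEGIN PGP {kind}-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n=AAAA\n-----END PGP {kind}-----\n")   # '=AAAA' stands in for the CRC

ADK_KEYID = "0102030405060708"           # hypothetical Organization ADK key ID
UID = b"Alice <alice@example.com>"
SAMPLE_MESSAGE = armor("MESSAGE", pkesk_packet("A1B2C3D4E5F60718", old_format=True)  # real recipient
                       + pkesk_packet(ADK_KEYID)                                      # added by mail policy
                       + new_header(18, 6) + b"\x01" + b"\x00" * 5)                   # stub SEIPD packet
SAMPLE_KEY = armor("PUBLIC KEY BLOCK", new_header(6, 1) + b"\x04"                     # stub key packet
                   + new_header(USERID_TAG, len(UID)) + UID)
```

To use it on real data, paste the armored block of a message the server sent into recipient_keyids and compare the result with the key ID of your ADK (for a version 4 key, the last 16 hex digits of its fingerprint); encrypted_to_adk returns None rather than False when a message lists a hidden all-zero recipient, because the ADK may be present but unnamed. The check only shows which key IDs the sender listed; it does not prove the session key was encrypted correctly to the ADK, so a recovery drill with the ADK's private key is still the definitive test. importable_as_internal mirrors the three import outcomes from the list above: a key whose user ID matches a managed domain, a key in a foreign domain, and a key with no email address at all.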

 

 

Importing S/MIME Certificates to the PGP Server

Importing S/MIME certificates is similar to the PGP key import process; certificates can also be imported to the PGP Server.

However, when you import these certificates, make sure the Root Certificate and any applicable Intermediate Certificates are also imported to the Trusted Keys.

To do this, identify the Root and Intermediate certificates in the chain of the user certificate you want to import.  Make a note of their thumbprints so you can validate that the same certificates have been added to Trusted Keys under the Keys section of the PGP server.

Once these are added, the certificates should import as long as the user is also part of the directory and matches the managed domain.

 

For further guidance on PGP keys, the Administrator's Guide has some good information to review, and if you need further guidance, reach out to Symantec Encryption Support.

Additional Information

153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server


247825 - Replacing or Updating an Additional Decryption Key on the PGP Encryption Server may not clean up old ADKs

266503 - What happens when the ADK for the Organization Expires on the PGP Encryption Server with the PGP Desktop?

 

 

153196 - Backup/Export PGP Keypairs

180127 - HOW TO: Add Existing Keyrings to PGP Desktop for Windows

180129 - HOW TO: Access the Backup Keyrings Created Automatically by PGP Encryption Desktop for Windows

180128 - HOW TO: Import a Keypair into PGP Encryption Desktop (Windows)

153195 - "It is not possible to decrypt this message..." Unable to decrypt - Keyring does not contain usable private keys

180130 - HOW TO: Reconstruct Your Private Key for Windows