This article describes the Additional Decryption Key (ADK) and how to import it to the PGP Encryption Server (Symantec Encryption Management Server).
For General Guidelines on Additional Decryption Keys, see the following article:
153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server
The Additional Decryption Key (ADK) is a key that provides a way to decrypt encrypted data if the recipient is unable or unwilling to do so and if required by regulation or security policy.
Every message sent by an internal user is encrypted to the ADK.
Any files that are encrypted are encrypted to this ADK.
Messages encrypted to the ADK can be opened by the recipient and/or by the holder(s) of the ADK.
The ADK is also added to disks encrypted with PGP Whole Disk Encryption.
If you have an Additional Decryption Key uploaded to the PGP Encryption Server, all outbound email is encrypted to it when mail policy is applied.
This setting appears in the Send (encrypted/signed) action and the setting cannot be disabled.
Note: S/MIME messages are not encrypted to the ADK.
If you use an ADK, the PGP Encryption Server adds the ADK to all new keys that it generates and all outbound email messages are automatically encrypted to it.
If you are going to use an ADK on your PGP server, as a best practice import it before generating any user keys.
You should also try to avoid changing to a different ADK later on, because doing so results in some keys being associated with the old ADK and some with the new ADK or potentially both.
If you add or change an ADK, it is only associated with the keys of new users.
Existing users do not get that ADK added to their key. Only PGP keys can be used as ADKs. You can only have one ADK on the server.
Creating an ADK
You can create a new PGP Key using PGP Desktop or use an existing PGP key.
CAUTION: Make sure you create the ADK only after understanding the Best Practices for this key:
153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server
After creating the key, export the key to a location you can access from the server.
Note: The ADK must be created on a stand-alone PGP Desktop client, not a server-managed client, so that managed signatures and similar server-applied changes do not modify the key. See Additional Decryption Key Guidelines.
Importing the ADK to the PGP Server (Two Methods)
Method 1: Organization Keys (Applies to Everyone on the PGP Encryption Server)
After importing the key, the name of your ADK is displayed on the Additional Decryption Key row.
All users on the PGP Server are now required to use the ADK.
Method 2: Consumer Policies (Applies only to users in specific PGP Groups)
For more information on Consumer Policies, see the following article:
Unlike the Organization method, this ADK applies only to the users matching the Group for the Consumer Policy on the PGP Server.
If you would like to import a PGP key to the PGP server, there are some general guidelines to consider:
* External users' keys, or keys not part of the managed domain, can be imported under the External Users location in Consumers on the PGP Server.
* Keys for your internal users can be imported to the Internal Users location in Consumers on the PGP Server.
* Internal User keys must match the managed domain on the PGP server. For example, if the managed domain is example.com, then the key being imported must have an email address that matches this domain.
* If Directory Synchronization is enabled, the PGP server looks up the user in the directory when keys are imported. The key is imported as long as the email address(es) match that of the user in the directory.
* If you have other internal domains that you would like to manage, and subsequently import PGP keys for, you can add the managed domains under the Consumers section of the server, then Managed Domains.
* Keys without email addresses cannot be imported to the PGP server, because the server cannot tell whether the key belongs to an internal or an external user. To create a key without an email address in a managed setting, you can enroll the user with no email functionality enabled.
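As an added illustration of the import rules above (example code written for this article, not part of the Symantec product or its documentation), the following Python reads the User ID packets of an ASCII-armored key and classifies it the way the server's guidelines describe: an email in a managed domain means an Internal User import, any other email an External User import, and no email at all means the key cannot be imported. The managed domain example.com, the sample key builder, and the absence of real key material are all constructed for the example.

```python
import base64
import re

USER_ID_TAG = 13                                    # OpenPGP User ID packet (RFC 4880 section 5.11)
EMAIL_RE = re.compile(r"<([^<>@\s]+@([^<>@\s]+))>")  # email inside the UID's angle brackets

def dearmor(armored: str) -> bytes:
    """Strip the ASCII armor (BEGIN/END lines, headers, blank line, CRC24) and decode."""
    body = []
    for line in armored.strip().splitlines():
        if line.startswith("-----END"):
            break
        # skip the BEGIN line, armor headers ("Version: ..."), the blank separator and "=CRC"
        if line.startswith("-----BEGIN") or ":" in line or not line.strip() or line.startswith("="):
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))

def packets(data: bytes):
    """Yield (tag, body) for each packet; supports old- and new-format packet headers."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            n = 1 << ltype                               # 1, 2 or 4 length octets
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def classify_key(armored: str, managed_domains: set) -> tuple:
    """Return ("internal" | "external" | "not-importable", [emails]) per the import rules."""
    uids = [b.decode("utf-8", "replace") for t, b in packets(dearmor(armored)) if t == USER_ID_TAG]
    emails = [m.group(1).lower() for m in map(EMAIL_RE.search, uids) if m]
    if not emails:
        return "not-importable", []                      # server cannot tell internal from external
    managed = {d.lower() for d in managed_domains}
    return ("internal" if any(e.split("@")[1] in managed for e in emails) else "external"), emails

def build_sample_key(uids: list) -> str:
    """Constructed fixture: a dummy key packet plus User ID packets, armored; holds no real key material."""
    raw = bytes([0x98, 3, 4, 0, 0])                      # old-format tag 6 header, 3 dummy body bytes
    for u in uids:
        raw += bytes([0xC0 | USER_ID_TAG, len(u.encode())]) + u.encode()   # new-format tag 13
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(raw).decode() + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Run `classify_key` over a real exported `.asc` file with your own managed domains to check a key before uploading it; the parser deliberately rejects partial-body and indeterminate lengths rather than guessing.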
S/MIME certificates can also be imported to the PGP Server, in a process similar to the PGP key import.
However, when you import these certificates, also make sure that the Root Certificate and any applicable Intermediate Certificates have been imported into Trusted Keys.
To do this, identify the Root and Intermediate certificates associated with the user certificate you want to import. It is useful to note their Thumbprint IDs so you can verify that the same certificates are present under Trusted Keys in the Keys section of the PGP server.
Once these are added, the certs should import as long as the user is also part of the directory and matches the managed domain.
For further guidance on PGP keys, the Administrator's Guide has some good information to review, and if you need further guidance, reach out to Symantec Encryption Support.
153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server
153477 - Import an ADK to the PGP Encryption Server
153196 - Backup/Export PGP Keypairs
180127 - HOW TO: Add Existing Keyrings to PGP Desktop for Windows
180128 - HOW TO: Import a Keypair into PGP Encryption Desktop (Windows)
180130 - HOW TO: Reconstruct Your Private Key for Windows