Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server (Symantec Encryption Management Server)

Article ID: 153511

Products

PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption

Issue/Introduction


This article provides guidelines for using an Additional Decryption Key (ADK) with the PGP Encryption Server (Symantec Encryption Management Server). An ADK is a key, generally held by the security officers of an organization, that can decrypt messages sent to or from employees of the organization, because clients under the policy encrypt to the ADK in addition to the intended recipient.

Resolution

Additional Decryption Keys (ADKs) are created as an additional method to decrypt content when decryption by the intended recipient is not possible.
Whoever holds the ADK private key and its passphrase can decrypt any content that was encrypted to the ADK. Content that was not encrypted to the ADK (for example, content encrypted before the ADK was deployed) is not covered.

ADKs can be enforced at the Organization level or at the Consumer Policy level. When enforced at the Organization level, the ADK applies to all users.
When enforced at the Consumer Policy level, the ADK applies only to users who are members of the applicable policy.


IMPORTANT TIP: Take special care with the passphrase of the Additional Decryption Key.

If the passphrase is lost, the ADK cannot be used: a new key must be generated, assigned to the policy or organization, and deployed, and the new ADK cannot decrypt anything that was encrypted to the old one.
This is a non-trivial event. For more information on changing your ADK, see the following article:

247825 - Replacing or Updating an Additional Decryption Key on the PGP Encryption Server may not clean up old ADKs (Symantec Encryption Management Server)

Section 1 of 5: ADK Best Practice


Keep the PGP key that will be the designated ADK as simple as possible.
Treat the ADK as independent of every other key in the environment: it carries a lot of weight, because it can decrypt everything that was encrypted to it.

The following best practices will help ensure your ADK is ready for use: 

Best Practice 1: Choose an appropriate key size for the organization; at least 2048 bits is recommended.

Best Practice 2: If splitting the ADK, take special care with the re-joining requirements: once the ADK keypair is split, it is not usable until enough shares have been re-joined.
For example, if the key is split into 3 shares and 2 are required, and only one share holder is able to enter their credentials, the keypair cannot be joined and nothing can be decrypted with it.

Best Practice 3: Take special care to make backups of the ADK, ensuring the Keypair (Both Private and Public) is backed up, not only the Public Key.

Best Practice 4: Set the Expiration of ADKs to "Never".

Import the keypair into PGP Encryption Desktop. Once the keypair is imported, double-click the key to open the key properties.
Click the "Expiration" field of the key and set it to "Never". Click "OK" to save the changes and enter the passphrase to confirm them.


Best Practice 5: No other ADK should be attached to your designated ADK, as that could cause confusion and unexpected results.
Ensure there are no other ADKs attached to the ADK that is to be used.

In PGP Encryption Desktop, a key with no ADK attached has no expandable ADK entry in its key properties; this is a good indicator that the key is not associated with any other ADK.

You can import the ADK into PGP Encryption Desktop to check the properties mentioned above.

Once imported, double-click the ADK and then click the ADK card in the key properties. If an ADK is listed there, remove it.
You will be prompted for a passphrase to confirm. Enter the passphrase and the ADK is removed.

Once the ADK meets all of the best practices above, you are ready to export the key from PGP Encryption Desktop and assign it to the applicable Consumer Policy, or to the PGP Encryption Server as an Organization ADK.

To do so, right-click the ADK that you just updated and click Export. This saves the ADK public key, which you can then upload to the PGP Server (leave "Include Private Keys" unchecked for a public-key-only upload; see Section 5 for what each choice means).
It may be a good idea to name the file "ADK-official.asc", or some other memorable name, so that you know this is the ADK key file you should upload to the PGP Server.

Best Practice 6: Once you have uploaded the proper ADK, backup the keypair and keep it in a safe place in case it is needed in the future.  

Best Practice 7: Delete any signatures on the ADK that were not made by the ADK itself:

In PGP Encryption Desktop, expand the key to show its signatures.

Note: The signature icon looks like a little pen with a globe on it. Removing foreign signatures leaves the key unassociated with any other key.

Typically there is only one signature, the key's own self-signature. If you double-click a signature, note the Key ID for the signature. If it is the same as the Key ID of the ADK itself, it is fine.
If the signature is from another key, delete it to clean up the ADK.

Best Practice 8: Remove any keyservers from the ADK.

In the key properties, the keyserver for the ADK should show as "none".
If there is a preferred keyserver on the key, remove the entry for the existing server.


Section 2 of 5: ADK Key Usage Scenarios

ADKs are compatible for the following scenarios:
*Email Encryption
*Individual File Encryption
*Drive Encryption
*File Share Encryption.
*Virtual Disk Encryption
*Group keys are fully compatible with additional decryption keys (ADKs)

*ADKs are Not compatible with Self-Decrypting Archives (SDAs) or "Conventional" Encryption, which uses *only a password* to encrypt.

 

Section 3 of 5: Using an Additional Decryption Key to Decrypt Content

PGP uses many components to encrypt and decrypt content, and the ADK can be used to decrypt content from any of the scenarios listed above.
Using the ADK requires importing the keypair (not just the public key) into the PGP Encryption Desktop keyring.
Once the keypair has been imported, and as long as you know its passphrase, you can decrypt the content with the applicable PGP component.

For example, if a share is encrypted with PGP File Share Encryption and was also encrypted to the ADK, simply import the ADK into the keyring and the files can then be accessed.

Having an ADK does not change the method of decryption; it only changes who has the ability to access the content.

 

Section 4 of 5: Passphrase Management of the Additional Decryption Key

The ADK is like any other PGP key: the keypair contains a public portion and a private portion.
The public portion is what is assigned to the Consumer Policy (or to the Organization) on the PGP Server; the private portion is typically kept in a secure location.

If you need to change the passphrase of the ADK, you would do this as you would any other key. 

In this example, we will do so with the ADK inside of PGP Desktop:

 

In this example, the name of the ADK is "ADK".

Double-click on ADK and you will see the Key Properties:

Notice on the top-right corner the option "Change Passphrase".  Click this to start the process.

Enter the current passphrase for the existing key and click Next:

If you get an "Incorrect Passphrase" error, re-enter the proper passphrase and you will see the next screen:

Warning: If you leave the passphrase fields blank and click Next, the key will no longer have a passphrase.
It is important for a PGP key to have a passphrase, as this is what protects the private key material at rest.


Click Finish.

Now if you would like to export the ADK, there are two ways to do it:

Method 1: Export the Keypair (Public and Private Keys both)


Step 1: Open the PGP Keys in PGP Desktop and right-click the ADK in question.
Click on Export:


Step 2: Check the option "Include Private Keys" to ensure both the private and public keys are exported. The resulting file is the complete ADK; keep it only in the secure backup location, and do not upload it to the PGP Server unless you intend Guarded Key Mode (see Section 5).

Method 2: Export the Public Key (Public key only):

Use all the same steps as Method 1, but *do not* check the "Include Private Keys" option. This is the file to upload to the PGP Server for a Client Key Mode ADK.

Section 5 of 5: Importing the ADK to the PGP Server and Keymodes

There are two keymodes that you will typically see for an ADK on the PGP Server, determined by what you imported as the Organization ADK or Consumer Policy ADK:

Client Key Mode (CKM): You imported only the public portion of the key to the PGP Server (Method 2 above).

Guarded Key Mode (GKM): You imported the keypair to the PGP Server (Method 1 above), but the server does not know the passphrase.
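The properties that Section 1 tells you to inspect by clicking through PGP Desktop (key size, expiration, signatures from other keys, preferred keyserver, an ADK attached to the ADK) and the question this section and Section 4 turn on (does the exported file contain the private key, i.e. will the upload land as GKM or CKM) are all visible in the OpenPGP packets of the exported key (RFC 4880). The following Python script is an added example for this article, not code from Symantec or the PGP products: it parses a binary key (run an .asc export through `gpg --dearmor` first), reports each condition the best practices say should not be present, and says whether the file is a keypair or public key only. It does not verify signatures. The sample keys at the bottom are constructed so that the script runs offline; their packet structure is valid, but the modulus bytes are filler and the signature and secret MPIs are dummies. Subpacket numbers are from RFC 4880; the one assumption beyond the RFC is that type 10, listed there only as a "placeholder for backward compatibility", is the legacy PGP "additional recipient request" subpacket that carries an ADK, which is what the BP5 check looks for.

```python
import hashlib
import struct
_PUB_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # number of public MPIs per algorithm: RSA(1-3), ElGamal(16), DSA(17)

def _newlen(buf, i):
    """Decode a new-style length at buf[i]; returns (length, index just after it)."""
    l = buf[i]
    if l < 192: return l, i + 1
    if l < 255: return ((l - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def _packets(data):
    """Yield (tag, body) per OpenPGP packet; old and new headers, no partial/indeterminate lengths."""
    i = 0
    while i < len(data):
        c = data[i]; i += 1
        if c & 0x40:                                           # new-format header
            if 224 <= data[i] < 255: raise ValueError("partial body lengths are not supported")
            tag, (length, i) = c & 0x3F, _newlen(data, i)
        else:                                                  # old-format header: 1, 2 or 4 length octets
            if (c & 3) == 3: raise ValueError("indeterminate length is not supported")
            tag, n = (c >> 2) & 0x0F, 1 << (c & 3)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def _subpackets(area):
    """Yield (type, body) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        length, i = _newlen(area, i)
        yield area[i] & 0x7F, area[i + 1:i + length]           # high bit of the type octet is "critical"
        i += length

def _public_part(body):
    """Public portion of a v4 key packet body; a secret-key packet carries more after it."""
    i = 6                                                      # version(1) + created(4) + algorithm(1)
    for _ in range(_PUB_MPIS[body[5]]):
        i += 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8
    return body[:i]

def _key_id(pub_body):
    """V4 key ID: low 8 bytes of SHA-1 over 0x99 || 2-byte length || public key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pub_body)) + pub_body).digest()[-8:]

def key_material(data):
    """'keypair' if a secret-key packet (tag 5 or 7) is present (Method 1 export, GKM), else 'public' (CKM)."""
    return "keypair" if {t for t, _ in _packets(data)} & {5, 7} else "public"

def check_adk(data):
    """Return findings keyed to the best practices above; an empty list means the key is clean."""
    findings, primary = [], None
    for tag, body in _packets(data):
        if tag in (5, 6) and primary is None:                  # primary key packet, secret or public
            if body[0] != 4: raise ValueError("only v4 keys are supported")
            primary = _key_id(_public_part(body))
            bits = struct.unpack(">H", body[6:8])[0]           # first MPI: RSA n, DSA p or ElGamal p
            if bits < 2048:
                findings.append(f"BP1: key size is {bits} bits, below 2048")
        elif tag == 2 and body[0] == 4:                        # v4 signature packet
            hlen = struct.unpack(">H", body[4:6])[0]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            subs = list(_subpackets(body[6:6 + hlen])) + list(_subpackets(body[8 + hlen:8 + hlen + ulen]))
            issuer = next((b for t, b in subs if t == 16), None)
            if issuer != primary:                              # certification made by some other key
                findings.append(f"BP7: signature issued by another key 0x{issuer.hex().upper() if issuer else '?'}")
                continue
            for t, b in subs:                                  # the ADK's own self-signature
                if t == 9 and int.from_bytes(b, "big"):
                    findings.append(f"BP4: key expires {int.from_bytes(b, 'big') // 86400} days after creation")
                elif t == 10:                                  # legacy PGP additional recipient request: an ADK on this key
                    findings.append("BP5: key carries an ADK subpacket of its own")
                elif t == 24:
                    findings.append(f"BP8: preferred key server set to {b.decode('ascii', 'replace')}")
    if primary is None: raise ValueError("no primary key packet found")
    return findings

# --- constructed sample keys: valid packet structure, dummy signature and secret MPIs, filler modulus ---
def _packet(tag, body): return bytes([0x81 | (tag << 2)]) + struct.pack(">H", len(body)) + body  # old header, 2-octet length
def _mpi(v): return struct.pack(">H", (len(v) - 1) * 8 + v[0].bit_length()) + v
def _sub(t, body): return bytes([len(body) + 1, t]) + body
_CREATED = _sub(2, struct.pack(">I", 1500000000))
def _cert(issuer, hashed):                                     # 0x13 positive certification, RSA/SHA-256
    body = b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
    return _packet(2, body + struct.pack(">H", 10) + _sub(16, issuer) + b"\x00\x00" + _mpi(b"\x2A"))

def make_sample(modulus, self_subpackets=b"", foreign_cert=False, secret=False):
    pub = b"\x04" + struct.pack(">I", 1500000000) + b"\x01" + _mpi(modulus) + _mpi(b"\x01\x00\x01")
    key = _packet(5, pub + b"\x00" + _mpi(b"\x05") + b"\x00\x08") if secret else _packet(6, pub)
    key += _packet(13, b"ADK <adk@example.com>") + _cert(_key_id(pub), _CREATED + self_subpackets)
    if foreign_cert:
        key += _cert(b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0", _CREATED)
    return key

CLEAN_KEY = make_sample(b"\xC0" + b"\x01" * 255)               # 2048-bit modulus, self-certification only
MESSY_KEY = make_sample(b"\xC0" + b"\x01" * 255, foreign_cert=True, self_subpackets=(
    _sub(9, struct.pack(">I", 730 * 86400)) + _sub(24, b"hkp://keys.example.com")
    + _sub(10, b"\x80" + bytes(21))))                          # 2-year expiry, key server, nested ADK (placeholder body)
SMALL_KEY = make_sample(b"\x80" + b"\x01" * 127)               # 1024-bit modulus
SECRET_EXPORT = make_sample(b"\xC0" + b"\x01" * 255, secret=True)   # what "Include Private Keys" produces
```

To check a real export, dearmor it first (`gpg --dearmor < ADK-official.asc > ADK-official.gpg`) and call `check_adk(open("ADK-official.gpg", "rb").read())`; an empty list means the key passes the structural checks above. Call `key_material()` on the same bytes before uploading: "keypair" is the Method 1 file that produces Guarded Key Mode, "public" is the Method 2 file for Client Key Mode. On MESSY_KEY the script reports BP4, BP8, BP5 and BP7, on SMALL_KEY only BP1, and on CLEAN_KEY and SECRET_EXPORT nothing.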


If you need any additional guidance for ADKs, reach out to Symantec Encryption Support for further assistance.