PGP Key Passphrase Cache functionality and Symantec File Share Encryption Cache Functionality

Article ID: 156547

Products

Symantec Products

Issue/Introduction

Symantec File Share Encryption provides the ability to secure files and folders on a workstation or a file server. Once a file or folder is secured with Symantec File Share Encryption, the data is accessible only to users who hold the corresponding private key (or the Group Key designated on the Symantec Encryption Management Server) and who have completed proper authentication.

Once a user key has been authenticated with its passphrase, a policy governs caching of that passphrase: it can be cached for the duration of the Windows session, for a set number of minutes, or not at all.

This caching of a user's passphrase can have varying behavior for Symantec File Share Encryption and is generally not recommended.

Resolution

The passphrase cache policy applies to user keys, for example when decrypting files with PGP Zip or signing a file: once the passphrase has been entered, it is cached (or not cached) as the policy specifies.

This cache policy does not always apply to Symantec File Share Encryption once a file or folder has been unlocked, and in some cases the cache is not cleared properly when it should be. In addition, the policy does not apply to SKM Key Mode or to Symantec File Share Encryption Group Keys in the same way that a regular user key passphrase is cached.

In the case of SKM Key Mode, the key is protected by a random passphrase and is authenticated automatically for the user at Windows login; whenever the SKM key is needed, this automatic authentication is performed on the user's behalf.

With Group Keys, authentication is handled via a special policy and the PGP Universal Server whenever a folder encrypted to the Group Key is accessed. The user experience is similar to that of an SKM Key Mode user (the user does not enter a passphrase directly), although a different operation is performed in the background.

Excluding SKM and Group Key functionality, a Symantec File Share Encryption file or folder remains accessible for the entire Windows session once the user has authenticated with the PGP key passphrase. If that folder is accessed again within the same Windows session, no further authentication is required.

If the user logs off the Windows session, or clears the cache manually via the PGPtray icon, then re-authenticating the PGP File Share Encryption folder will be needed.

As a workaround, the PGP File Share Encryption cache can be cleared manually by running the following command from the command prompt (the install path depends on whether Windows itself is 32-bit or 64-bit):

32-bit Windows:

C:\Program Files\PGP Corporation\PGP Desktop>pgpnetshare.exe --lock-all

64-bit Windows:

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpnetshare.exe --lock-all

Caveat: Symantec does not recommend clearing the cache when using Symantec File Share Encryption. Different applications behave differently with respect to backend operations and system cache data. Symantec File Share Encryption can flush this data, but it is not always possible to know whether a file is still being written in the background, so flushing it could lead to file corruption. In general the risk is low, but because of it Symantec does not recommend clearing the cache. Instead, users should log off the session or shut down the machine properly, which clears the cache safely and avoids any possible file corruption.
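The following PowerShell wrapper is an added example, not a Symantec tool or part of this article. It locates pgpnetshare.exe in the two install paths documented above (Program Files on 32-bit Windows, Program Files (x86) on 64-bit Windows), and only then runs the documented --lock-all switch. Because of the caveat above, it is written as a high-impact cmdlet that prompts for confirmation before clearing the cache and records what it ran for later review. The function name, the log file path and the exit-code handling are assumptions; the article does not document pgpnetshare.exe exit codes.

```powershell
# Added example (not from the Symantec article): run "pgpnetshare.exe --lock-all"
# from whichever documented install path exists on this machine.
# Function name, -LogPath default and exit-code logging are assumptions.
function Invoke-PgpNetShareLockAll {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Where to record each invocation for review (assumed path, not a product setting)
        [string]$LogPath = (Join-Path $env:ProgramData 'PgpLockAll.log')
    )

    # The article lists two locations: Program Files on 32-bit Windows and
    # Program Files (x86) on 64-bit Windows. ${env:ProgramFiles(x86)} is empty
    # on 32-bit Windows, so drop empty roots before building paths.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $exe = $roots |
        ForEach-Object { Join-Path $_ 'PGP Corporation\PGP Desktop\pgpnetshare.exe' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    if (-not $exe) {
        Write-Error 'pgpnetshare.exe was not found in either documented install path.'
        return
    }

    # The article warns that flushing the cache while a file is still being written
    # can corrupt it, so ConfirmImpact 'High' makes this prompt unless -Confirm:$false
    # is passed; -WhatIf shows which binary would be run without running it.
    if (-not $PSCmdlet.ShouldProcess($exe, 'Run --lock-all (clears the File Share Encryption cache)')) {
        return
    }

    & $exe --lock-all
    $rc = $LASTEXITCODE   # meaning of the exit code is not documented in the article

    "{0:o} user={1} exe={2} args=--lock-all exit={3}" -f (Get-Date), $env:USERNAME, $exe, $rc |
        Add-Content -LiteralPath $LogPath

    return $rc
}

# Usage: preview the binary that would be run, then run it with an interactive confirmation.
# Invoke-PgpNetShareLockAll -WhatIf
# Invoke-PgpNetShareLockAll
```

Running the function without parameters prompts before clearing the cache; `-WhatIf` only reports which pgpnetshare.exe would be invoked. Because the article's recommended way to clear the cache is a proper logoff or shutdown, this wrapper is best reserved for cases where the manual workaround above is actually needed rather than scheduled to run unattended.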