Cannot change Encryption Desktop user key mode from SKM to GKM


Article ID: 156760


Products

Encryption Management Server

Issue/Introduction

You wish to change the key mode of an Encryption Management Server internal user from SKM to GKM (or CKM). This may be required if, for example, a user is using Encryption Management Server as a mail encryption gateway but now requires Encryption Desktop for end-to-end email encryption.

Symantec recommends that Encryption Desktop clients use SKM key mode unless there is a very specific reason not to. However, if your organization standardized on GKM mode some years ago you may decide to continue using it. Please see article TECH149029 for more information about key modes.

After you move the user to an Encryption Management Server group that uses only GKM key mode, Encryption Desktop notifies the user that their key mode has changed and prompts them to create a passphrase. After the user enters a passphrase, Encryption Desktop notifies them that their key mode could not be changed.

Encryption Desktop displays the following message to the user:

Unable to change Key Mode. Contact your security administrator.

The Encryption Desktop log contains the following entry:

09:23:24 PGP Error Key Mode change has failed with an error: insufficient privileges (-11972)

Cause

This is by design. SKM mode keys are managed by Encryption Management Server.

Environment

  • Encryption Management Server 3.3 and above.
  • Encryption Desktop 10.3 and above.

Resolution

One solution is to provide the user with a new GKM mode key:

  1. Revoke the user's SKM mode key on Encryption Management Server.
  2. Move the user to the Encryption Management Server group that uses GKM key mode.
  3. Re-enroll the user by quitting PGP Tray, deleting the folder "%appdata%\PGP Corporation" and starting PGP Tray.
  4. A new GKM mode key will be generated for the user. Their Encryption Desktop keyring will also contain their revoked SKM mode key. A revoked key can be used to decrypt but not encrypt.
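The client-side part of this procedure (step 3) is the one an administrator is likely to script for several users. The following PowerShell is an added example, not part of the original article or a Symantec tool; it assumes that PGP Tray runs as a process named "PGPtray" and, when it is not already running, that its executable is located under "$env:ProgramFiles\PGP Corporation\PGP Desktop\PGPtray.exe". It must run in the affected user's session, because both %appdata% and PGP Tray are per-user.

```powershell
# Added example: scripted version of resolution step 3 (re-enrolling the Encryption Desktop user).
# Assumptions not stated in the article: PGP Tray's process name is "PGPtray" and, if it is not
# running, its executable is "$env:ProgramFiles\PGP Corporation\PGP Desktop\PGPtray.exe".
# Run as the affected user, after the SKM key has been revoked and the user moved to the GKM group.

$profileDir  = Join-Path $env:APPDATA 'PGP Corporation'
$defaultTray = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPtray.exe'  # assumed path

# 1. Quit PGP Tray, remembering where it ran from so it can be restarted from the same location.
$tray = Get-Process -Name PGPtray -ErrorAction SilentlyContinue
if ($tray) {
    $trayPath = $tray.Path
    $tray | Stop-Process -Force
    $tray | Wait-Process -Timeout 30
} else {
    $trayPath = $defaultTray
}

# 2. Delete the per-user enrollment data so the client enrolls afresh against the server.
if (Test-Path $profileDir) {
    Remove-Item -Path $profileDir -Recurse -Force
    Write-Host "Removed $profileDir"
} else {
    Write-Host "$profileDir not present; nothing to remove"
}

# 3. Start PGP Tray again; on enrollment the server issues the user a new GKM mode key.
if (Test-Path $trayPath) {
    Start-Process -FilePath $trayPath
} else {
    Write-Warning "PGPtray.exe not found at $trayPath; start PGP Tray manually"
}
```

After PGP Tray restarts and enrollment completes, check the user's keyring in Encryption Desktop: it should show the new GKM key alongside the revoked SKM key, as step 4 describes.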

Alternatively, you can give the user's new group permission to convert their SKM mode key to GKM mode:

  1. From the Encryption Management Server administration console, click on Consumers / Groups and then the name of the group that uses GKM key mode.
  2. Click on the View button next to the Permissions section.
  3. Click on the Add Permissions button.
  4. From the drop-down list, select Can modify OpenPGP key of.
  5. In the empty text box, enter the name of the user that is changing key mode and click the Save button.
  6. Note that if you are migrating multiple users from SKM key mode, you can add the users individually or select All Managed Keys from the drop-down list.
  7. Add the user to the group that uses GKM mode.
  8. When the user is notified that their key mode has changed and is prompted for a passphrase, the passphrase will be accepted and their key will change from SKM mode to GKM mode.
  9. After the user has changed their key mode, remove the Can modify OpenPGP key of permission from the group.