Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)


Article ID: 157080




Encryption Management Server, Gateway Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, Mobile Encryption for iOS, Desktop Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API


A pictured installation guide for Symantec Encryption Management Server.
This can be useful if you are unsure where to enter the settings, or if you want to see what to expect before installing the server. The screens walk through the most standard settings; no in-depth information is provided. The screens may vary depending on your version.

For comprehensive information, see the following documents to familiarize yourself with any aspect of the server:

How to download Symantec Encryption Management Server

Symantec Encryption Management Server Installation Guide

Symantec Encryption Management Server Administrator's Guide


Average Installation time: 15 Minutes


Hard Disk Recommendations:
For Symantec Encryption Management Server managing Drive Encryption or File Share Encryption only, allocate 100 GB of hard drive space.
For Symantec Encryption Management Server hosting the Web Email Protection service for many accounts, allocate 800 GB.

Note: The disk space allocations are general guidelines that work for most customers.
More or less space may be appropriate, but using the above guidelines will typically cover most scenarios.

Memory Allocation Recommendations:
Client Management Only: 8 GB
Email Encryption: 16 GB Minimum
Busy Environments: 32-64 GB

1. Once you boot off of your ISO, you will see the following screen:

Press "enter" to continue on with the installation.


2. The following screen appears, warning you that all the data on this server "will be deleted and lost forever if you proceed".

If it is acceptable to overwrite the machine you are installing on, proceed and the installation will start:

3. The next screen will ask for the IP address for the Symantec Encryption Server.

For the subnet mask, either CIDR notation (/24) or "dotted-quad" notation is acceptable:


4. You will also need to enter the Gateway and Nameserver (DNS server).

If you have multiple DNS servers, you can enter more at a later time during the installation.

Then assign the hostname (FQDN) the Symantec Encryption Management Server should use.

Symantec Corporation strongly recommends that you name your externally visible Symantec Encryption Management Server according to the "keys.*domain*" convention if you will be using your server for email encryption. Symantec Encryption Management Server will search "keys.*domain*" for keys by default.
This allows other Symantec Encryption Management Servers to easily find valid public keys for email recipients in your domain.

You may still use any FQDN you choose (in this example, "keys.example.com"):

Note: If you are not getting a prompt to enter the IP address, the most likely cause is the NIC type.
Some versions of SEMS may not detect the network interface unless the proper NIC type is selected.
Choose your preferred NIC type when creating the VM for optimal performance.
For older installations that used 32-bit, VMXnet3 or other NIC types such as E1000 would work. For SEMS 10.5, typically any NIC type will work.
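
A pre-install sanity check for the values entered in steps 3 and 4, as an added example (not part of the original guide or of Symantec's tooling): it accepts the subnet mask in either notation, confirms the gateway is on the server's subnet, and warns when the hostname does not follow the "keys.*domain*" convention. The function name, the sample addresses (documentation ranges), and the assumption that the nameserver is entered as an IP address are illustrative.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_network_plan(ip, mask, gateway, nameserver, fqdn, mail_domain=None):
    """Return (errors, warnings) for the values planned for steps 3 and 4."""
    errors, warnings = [], []
    try:
        # Accepts "/24", "24" and "255.255.255.0" alike.
        iface = ipaddress.ip_interface(f"{ip}/{mask.lstrip('/')}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"], warnings
    net = iface.network
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in (
            net.network_address, net.broadcast_address):
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")

    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        errors.append(f"gateway {gateway!r} is not an IP address")
    else:
        if gw == iface.ip:
            errors.append("gateway is the same address as the server")
        elif gw not in net:
            errors.append(f"gateway {gw} is outside the server's subnet {net}")

    try:  # assumption: the nameserver is entered as an IP address
        ipaddress.ip_address(nameserver)
    except ValueError:
        errors.append(f"nameserver {nameserver!r} is not an IP address")

    name = fqdn.rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or not all(
            _LABEL.fullmatch(label) for label in labels):
        errors.append(f"hostname {fqdn!r} is not a fully qualified domain name")
    elif mail_domain and name.lower() != f"keys.{mail_domain.lower()}":
        warnings.append(f"hostname is not keys.{mail_domain}; servers that search "
                        "keys.<domain> by default will not find it under this name")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_network_plan("192.0.2.10", "255.255.255.0", "192.0.2.1",
                             "192.0.2.53", "keys.example.com", "example.com"))
```
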

6. Press enter to continue the installation of Symantec Encryption Management Server. This process will take several minutes.

7. After the installation process completes, the Symantec Encryption Management Server will reboot on its own and come up with the following screen:

For security reasons, there is no login configured by default, and this should not be done.
If you feel you need to log in for any reason, please reach out to Symantec Encryption Support for further guidance.


8. When opening the Symantec Encryption Management Server webpage, you should see the welcome screen:

Click the next arrow to be presented with the End User License Agreement:

9. You can print a copy of the EULA from this page and once you have finished this process, the initial setup will continue:


10. As we have a fresh install, you can follow the default selection for the Setup Type of "New Installation".

TIP: Even if you are restoring a backup, it is recommended to choose "New Installation" and then configure a new IP Address and hostname. 
Later this IP and hostname will be overwritten with the backup, but once the installation has completed, you can take a snapshot of your clean machine.
After you have finished the web setup, you can then upload your Organization Key and then the backup to complete a restore of the backup.


For more information on backups, see the following article:
153588 - Restore Backup files to Encryption Management Server


Note for Installations for Clusters:
Even if you are joining a cluster, it is recommended to complete the installation as "New" and then take a snapshot before the join operation. 
Then you can join the cluster using the actual administration UI.  For information on joining a cluster, see the following article:

153721 - Creating a Cluster with Symantec Encryption Management Server

11. Here you can specify the time zone for this server as well as the NTP server:

12. Again, you may check your network settings and make changes here prior to confirming:

13. And finally you will see the final Confirmation page.  Go back if you need to change something.
Once you click Done, the network interface will be restarted and the network details will be written to the configuration:

14. You may see this screen as well when you change network related settings in the Symantec Encryption Management Server:

As you can see in the screen above "https://keys.example.com:9000" is where the webpage will be directed to. 
If you do not have DNS properly configured, you will want to use the IP address for this screen. 

15. You are now prompted to enter the License you purchased with Symantec Encryption Management Server:


16. Set up the Administrator account.

The password policy is fairly strict for the setup and if you do not meet the requirements, you'll get the following message:

For more information on password policies for the SEMS Administrator, see the following article:

171744 - Symantec Encryption Management Server Administrator Password Complexity

17. If you are using the server for securing mails, select the placement of the server in your infrastructure:

Refer to the Admin Guide for in-depth information. We'll continue with the default.  Enter the default domain the SEMS will manage.
Additional domains can be added later if needed under "Consumers\Managed Domains":


18. If you are going to be Provide the mail servers address for sending the mails to.

19. The next screen allows you to configure an Ignition Key.  Symantec recommends having an ignition key if the server is located in an unsecured location:

20. Here we set up a soft Ignition Key with a name and password. Make sure you always know what the passphrase to this key is.
If the server is ever rebooted, this passphrase must be entered in order to fully boot the system:

21. Backup the Organization Key, which will sign generated Keys and encrypt your Server Backups.

Having a backup of the Organization Key is critical. All backups are encrypted using this key. Ensure a passphrase is entered to protect the key.
In the unlikely event that the passphrase to the Ignition Key is forgotten, having access to the Organization Key and its passphrase will unlock the Ignition Key.
The keypair of the Organization Key is required for this operation:

Make sure to store this keypair in a secure location. 

When restoring a backup from this server you'll need the Organization Key the Backup was encrypted to. Otherwise the Backup won't be readable.

22. And finally you will see the Confirmation Summary page.  Click Done if all the information looks correct:

23. Again, you will see the screen for changed network settings, and it should redirect to the login screen.

24. Log in with the credentials you entered during the setup in Step 16.


25. This is the new accounts welcome screen.


26. The server defaults to "Learn Mode", which means no emails will be encrypted by default.
The yellow hat on the top-right corner of the screen indicates the server is in Learn Mode:

27. By clicking the yellow hat you'll see this:

To disable Learn Mode, remove the check mark and click "Save".

Note: If you are using the server for only File Share Encryption, Drive Encryption, or File Encryption, Learn mode can be left enabled.

28. This completes the installation and initial setup!





Please check the Release Notes and System Requirements for additional information you should be aware of.

