Pictured Installation Guide for PGP Encryption Server 11.0 and above (Symantec Encryption Management Server)

Article ID: 157080


Products

Encryption Management Server, Gateway Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, Desktop Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP Encryption Suite, PGP SDK

Issue/Introduction

This is a pictured installation guide for PGP Encryption Server (Symantec Encryption Management Server) versions 11.0 and above.

This is useful if you are unsure where to enter the settings, or if you want to see what to expect before installing the server.

 

The screens go through the most standard settings and are not designed to be a deep dive into the inner workings of the server.

The screens may vary depending on your exact version.

 

For comprehensive information, see the following documents to familiarize yourself with any aspect of the server:

193931 - How to download Symantec Encryption Management Server

PGP Encryption Server Installation Guide

Symantec Encryption Management Server Administrator's Guide

 

Starting with PGP 11, it is required to upload your license .SLF file to continue using the software.

For information on how to find and enter your license number for the PGP Encryption Server, see the following articles:

206503 - How to find your license number for Symantec Encryption products (PGP and SEE)

175951 - How to: Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)

 

Average Installation time: 20 Minutes

 

TIP: If you need to upgrade your PGP Encryption Server to version 11.0.1 from 10.5.1 or older, see the following KB:
378459 - Upgrading the PGP Encryption Server using an ISO file for FULL Backup and Restore Including Upgrades (Symantec Encryption Management Server)

Resolution

Hard Disk Recommendations:


For PGP Encryption Servers managing Drive Encryption or File Share Encryption Only, allocate 100GBs of Hard Drive space.
For PGP Encryption Servers hosting the Web Email Protection service for many accounts, allocate at least 800GBs to account for growth.

Note: The disk space allocations are general guidelines that work for most customers.
More or less space may be appropriate, but using the above guidelines will typically cover most scenarios.


Memory Allocation Recommendations:
For complete information, see the  System Requirements for PGP Encryption Server.

Single-Node PGP Encryption Server: 16GBs
Clustered Environment: 32GBs Minimum
Busy Environments: 32-64GBs

Tip: It's best to start with 16GBs and if more is needed, it's easy to add this.  If you are not able to reboot the server, determine what may be best, and increase that by 16GBs to allow for growth/scalability.  For example, if it's a basic environment, and 16GBs is needed, but you can allocate 32GBs, this will allow for easy growth without having to adjust later.

Prerequisite: PGP Encryption Server 11 is based off of Debian 11. If your VM has any OS settings upon creation, select Debian 11.


Step 1: Once you boot off of your ISO, you will see the following screen:

You'll notice this will delete any partitions currently configured for the machine and reformat the drive.

"will be deleted and lost forever if you proceed".

If this is fine, press "ENTER" to continue on with the installation.

 

Step 2: Once you press ENTER to proceed, the installation will start:

 

Step 3: The next screen will ask for the IP address for the PGP Encryption Server:

You can either enter only the "IP address", or enter the "IP/Subnet Mask" format like the following examples:

Option 1: IP Only:

The next screen will then allow you to enter in the full subnet mask:




Option 2: IP and Subnet mask:

If you enter the /Subnet mask, it'll skip the screen from Option 1.

 

Step 4: You will also need to enter the Gateway and Nameserver (DNS server).

First, the Gateway IP address will be entered:


Step 5: Then the DNS server. If you have multiple DNS Servers, you can enter more at a later time during the installation:

Troubleshooting Note: If you are not getting a prompt to enter the IP address, it is most likely the NIC type. 
Choose your preferred NIC type when creating the VM for optimal performance.
If you run into snags with this step, reach out to Symantec Encryption Support for further guidance. 

Step 6: On the next screen, notice that the field contains "changeme". Delete this entry, then enter the proper Hostname (FQDN) for the PGP Encryption Server:

 

Important Note: We strongly recommend that you name your externally visible PGP Encryption Server according to the "keys.*domain*" convention if you will be using your server for email encryption.

By default, whenever the PGP Encryption Server searches for recipient keys, it always looks for the "keys.*domain*" host.

For example, if you are sending an encrypted email to a recipient in the "example.com" domain, then the PGP server will look for "keys.example.com" to find a key should one be available.

This allows other PGP Encryption Servers to easily find valid public keys for email recipients in your domain.

It is still fine to use any FQDN you choose to use.

Tip: Double check the FQDN entered is correct as this is the last chance to go back.

If the FQDN is correct, press ENTER and the installation will then start for the PGP Encryption Management Server. 

This process will take several minutes. 
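
Because Step 6 is the last point at which the network values can be corrected, the values planned for Steps 3 to 6 can be checked beforehand. The following is an added example, not part of the original article or of any Symantec tooling; the function names `preflight` and `keys_host` are hypothetical, and it assumes DNS servers are entered as IP addresses.

```python
import ipaddress
import re

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def keys_host(recipient):
    """keys.<domain> for an e-mail address or bare domain (the guide's convention)."""
    return "keys." + recipient.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def preflight(address, gateway, dns_servers, fqdn, mail_domain=None, netmask=None):
    """Check the values planned for Steps 3-6; returns (errors, notes)."""
    errors, notes = [], []
    # Step 3: "IP" alone (mask entered on the next screen) or "IP/mask".
    if "/" not in address:
        if netmask is None:
            return ["no subnet mask given for " + address], notes
        address = f"{address}/{netmask}"
    try:
        iface = ipaddress.ip_interface(address)
    except ValueError as exc:
        return [f"bad IP or mask: {exc}"], notes
    net = iface.network
    reserved = (net.network_address, net.broadcast_address)
    if net.prefixlen < net.max_prefixlen - 1 and iface.ip in reserved:
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    # Step 4: the gateway must be a different host on the same subnet.
    try:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            errors.append(f"gateway {gw} is outside {net}")
        elif gw == iface.ip:
            errors.append("gateway equals the server address")
    except ValueError:
        errors.append(f"gateway is not an IP address: {gateway!r}")
    # Step 5: each DNS server must be an IP address (assumption of this example).
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            errors.append(f"DNS server is not an IP address: {server!r}")
    # Step 6: the "changeme" placeholder must be replaced by a real FQDN.
    name = fqdn.strip().lower().rstrip(".")
    labels = name.split(".")
    if name == "changeme" or len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        errors.append(f"hostname is not a usable FQDN: {fqdn!r}")
    elif mail_domain and name != keys_host(mail_domain):
        notes.append(f"{name} does not follow the keys convention ({keys_host(mail_domain)})")
    return errors, notes
```

A mismatch with the "keys" convention is reported as a note rather than an error, since any FQDN is accepted by the installer.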

 

 

Step 7:  After the installation process completes, the PGP Encryption Management Server will reboot on its own and come up with the following screen:

At this stage, it is not possible to login to this portal. By default, there is no login configured for security reasons and this should not be done.

See the following article if you need access to the command line (do this later):
153592 - Access the PGP Encryption Server by using SSH (Symantec Encryption Management Server)

If you feel you need to login for any reason, please reach out to Symantec Encryption Support for further guidance.

 

Once this screen appears, note the URL listed to connect to, and open a web browser to that location on a different machine. 



Step 8: When opening the PGP Encryption Server webpage, you should see the following welcome screen:

Click the next arrow to be presented with the End User License Agreement:

To accept, click the blue "End User License Agreement" URL and read through it to enable the I Agree button.

If you can't access this from where you are installing, you can also read the agreement on the following page:

Once you are finished with the EULA screen, you can then click "Start" to continue the post-install configuration wizard:

 

Step 9: The initial setup will continue:

In this example, we will be doing a fresh/new install, so you can follow the default selection for the Setup Type of "New Installation".

TIP: Even if you are restoring a backup, it is recommended to choose "New Installation" and then configure a new IP Address and hostname temporarily. 
Later this IP and hostname will be overwritten with the backup network details.  Once the installation has completed for the "New Installation", we recommend taking a snapshot of your clean machine.
After you have finished the web setup, you can then upload your Organization Key and then the backup to complete a restore of the backup.

For more information on backups, see the following article:
153588 - Restore Backup files to the PGP Encryption Server (Symantec Encryption Management Server)

Note for Installations for Clusters:
Even if you are joining a cluster, it is recommended to complete the installation as "New" and then take a snapshot before the join operation. 
Then you can join the cluster using the actual administration UI.  For information on joining a cluster, see the following article:

153721 - Creating a Cluster with the PGP Encryption Server (Symantec Encryption Management Server)

 

Step 10: Specify the time zone for this server as well as the NTP server:

TIP: If you aren't sure of your NTP Server, usually your Domain Controller acts as an NTP server by default.

 

Step 11: Here you may check your network settings again and make changes prior to confirming:

 

Step 12: Next, enter the Administrator Account details to use for this New Installation:

It is recommended to change the default admin name of "admin".

Step 13: Enter the primary domain you will be using.  You can add more domains later.  In this example, we'll use "example.com":

Step 14: On the next page, you will enter the configuration for the Ignition Key:

It is recommended to enter the Ignition Key details as we have done in this example.  

Important Note: Once you add an Ignition Key, it is never recommended to remove the Ignition Key from the server.
If you do think you need to remove it, please consult with Symantec Encryption Support for further guidance.

Step 15: If you are putting the PGP Encryption Server in the mailflow (Gateway Email Encryption), then enable Mail Proxy, and enter the mail configuration as needed:

Step 16: Next, enter a secure password for your Organization Key backup, and click Next.  At the end, it will save an "orgkey.asc" file to your system.
Keep this backup safe and do not forget the password.  All backups are encrypted to the Org Key and cannot be used without it.

Step 17: Confirm all your network details.  Click Back to change any of the settings. 

Step 18: Once you have reviewed all the information in the setup, click Finish.  The PGP Encryption Server will then apply all the configuration data to the server.

At the end of this stage, the option to "Download Organization Key" will appear:

 

As mentioned, it is important to download this key and save for your backups:

Step 19: You will now be presented with the PGP Encryption Server web portal.  Notice the "smc" in the URL, which is the new web portal:

Step 20: Once you login, you'll see all the new KPIs loading:

Once they are loaded, you will see that the PGP Encryption Server needs to be licensed:

Step 21: At this stage of the setup, you are prompted for your license file for PGP Encryption Server.
"Your trial period will end in 90 days.  Upload a license". 

Even if you have entered a license number in the past, it is necessary to re-enter the new license .SLF file to the PGP Encryption Server.
For assistance to enter the new license number, see the following article:

175951 - How to: Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)

For information on how to find your license .SLF file, see the following article:
206503 - How to find your license number for Symantec Encryption products (PGP and SEE)


Step 22: Also on the dashboard, you will see some alerts that some details need to be entered on the "omc" portal.

For example, Directory Synchronization has not been entered, but is not available in the new "smc" console, so the alert states you should login to the SEMS to finish these steps:

To login to the "omc" portal, click the hyperlink in the UI or go to the URL for your IP:

https://192.168.1.170:9000/omc 

Note: The "smc" will have new items and advanced reporting capabilities.  Most of the functionality is being ported over to the "smc" from the "omc" portal.
Much functionality still exists in the "omc" so for now, both UIs will be used.  Eventually, everything will be ported over to the new "smc" portal so familiarize yourself with the new UI.
From here, you can access the old console for familiar management using the OMC icon at the top right of the console:

Now you can enter the credentials and access the omc console:

 

Step 23: The server defaults to "Learn Mode", which means no emails will be encrypted by default.

The yellow hat on the top-right corner of the screen indicates the server is in Learn Mode:

By clicking the yellow hat you'll see this:

To disable Learn Mode, remove the check mark and click "Save".

Important Note: If you are using the server for only File Share Encryption, Drive Encryption, or File Encryption, Learn Mode can be left enabled, however, you still need to upload a license for each component.
If you own the "PGP Encryption Suite" SKU, then all three of these features are automatically enabled with the license.

 

Step 24: This completes the installation and initial setup!

There are two items you should now configure:

Item 1: Configure Directory Synchronization for the PGP Encryption Server:
180239 - Enabling Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)


Item 2: Configure Directory Synchronization for the PGP Admins, which is a new way to use your domain accounts to login to the PGP Encryption Server instead of a regular PGP password:
171746 - LDAP Integration with PGP Administrators via Active Directory (Directory Authentication) for PGP Encryption Server

Step 25: Check out the Release Notes, and System Requirements for additional information you should be aware of. 

 

Additional Information

211876 - Technical considerations when upgrading Encryption Management Server to release 10.5

150915 - PGP Encryption Server Benefits and Considerations for upgrading to version 10.5

180196 - HOW TO: Backup the Organization Key on the PGP Encryption Server (Symantec Encryption Management Server)

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

157080 - Pictured Installation Guide for Symantec Encryption Management Server (PGP Server)

180249 - HOW TO: Configure the Backup Location and schedule for the PGP Encryption Server (Symantec Encryption Management Server)

153588 - Restore Backup files to the PGP Encryption Server (Symantec Encryption Management Server)

180749 - Upgrading PGP Encryption Server using a *.pup file (Symantec Encryption Management Server)

153318 - Restoring Encryption Management Server Backups larger than 2GB

197045 - Custom scripts are moved when upgrading to Encryption Management Server 10.5