
Symantec Encryption Management Server user keys are valid for only two weeks


Article ID: 157933




Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption


An internal user needs to send their public key to a third party but discovers that the key is valid for only two weeks at a time. The user therefore has to send the third party a renewed key on a frequent basis.



By default, keys managed by Encryption Management Server (SKM mode keys) are valid for only two weeks. The day prior to expiry, they are renewed for another two weeks, as long as the end user has interacted with Encryption Management Server.


Symantec Encryption Management Server 3.4 and above.


In Drive Encryption-only deployments, PGP keys are not used and therefore the key renewal settings are not important.

Users who use email encryption or PGP Zip file encryption may need to provide their public key to third parties. Providing a key to a third party that is valid only for a maximum of two weeks is not practical and therefore the default renewal settings should be changed.

If the third party also uses Encryption Management Server, they can configure their Encryption Management Server to look up your organization's keys on your Encryption Management Server automatically. In this scenario, the validity period of your keys is not important. Otherwise, users will have to exchange public keys with third parties manually.

To change the Key Renewal settings in the Consumer Policy that applies to the user, go to the Generation tab of the Keys section of each consumer policy. The default settings are:

  • Auto Renew Keys Every: 2 weeks
  • Stop Renewing After: 3 months of inactivity

If, for example, the Auto Renew value is set to 2 years, the keys for users in the policy will be valid for two years at a time. Note that if the Auto Renew value is set to Never renew, the keys will be given an expiry date of Never and this will not change, even if the policy is changed later.

The Stop Renewing After setting determines when keys should stop being renewed. For example, if Stop Renewing After is set to 3 months and a user in the policy has not interacted with Encryption Management Server in the previous three months then the user's key will not be renewed. Note that a setting of Never stop renewing means that keys will always be renewed, even if the user is inactive.

Which settings to use depends on the policies of your organization, but if users may need to send their public keys to third parties, consider setting Auto Renew to 2 or 3 years.

Symantec recommends that the Stop Renewing After value should be greater than the Auto Renew Keys Every value.

When deciding on appropriate settings, note that an expired key can be used to decrypt data but cannot be used to encrypt data. Therefore, if a user leaves the organization, it is good housekeeping to allow their key to expire automatically after a period of time so that it cannot be used for data encryption.
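To estimate how long a departed user's key stays usable for encryption under a given pair of settings, the renewal rule described above can be modelled as below. This is an added sketch, not Symantec code: the function name, the scenario dates and the day counts used for "3 months" and "2 years" are constructed, and it assumes each renewal extends the previous expiry date by the Auto Renew interval.

```python
from datetime import date, timedelta

def final_expiry(created, auto_renew, stop_after, last_interaction):
    """Date on which a key finally expires, or None if it never does.

    auto_renew       -- "Auto Renew Keys Every" as a timedelta; None = "Never renew"
    stop_after       -- "Stop Renewing After" as a timedelta; None = "Never stop renewing"
    last_interaction -- last date the user interacted with the server
    """
    if auto_renew is None:      # key gets an expiry date of Never
        return None
    if stop_after is None:      # key is renewed even if the user is inactive
        return None
    expiry = created + auto_renew
    while True:
        check = expiry - timedelta(days=1)   # renewal runs the day prior to expiry
        if check - last_interaction > stop_after:
            return expiry                    # user inactive too long: no renewal
        expiry += auto_renew                 # assumption: extend from the old expiry

# Constructed scenario: key created 2022-09-01, user leaves on 2024-06-30.
CREATED, LEFT = date(2022, 9, 1), date(2024, 6, 30)
# Assumed day counts: 3 months = 90 days, 2 years = 730 days.
WEEKS_2, MONTHS_3, YEARS_2 = timedelta(weeks=2), timedelta(days=90), timedelta(days=730)

if __name__ == "__main__":
    for label, renew in (("2 weeks", WEEKS_2), ("2 years", YEARS_2)):
        end = final_expiry(CREATED, renew, MONTHS_3, LEFT)
        print(f"Auto Renew {label}: usable for encryption until {end} "
              f"({(end - LEFT).days} days after departure)")
```

Under this model, a long Auto Renew interval means a user who was still active at the last renewal check keeps a valid key for up to one full interval after leaving, which is worth weighing against the convenience for third parties.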


Important Note: If PGPrep or other critical services are not functional, key renewal can fail. If you are seeing some keys not renewing, and PGPrep is not running, reach out to Symantec Encryption Support for further assistance.

Additional Information

236768 - Unable to Sign with SMIME Certificate: Item Not Found