PGP Key Renewal - PGP Encryption Management Server user keys are valid for only two weeks
search cancel

PGP Key Renewal - PGP Encryption Management Server user keys are valid for only two weeks

book

Article ID: 157933

calendar_today

Updated On:

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK PGP Encryption Suite Endpoint Encryption File Share Encryption

Issue/Introduction

An internal user needs to send their public key to a third party but they discover that the key is only valid for two weeks at a time. Therefore the user has to send the third party a renewed key on a frequent basis.

 

Environment

PGP Encryption Server 10.5 and above.

Cause

By default, keys managed by the PGP Encryption Server (SKM mode keys) are valid for only two weeks. The day prior to expiry they are renewed for another two weeks as long as the end user has interacted with Encryption Management Server.

Resolution

In Drive Encryption only deployments, PGP keys are not used and therefore the key renewal settings are not important, other than preventing the user's accounts appearing as "Grayed out".

Users who use email encryption or PGP Zip file encryption may need to provide their public key to third parties. Providing a key to a third party that is valid only for a maximum of two weeks is not practical and therefore the default renewal settings should be changed.

If the third party also uses a PGP Server, they can configure their server to lookup your organization's keys on your PGP Server automatically. In this scenario, the validity period of your keys is not important. Otherwise, users will have to exchange public keys with third parties manually.

To change the Key Renewal settings in the Consumer Policy that applies to the user, go to the Generation tab of the Keys section of each consumer policy. The default settings are:

  • Auto Renew Keys Every: 2 weeks
  • Stop Renewing After: 3 months of inactivity

If, for example, the Auto Renew value is set to 2 months, the keys for users in the policy will be valid for two months at a time. Note that if the Auto Renew value is set to Never renew the keys will be given an expiry date of Never and this will not change, even if the policy is changed later.

The Stop Renewing After setting determines when keys should stop being renewed. For example, if Stop Renewing After is set to 3 months and a user in the policy has not interacted with PGP Server in the previous three months then the user's key will not be renewed. Note that a setting of Never stop renewing means that keys will always be renewed, even if the user is inactive.

 

Deciding which settings to use depends on the policies of your organization but if users may need to send their public keys to third parties manually, or if the scenario is a Drive-Encryption only scenario, we recommend setting Auto Renew to 6 months.

Symantec recommends that the Stop Renewing After value should be greater than the Auto renew Keys Every value, and in this case, it would be 1 year.


This means that keys will remain active for 6 months, and then after 6 months, the key expires.  IF the user checks in with the PGP server within 1 year after it was expired, the key can be renewed automatically.  Otherwise, the key will expire and a new key will be generated once the user becomes active again. 

When deciding on appropriate settings, note that an expired key can be used to decrypt data but cannot be used to encrypt data. Therefore if a user leaves the organization it is good housekeeping to allow their key to expire automatically after a period of time so that it cannot be used for data encryption.

Additional Information

236768 - Unable to Sign with SMIME Certificate: Item Not Found

ISFR-2159/EPG-27234

EPG-26606

Increased PGP Key Management
ISFR-2335, ISFR-2336, ISFR-2334, ISFR-2333