HOWTO: Retrieve which Consumers have and don't have a Key Reconstruction Block set up for their PGP key

Article ID: 158180

Products

Desktop Email Encryption, Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Occasionally you may need to obtain information on which Symantec Encryption Management Server (SEMS) Consumers have or don't have a Key Reconstruction Block (KRB) set up for their PGP key.

In the Symantec Encryption Management Server Admin interface, the symbol for the Key Reconstruction Block may not display for some Internal Users.

Resolution

Accessing the PGP Universal Server command line for read-only purposes (such as to view settings, services, logs, processes and disk space, or to query the database) is supported. However, performing configuration modifications or customizations via the command line may void your Symantec Support agreement unless the following procedures are followed.

Any changes made to the PGP Universal Server via the command line must be:

  • Authorized in writing by Symantec Technical Support or published as an approved and documented process on the Symantec Knowledge Base.
  • Implemented by a Symantec Partner, reseller or Symantec Technical Support.
  • Summarized and documented in a text file in /var/lib/ovid/customization on the PGP Universal Server itself.

Caution: Changes made through the command line may not persist through reboots and may be incompatible with future releases. Symantec Technical Support may also require reverting any custom configurations on the PGP Universal Server back to a default state when troubleshooting new issues.

Use the following commands to determine the status of each Consumer's Key Reconstruction Block on SEMS.

Creates a list of users with keys that have a KRB:

psql -U ovidr -d oviddb -c 'select csr.name,iur.primary_email_address,iur.desktop_lastseen,csr.created,key.keyid,key.key_expiration,key.sig_expiration,key.revoked from consumer as csr left join internal_user as iur on (csr.uuid=iur.consumer_uuid) left join internal_user_key as iuk on (iur.uuid=iuk.internal_user_uuid) left join key on (iuk.keyid=key.keyid) left join key_reconstruction_block as krb on (key.keyid=krb.keyid) where krb.id is not null;' > userswithKRB.txt

 

Creates a list of users with keys without a KRB:

psql -U ovidr -d oviddb -c 'select csr.name,iur.primary_email_address,iur.desktop_lastseen,csr.created,key.keyid,key.key_expiration,key.sig_expiration,key.revoked from consumer as csr left join internal_user as iur on (csr.uuid=iur.consumer_uuid) left join internal_user_key as iuk on (iur.uuid=iuk.internal_user_uuid) left join key on (iuk.keyid=key.keyid) left join key_reconstruction_block as krb on (key.keyid=krb.keyid) where krb.id is null;' > userswithoutKRB.txt
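
The two reports above can also be produced as a single read-only query with a has_krb column. This is an added example, not part of the original Symantec article; it uses only the tables and columns that appear in the commands above, and the file name krb_report.sql is an assumption. Because the commands above use left joins, the "without a KRB" list also contains Consumers that have no internal user record or no key at all (their keyid column is empty); the inner joins below restrict the report to Consumers that actually have a key.

```sql
-- krb_report.sql (hypothetical file name)
-- Read-only report: one row per internal user key, flagged by KRB status.
-- Tables and columns are the ones used in the article's own queries.
select csr.name,
       iur.primary_email_address,
       iur.desktop_lastseen,
       csr.created,
       k.keyid,
       k.key_expiration,
       k.sig_expiration,
       k.revoked,
       -- EXISTS avoids duplicate rows if a key has more than one KRB record
       case when exists (select 1
                         from key_reconstruction_block as krb
                         where krb.keyid = k.keyid)
            then 'yes'
            else 'no'
       end as has_krb
from consumer as csr
-- Inner joins: only Consumers that have an internal user record and a key
join internal_user as iur on (csr.uuid = iur.consumer_uuid)
join internal_user_key as iuk on (iur.uuid = iuk.internal_user_uuid)
join key as k on (iuk.keyid = k.keyid)
-- Keys without a KRB sort first, then alphabetically by Consumer name
order by has_krb, csr.name;
```

Run it with the same read-only account as the commands above, for example: psql -U ovidr -d oviddb -f krb_report.sql > krb_report.txt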