
Key Cache with Encryption Management Server FAQ (Caching Keys for inbound email)


Article ID: 158748




Encryption Management Server Gateway Email Encryption


This article will go over some of the FAQs for Key Cache, or "Caching Keys" on Symantec Encryption Management Server (SEMS).

One of the core features of SEMS is acting as a keyserver.  SEMS manages keys so that they can be found via key lookups/searches from various sources.  Having keys on the local SEMS speeds up encryption operations because there is no need to search for keys elsewhere.  One way to benefit from this speed is to cache keys on the "Inbound" mailflow.  If someone sends an SMIME email and SEMS processes it, the SMIME key is typically attached to the email and is then cached on SEMS in its own Key Cache.  Keys are cached temporarily (for a configurable duration) so that further messages to these recipients can be encrypted: the key lookup process finds the key quickly in the local key store, and the overall process is faster.


Symantec Encryption Management Server 10.5 and above.


The Key Cache on SEMS can be accessed by going to Keys, and then clicking on "Key Cache".


Question 1: Do keys in the Key Cache get purged periodically?
Answer: Yes, they are cleaned out after 1 day by default.


For additional information, see the following article:

162609 - Symantec Encryption Management Server (SEMS) Key Cache purge routines differ depending on how keys are retrieved

Question 2: What is the Max Duration for the Key Cache on SEMS?

Answer: The lowest value for which keys can be cached is 1 hour, and the maximum configurable value is 999 days.

Important Note: Keys that are cached via Keyserver lookups or other methods are purged after the configured value; however, keys that are cached via "inbound mail" do not honor this setting.  Instead, keys that are cached via the inbound mailflow are cached for 180 days per a hard-coded setting.

As an example, if the SMIME key is harvested via an inbound email, the key is listed with a source of "mailflow".

In this example, the keys should be cached for 180 days and then purged regardless of the Cache Settings parameters. 

For more information on this behavior, see the following article:

162609 - Encryption Management Server Key Cache purge routines differ depending on how keys are retrieved
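
The retention rules from Questions 1 and 2, as an added example that is not part of the original article or of SEMS itself: a Python check that classifies cached keys by how they were retrieved and how old they are. The record fields (email, source, cached_at), the "keyserver" source label and the sample inventory are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Values stated in the article.
MAILFLOW_RETENTION = timedelta(days=180)  # hard-coded for keys harvested from inbound mail
MIN_TIMEOUT = timedelta(hours=1)          # lowest configurable cache duration
MAX_TIMEOUT = timedelta(days=999)         # highest configurable cache duration
DEFAULT_TIMEOUT = timedelta(days=1)       # default purge interval


def effective_retention(source, configured=DEFAULT_TIMEOUT):
    """Return how long a cached key is kept, given how it was retrieved."""
    if not MIN_TIMEOUT <= configured <= MAX_TIMEOUT:
        raise ValueError("cache timeout must be between 1 hour and 999 days")
    # Keys harvested from inbound mail ignore the configured value.
    return MAILFLOW_RETENTION if source == "mailflow" else configured


def audit(entries, now, configured=DEFAULT_TIMEOUT):
    """Classify each key as 'fresh', 'outlives-setting' or 'due-for-purge'."""
    report = {}
    for e in entries:
        age = now - e["cached_at"]
        if age > effective_retention(e["source"], configured):
            status = "due-for-purge"
        elif age > configured:
            # Still cached only because of the 180-day mailflow rule; if the
            # sender's key was updated, delete it by hand (Question 5).
            status = "outlives-setting"
        else:
            status = "fresh"
        report[e["email"]] = status
    return report


# Constructed sample inventory (hypothetical records, not real SEMS output).
NOW = datetime(2024, 7, 1, 12, 0)
SAMPLE = [
    {"email": "alice@example.org", "source": "mailflow", "cached_at": NOW - timedelta(days=30)},
    {"email": "bob@example.org", "source": "keyserver", "cached_at": NOW - timedelta(hours=6)},
    {"email": "carol@example.org", "source": "keyserver", "cached_at": NOW - timedelta(days=2)},
    {"email": "dave@example.org", "source": "mailflow", "cached_at": NOW - timedelta(days=181)},
]

if __name__ == "__main__":
    for email, status in audit(SAMPLE, NOW).items():
        print(f"{email:20} {status}")
```

Keys reported as 'outlives-setting' are the ones to review when a shorter cache duration was chosen for key freshness.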

Question 3: I have my server in the mailflow, but it's not caching keys--why?

Answer: In order for the keys to be cached, the email containing the key must be an "Inbound" message.  In other words, the SEMS does not harvest keys that are sent "Outbound", as typically all the keys for users sending outbound already exist as "Internal Users" on the SEMS.  Keys are harvested only from Inbound emails.

Question 4: I have an email that came from an external domain, why is it still not caching it?

Answer: Depending on how the proxies of SEMS are configured, the email from an external recipient may be interpreted by SEMS as an "Outbound" message.  If the Proxies are configured with an MTA that is the inbound and outbound connector into SEMS, then having two interfaces on the SEMS with different IP Addresses is recommended.  In this way, the messages for "Inbound" always go to the Inbound IP, and the messages destined for the external domains will always use the Outbound IP Address.

Question 5: Should I purge the Key Cache before the timeout value is reached?

Answer: If you know a single key has been updated, then delete the single key in question from the Key Cache.

Question 6: Immediately after I created a cluster member, the cached keys on the host server are removed and are not replicated.

Answer: The timeout value for cached keys has expired.  After one or more servers are joined to the host server during the creation of a server cluster, one of the services checks the cached key timeout setting as it restarts. If the current date minus the keys’ create date exceeds the defined timeout value, the service flushes the key cache.

Question 7: I have keys cached, but when I send email outbound, the message is not getting encrypted.

Answer: The PGP server will encrypt automatically to cached keys if the keys are cached via a keyserver search.  The PGP server will not encrypt to keys by default if they are observed in the mailflow.  For more information on how to get this to work, see the following article:

233835 - Symantec Encryption Management Server is not Encrypting to cached keys


Additional Information

162609 - Encryption Management Server Key Cache purge routines differ depending on how keys are retrieved

233835 - Symantec Encryption Management Server is not Encrypting to cached keys


ISFR-2131 - Include automatic Smart Trailer functionality for Cached Keys
For this feature request, keys that are cached could be sent to external recipients to opt in to this server for future emails.
To be added to this request, reach out to Symantec Encryption Support and provide this ID.