Using PGP Command Line with Symantec Encryption Management Server

Article ID: 159237

Products

PGP Command Line

Issue/Introduction

A unique feature of PGP Command Line is that it can authenticate to Encryption Management Server using the USP (Universal Services Protocol). This is very similar to the way in which Encryption Desktop users enroll to Encryption Management Server. In this configuration, Encryption Management Server is sometimes referred to as a Key Management Server (KMS).

USP runs over HTTPS on port 443, and the connection is secured by the server's TLS certificate.

Once authenticated, the PGP Command Line user can access their private PGP key directly from Encryption Management Server; they do not need to store the key in their local keyring. This allows for more secure key management. When using Symantec Encryption Management Server to store keys, all keys are stored in a secured database on the server itself.

This article includes examples of how PGP Command Line interacts with Encryption Management Server over the Universal Services Protocol.

Environment

  • PGP Command Line 10.4.2 and above.
  • Encryption Management Server 3.4.2 and above.

Resolution

See the attachment PGP_Command_Line_Commands_1603298595637.xlsx for general PGP Command Line commands that apply where local keys are being used.

PGP Command Line USP options

Before accessing any of the keys on Encryption Management Server, the PGP Command Line user has to authenticate to Encryption Management Server. The authentication credentials are cached. At no point are keys stored in the local keyring.

In the examples below, the following values are used:

  • Encryption Management Server FQDN: keys.example.com
  • Encryption Management Server username: user1
  • Encryption Management Server user passphrase: mypassword
  • Encryption Management Server managed key name: "User One <[email protected]>"
  • File to sign and/or encrypt: test.txt
  • File to verify and/or decrypt: test.txt.pgp

Note that the managed key name must match exactly how it appears in the Name column of the Keys / Managed Keys page of the Encryption Management Server administration console.


Authenticate to server and cache credentials

Authenticating to Encryption Management Server is compulsory. Once the credentials are cached, they do not need to be supplied again for subsequent commands:
pgp --auth-username user1 --auth-passphrase mypassword --usp-cache-auth --usp-server keys.example.com
keys.example.com:USP cache auth (0:Authentication cached)


Clear Authentication Cache

For security reasons, the PGP Command Line cached credentials can be cleared. In order to do this, run the following command:
pgp --usp-clear-cache --usp-server keys.example.com
keys.example.com:USP clear cache (0:Authentication no longer cached)


Once the cached credentials are cleared, a command like this fails:
pgp --usp-server keys.example.com --usp-cache-auth --encrypt test.txt --recipient "User One <[email protected]>"
pgp:encrypt (3090:operation failed, no secret key found)


List all users

The --search-mak switch without parameters will retrieve all users. Note that the UUID is the UUID of the managed key:
pgp --usp-server keys.example.com --search-mak
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>
0136e884-aaf1-4dc7-9351-18b99d5c5f87  SKM   User Two <[email protected]>
0399183f-ec2b-4e38-9450-bc6d706caf2f  CKM   User Three <[email protected]>

Find a user based on email address

Linux

pgp --usp-server keys.example.com --search-mak 'CI(EMAIL,"[email protected]")' 
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>

Windows

pgp --usp-server keys.example.com --search-mak "CI(EMAIL,\"[email protected]\")"
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>


Find a user based on name

Linux

pgp --usp-server keys.example.com --search-mak 'CI(COMMON_NAME,"User One")' 
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>

Windows

pgp --usp-server keys.example.com --search-mak "CI(COMMON_NAME, \"User One\")" 
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>

Find a user based on UUID

Linux

pgp --usp-server keys.example.com --search-mak 'EQ(UUID,"009bcd12-8528-4289-84a6-b45f3008d39d")' 
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>

Windows

pgp --usp-server keys.example.com --search-mak "EQ(UUID, \"009bcd12-8528-4289-84a6-b45f3008d39d\")"
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>


Find a Key ID based on email address

Linux

pgp --usp-server keys.example.com --search-mak --details 'CI(EMAIL,"[email protected]")' |grep 'Key ID' 
Key ID: 0x052CE77A (0x685387E0052CE77A)

Windows

pgp --usp-server keys.example.com --search-mak --details "CI(EMAIL,\"[email protected]\")" |find "Key ID"
Key ID: 0x052CE77A (0x685387E0052CE77A)

Find a user based on Key ID

Note that either the short or long form of Key ID can be used.

Linux

pgp --usp-server keys.example.com --search-mak 'EQ(KEY_ID,0x052CE77A)'
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>

Windows

pgp --usp-server keys.example.com --search-mak "EQ(KEY_ID,0x052CE77A)"
UUID                                  Mode  Name
------------------------------------  ----  ----
009bcd12-8528-4289-84a6-b45f3008d39d  SKM   User One <[email protected]>
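As an added example that is not part of this article and not Symantec's own tooling, the POSIX shell helpers below act on the two output formats shown in the sections above: the "(code:message)" status line that pgp prints after each operation, and the UUID/Mode/Name table and "Key ID:" line returned by --search-mak. They let a batch job stop on a non-zero status (such as the 3090 seen after the cache is cleared) and look up a managed key's UUID or long Key ID by its exact name. The server name and key names are the article's example values; the sample rows in the comments are constructed from the tables above.

```shell
#!/bin/sh
# Added helper functions (not from the article or from Symantec) for scripting the
# USP calls shown above. They parse what pgp prints: the "(code:message)" status
# and the --search-mak table, so a job can stop on a failed step instead of
# carrying on with an unencrypted file.
USP_SERVER="${USP_SERVER:-keys.example.com}"   # value from the article's examples

# Print the numeric status from a pgp result line, e.g.
#   keys.example.com:USP cache auth (0:Authentication cached)   -> 0
#   pgp:encrypt (3090:operation failed, no secret key found)     -> 3090
pgp_status_code() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\):.*/\1/p'
}

# Return 0 only when the result line reports status 0.
pgp_ok() {
    [ "$(pgp_status_code "$1")" = "0" ]
}

# Read --search-mak table output on stdin and print the UUID of the row whose
# Name column equals the managed key name given as $1. Returns 1 if none match.
mak_uuid_for_name() {
    awk -v want="$1" '
        NR > 2 {                      # skip the header and dashed separator rows
            name = $3
            for (i = 4; i <= NF; i++) name = name " " $i
            if (name == want) { print $1; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Read --search-mak --details output on stdin and print the long Key ID, e.g.
#   Key ID: 0x052CE77A (0x685387E0052CE77A)   -> 0x685387E0052CE77A
mak_long_key_id() {
    sed -n 's/^[[:space:]]*Key ID: 0x[0-9A-Fa-f]* (\(0x[0-9A-Fa-f]*\)).*/\1/p'
}

# Live use (needs pgp on PATH and cached credentials, see the commands above):
#   pgp --usp-server "$USP_SERVER" --search-mak | mak_uuid_for_name "User One <[email protected]>"
#   pgp_ok "$(pgp --usp-server "$USP_SERVER" --usp-cache-auth --encrypt test.txt \
#             --recipient "User One <[email protected]>" 2>&1)" || echo "encrypt failed" >&2
```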


Sign a file using the authenticated user's email address

Note that it is not necessary to specify the --usp-cache-auth switch.
pgp --usp-server keys.example.com --sign test.txt --signer "User One <[email protected]>"
test.txt.pgp:sign (0:output file test.txt.pgp)


Encrypt a file to the authenticated user's key based on email address

pgp --usp-server keys.example.com --usp-cache-auth --encrypt test.txt --recipient "User One <[email protected]>"
test.txt:encrypt (0:output file test.txt.pgp)


Encrypt a file to the authenticated user's key and sign based on email address

pgp --usp-server keys.example.com --usp-cache-auth --encrypt test.txt --recipient "User One <[email protected]>" --signer "User One <[email protected]>"
test.txt:encrypt (0:output file test.txt.pgp)


Encrypt a file to two keys and sign using email addresses

pgp --usp-server keys.example.com --usp-cache-auth --encrypt test.txt --recipient "User One <[email protected]>" --recipient "User Two <[email protected]>" --signer "User One <[email protected]>"
test.txt:encrypt (0:output file test.txt.pgp)


Decrypt a file using the authenticated user's key

Note that it is not necessary to specify the --usp-cache-auth switch.
pgp --decrypt test.txt.pgp --usp-server keys.example.com
test.txt.pgp:decrypt (0:output file test.txt)


Decrypt and verify a file using the authenticated user's email address

Note that it is not necessary to specify the --usp-cache-auth switch.
pgp --usp-server keys.example.com --decrypt test.txt.pgp --verify-with "User One <[email protected]>"
test.txt.pgp:decrypt (0:output file test.txt)

Attachments

PGP Command Line Commands_1603298595637.xlsx