The PGP Encryption Server Key Cache purge routines differ depending on how keys are retrieved (Symantec Encryption Management Server)

Article ID: 162609


Updated On:

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) Key Cache stores keys that are found in inbound email messages passing through the server or that are looked up on a remote key server. This article discusses some of the nuances of how the key cache works.

Environment

PGP Encryption Server 10.5 and above.

Resolution

The key cache is shown in the administration console under Keys / Key Cache. If the Source column for a key shows Mailflow, the key was found in an email. If the Source column shows the hostname of a key server, the key was retrieved during a key lookup.

For example, keyserver.pgp.com is the hostname of the PGP Global Directory.

Keys retrieved from external key servers are, by default, purged after 1 day. Keys that are retrieved from the inbound mail flow are purged after 180 days.

Clicking on the Cache Settings button allows you to modify the number of days or hours that keys retrieved from external key servers are retained.

Important Note: It is not possible to change the purge settings for keys retrieved from the inbound mail flow.

In other words, if an S/MIME email arrives inbound at the PGP Encryption Server and its key is cached (in Key Cache), that cached key is not purged per the Key Cache Settings configuration; its retention is hardcoded at 180 days.

Only keys that are cached via key server searches are purged per the Key Cache settings.

Keys in the cache can be manually deleted or imported. If they are imported, an external user will be created.

Additional Information