Using Verified Directory to search for and import external user public keys from Encryption Management Server using PGP Command Line

Article ID: 170063

Products

PGP Command Line Encryption Management Server

Issue/Introduction

PGP Command Line can search for the public keys of Internal users on Encryption Management Server over the LDAP or LDAPS protocol and import them into its keyring. However, it cannot search for or import the public keys of External users.

Cause

This is by design.

Environment

  • Encryption Management Server 3.3 or above running the Keyserver service.
  • PGP Command Line 3.3 or above.

Resolution

In order to search for and import the public keys of External users with PGP Command Line, there are two options:

  1. Use the USP (Universal Services Protocol) with PGP Command Line as described in article TECH213984.
  2. Configure Verified Directory on Encryption Management Server as described in article HOWTO41985 and use the LDAP or LDAPS protocol with PGP Command Line.

By default, Internal users do not have permission to submit keys to Verified Directory. Verified Directory Users are allowed to submit keys, and their default Vetting Method is Email. Change this Vetting Method to Implicit if only administrators will be importing the external users' keys.

As described in article HOWTO41985, Verified Directory requires a Verified Directory Key, which is imported from the Keys / Organization Keys menu of the admin console. For convenience, if administrators will be creating the Verified Directory users, this should be a key that does not expire.

Once the Verified Directory service is configured, the Consumers / Users menu in Encryption Management Server will contain a Verified Directory Users sub-menu. From this page, click the Add Verified Directory Users button to add the public keys of external users.

Note that the Verified Directory service listens on HTTP port 80 by default and lets external users submit their own keys to Encryption Management Server through a web page. If Verified Directory is being enabled only so that administrators can add external user keys and PGP Command Line can import them, the service can be paused by clicking the Pause button on the Services / Verified Directory menu of the admin console. The default port can also be changed if it conflicts with another service running on the same network interface.

To search for Verified Directory users with PGP Command Line, use a command like the following, where symantec.com is the email domain of the users to search for and keys.example.com is the Keyserver service on Encryption Management Server. This example uses LDAPS for the search, but LDAP can also be used:

pgp --keyserver-search symantec.com --keyserver ldaps://keys.example.com

The search results show the Key ID of each user. To import a specific key by its Key ID, use the following command:

pgp --keyserver-recv 0x26C84179 --keyserver ldaps://keys.example.com
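The following shell wrapper is an added example and is not part of this article or of PGP Command Line. It wraps the two commands above (search by email domain, then import by Key ID) and validates the domain, the Key ID and the keyserver URL before anything is passed to pgp, warning when the plain ldap:// protocol is chosen instead of ldaps://. It assumes the pgp binary is on PATH (or is named via the PGP_BIN variable); with DRY_RUN=1 it prints each command instead of running it, so the demonstration at the bottom works on a machine without PGP Command Line installed.

```shell
#!/bin/sh
# Added example (not from the KB article or the PGP Command Line product).
# Wraps "pgp --keyserver-search" and "pgp --keyserver-recv" with input checks.
# Assumptions: pgp is on PATH or named via PGP_BIN; DRY_RUN=1 prints the
# command line instead of invoking pgp.

PGP_BIN="${PGP_BIN:-pgp}"

# The keyserver URL must use one of the two protocols the article describes.
valid_keyserver_url() {
  case "$1" in
    ldaps://?*|ldap://?*) return 0 ;;
    *) return 1 ;;
  esac
}

# A Key ID is 0x followed by 8 (short) or 16 (long) hex digits, e.g. 0x26C84179.
valid_key_id() {
  printf '%s' "$1" | grep -Eq '^0x([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})$'
}

# An email domain: dot-separated labels of letters, digits and hyphens.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Run the given command, or print it when DRY_RUN=1.
run_pgp() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Search the keyserver for the keys of users in an email domain.
vd_search() {
  domain="$1"; keyserver="$2"
  valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 2; }
  valid_keyserver_url "$keyserver" || { echo "bad keyserver URL: $keyserver" >&2; return 2; }
  case "$keyserver" in
    ldap://*) echo "warning: plain LDAP; the search is not protected in transit" >&2 ;;
  esac
  run_pgp "$PGP_BIN" --keyserver-search "$domain" --keyserver "$keyserver"
}

# Import one key, identified by its Key ID, from the keyserver.
vd_recv() {
  keyid="$1"; keyserver="$2"
  valid_key_id "$keyid" || { echo "bad key ID: $keyid" >&2; return 2; }
  valid_keyserver_url "$keyserver" || { echo "bad keyserver URL: $keyserver" >&2; return 2; }
  run_pgp "$PGP_BIN" --keyserver-recv "$keyid" --keyserver "$keyserver"
}

# Demonstration with the article's values. DRY_RUN=1 prints the commands
# instead of invoking pgp; unset it to perform the real search and import.
DRY_RUN=1
vd_search symantec.com ldaps://keys.example.com
vd_recv 0x26C84179 ldaps://keys.example.com
```

Run with DRY_RUN=1 first to review the exact command lines, then unset it to perform the search and import against the Keyserver service.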