Encryption Desktop lets you search for keys using various criteria, including email address. By default, an Encryption Desktop client managed by Encryption Management Server will search keyserver.pgp.com. In practice, most Windows machines will be blocked by the organization's firewall from making direct LDAP connections to keyserver.pgp.com, so Encryption Management Server will attempt to carry out the search on the client's behalf.
However, if a user searches for an email address such as [email protected], Encryption Management Server will not attempt to search keys.example.com on behalf of the client.
If the client attempts to send an encrypted email to an email address such as [email protected], then the behavior is different: Encryption Management Server will attempt to search keys.example.com on behalf of the client.
A warning like this is logged under Reporting / Logs / Client in the Encryption Management Server administration console:
USP-00001: skipping keyserver keys.$ADDRESS_DOMAIN because there is no domain was provided for hostname expansion
This is by design. Searching for keys uses a different process than trying to send an encrypted email.
Do not assume that the recipient has no key just because a key search on the recipient's email address does not find one.
Try to send an encrypted message to the recipient. By default, if the user's email address is [email protected], this will cause Encryption Management Server to try to search for the recipient's key on the host keys.example.com.