
Encryption Management Server SKM format user key becomes corrupt if not set as primary


Article ID: 173775


Products

Encryption Management Server

Issue/Introduction

You can import an additional public S/MIME certificate or PGP key to an Encryption Management Server internal user account by doing the following:

  1. From the administration console, click on Keys / Managed Keys.
  2. Click on the Add Managed Keys button and choose Internal Users.
  3. Browse to the key file or paste the key block.
  4. Click the Import button.
  5. The imported certificate or key will be shown as an additional CKM format key in the user's account.

If you import a public certificate or key, outgoing messages will be encrypted to that key and any other key belonging to the user.

However, the next time the internal user's Encryption Desktop updates its policy, or the user re-enrolls, the user's SKM format key on Encryption Management Server changes to what appears to be a GKM format key. It is in fact an unusable, corrupt key.

If the Encryption Management Server Client log contains an entry like this then the user's SKM format key has been corrupted:

2019/02/04 15:13:05 +00:00  INFO   pgp/client[16713]:     CLIENT-00044: uploaded key Kim Smith <[email protected]>" (KeyID: 0x052CE77A) has group bit when server copy not present/valid
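To find every user affected by this condition rather than reading the Client log by hand, the following script scans the log for CLIENT-00044 "has group bit when server copy not present/valid" entries and reports the timestamp, user ID and KeyID of each one. This is an added example, not Symantec code: the regular expression is derived only from the shape of the entry quoted above, and the sample log lines (including the email addresses and the neighbouring non-matching lines) are constructed for illustration.

```python
import re

# Pattern derived from the CLIENT-00044 entry quoted in the article. The
# field names (ts, level, uid, keyid) are my own. The optional stray quote
# after the user ID is tolerated because it appears in the article's line.
CORRUPT_SKM_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"(?P<level>\w+)\s+pgp/client\[\d+\]:\s+"
    r'CLIENT-00044: uploaded key (?P<uid>.+?)\s*"?\s*\(KeyID: (?P<keyid>0x[0-9A-Fa-f]+)\) '
    r"has group bit when server copy not present/valid$"
)


def find_corrupt_skm_keys(log_text):
    """Return one dict {ts, uid, keyid} per CLIENT-00044 group-bit entry in log_text."""
    hits = []
    for line in log_text.splitlines():
        m = CORRUPT_SKM_RE.match(line.strip())
        if m:
            hits.append({"ts": m.group("ts"),
                         "uid": m.group("uid"),
                         "keyid": m.group("keyid")})
    return hits


def affected_keyids(log_text):
    """Sorted, de-duplicated KeyIDs whose SKM key the log reports as corrupt."""
    return sorted({h["keyid"] for h in find_corrupt_skm_keys(log_text)})


# Constructed sample log: the article's entry, a second constructed
# CLIENT-00044 entry, and two constructed unrelated lines that must not match.
SAMPLE_LOG = """\
2019/02/04 15:12:58 +00:00  INFO   pgp/client[16713]:     some other client message (constructed)
2019/02/04 15:13:05 +00:00  INFO   pgp/client[16713]:     CLIENT-00044: uploaded key Kim Smith <kim.smith@example.com>" (KeyID: 0x052CE77A) has group bit when server copy not present/valid
2019/02/04 15:14:10 +00:00  INFO   pgp/client[16714]:     CLIENT-00044: uploaded key Pat Jones <pat.jones@example.com>" (KeyID: 0x1A2B3C4D) has group bit when server copy not present/valid
2019/02/04 15:15:00 +00:00  INFO   pgp/client[16715]:     another unrelated client message (constructed)
"""

if __name__ == "__main__":
    # Read a real log with: find_corrupt_skm_keys(open(path).read())
    for h in find_corrupt_skm_keys(SAMPLE_LOG):
        print(f'{h["ts"]}  {h["keyid"]}  {h["uid"]}')
```

Each KeyID reported is a user whose SKM keypair should be checked and, if corrupt, restored by re-importing the exported SKM keypair as described under Resolution.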

Cause

The most recently imported certificate or key for a user always becomes that user's primary key in Encryption Management Server. Corruption occurs whenever the primary key becomes any key other than the SKM key issued by Encryption Management Server.

Environment

  • Symantec Encryption Management Server 3.4 and above.
  • Symantec Encryption Desktop 10.4 and above.

Resolution

Do the following, in this order, to ensure that the SKM key issued by Encryption Management Server remains the primary key:

  1. Before importing an additional certificate or key for a user, export the user's SKM keypair to a file.
  2. Import the additional certificate or key for the user.
  3. Import the user's SKM keypair from the file you created in step 1.