You can import an additional public S/MIME certificate or PGP key to an Encryption Management Server internal user account by doing the following:
If you import a public certificate or key, outgoing messages will be encrypted to that key and any other key belonging to the user.
However, when the internal user's Encryption Desktop updates its policy or the user re-enrolls, the user's SKM format key on Encryption Management Server changes to what appears to be a GKM format key but is in fact an unusable, corrupt key.
If the Encryption Management Server Client log contains an entry like the following, the user's SKM format key has been corrupted:
2019/02/04 15:13:05 +00:00 INFO pgp/client[16713]: CLIENT-00044: uploaded key Kim Smith <[email protected]>" (KeyID: 0x052CE77A) has group bit when server copy not present/valid
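One way to scan a Client log for this entry and list the affected keys, as an added example that is not part of the original article or the product. It assumes every such line follows the layout of the single entry shown above; the function name, the example.com addresses and the second KeyID are constructed for illustration.

```python
import re

# Pattern derived from the one CLIENT-00044 entry quoted above; the layout of
# other Client log lines is an assumption.
ENTRY = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+\S+\s+'
    r'pgp/client\[\d+\]:\s+CLIENT-00044: uploaded key\s+(?P<user>.*?)\s*'
    r'\(KeyID: 0x(?P<keyid>[0-9A-Fa-f]+)\)\s+'
    r'has group bit when server copy not present/valid'
)

# Constructed sample input: addresses and the second KeyID are made up.
SAMPLE_LOG = """\
2019/02/04 15:13:05 +00:00 INFO pgp/client[16713]: CLIENT-00044: uploaded key Kim Smith <kim.smith@example.com>" (KeyID: 0x052CE77A) has group bit when server copy not present/valid
2019/02/04 15:14:10 +00:00 INFO pgp/client[16713]: (constructed unrelated entry)
2019/02/05 09:02:41 +00:00 INFO pgp/client[16802]: CLIENT-00044: uploaded key Kim Smith <kim.smith@example.com>" (KeyID: 0x052CE77A) has group bit when server copy not present/valid
2019/02/05 09:30:00 +00:00 INFO pgp/client[16802]: CLIENT-00044: uploaded key Lee Jones <lee.jones@example.com>" (KeyID: 0x0A1B2C3D) has group bit when server copy not present/valid
"""


def find_corrupted_keys(lines):
    """Group CLIENT-00044 'group bit' entries by KeyID, in order of first sighting."""
    found = {}
    for line in lines:
        m = ENTRY.match(line.strip())
        if m is None:
            continue  # not the corruption indicator
        key_id = "0x" + m["keyid"].upper()
        rec = found.setdefault(key_id, {
            "key_id": key_id,
            "user": m["user"].strip('" '),  # tolerate stray quotes around the name
            "first_seen": m["ts"],
            "count": 0,
        })
        rec["last_seen"] = m["ts"]
        rec["count"] += 1
    return list(found.values())


if __name__ == "__main__":
    for rec in find_corrupted_keys(SAMPLE_LOG.splitlines()):
        print(f'{rec["key_id"]}  {rec["user"]}  hits={rec["count"]}  '
              f'first={rec["first_seen"]}  last={rec["last_seen"]}')
```

Each KeyID reported identifies a user whose SKM key should be checked on the server.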
The most recent certificate or key that is imported for a user into Encryption Management Server always becomes the user's primary key. Corruption occurs if the primary key changes to a key other than the SKM key issued by Encryption Management Server.
Do the following to ensure that the SKM key issued by Encryption Management Server remains primary: