Note: This article pertains to PGP Admin 8.x which has reached an End of Support Life (EOSL).
This article defines the Additional Decryption Key (ADK) in PGPAdmin 8.x, gives instructions for assigning ADKs, and makes recommendations for its usage.
An Additional Decryption Key (ADK) is a powerful PGP keypair which allows an organization to decrypt emails, files, and PGPdisks which were encrypted to, or by, someone in the organization. When an ADK is enabled and enforced in an organization, encryption to a user's public key requires encryption to the ADK as well. This allows the owner(s) of the ADK to decrypt a given user's encrypted data without that user's authorization. This ensures that if an employee leaves the organization or must be monitored for any reason, their encrypted data may be decrypted using the ADK.
Types of ADKs
There are three types of ADKs available in PGPAdmin 8.x. Their names and descriptions are as follows:
- ADK for incoming messages - This ADK requires that users encrypt all incoming messages to the ADK (in addition to the intended recipient's key).
- ADK for outgoing messages - This ADK requires that users in the organization encrypt all outgoing messages to the ADK (in addition to the intended recipient's key). Also, if users encrypt files on their local hard drive, they must encrypt them to the outgoing ADK.
- ADK for PGPdisk - This ADK requires that all newly-created PGP disks be encrypted to the ADK.
|Note: Because the ADK allows an organization to decrypt data without the authorization of the users in the organization, it is strongly recommended that the ADK be split among several trusted system administrators, and that a reasonable number of administrators be required to rejoin the key.
Designate an ADK
- Open PGPAdmin by clicking Start > Programs > PGP > PGPAdmin.
- Click the button labeled Administrative Options.
- From the drop-down menu of the ADK tab, select the type of ADK (incoming messages, outgoing messages, or PGPdisk).
- Check the Enable ADKbox for the type of ADK you selected.
- Check the Force ADK box for the type of ADK you selected.
|Caution: If you do not enforce the ADK, users will not be required to encrypt to the ADK.
- From the list of keys, select the keypair which will be the ADK.
- Choose whether to enforce remote ADK strictness (this will enforce the ADK policies of outside organizations).
- Repeat steps 4-8 if you need to enable/enforce either of the remaining type(s) of ADK.
- If you wish to save the preferences to the local computer, click Apply and OK. If you do not wish to save the preferences to the local computer, click OK.
- If you do not save the preferences to the local computer, you will be prompted to send the preferences to the server (PGP Keyserver) when you attempt to close PGPAdmin. If you opt not to send the preferences to the server, your preferences will not be saved.