Note: This article pertains to PGP Admin 8.x which has reached an End of Support Life (EOSL).
This article defines the Additional Decryption Key (ADK) in PGPAdmin 8.x, gives instructions for assigning ADKs, and makes recommendations for its usage.
An Additional Decryption Key (ADK) is a powerful PGP keypair which allows an organization to decrypt emails, files, and PGPdisks which were encrypted to, or by, someone in the organization. When an ADK is enabled and enforced in an organization, encryption to a user's public key requires encryption to the ADK as well. This allows the owner(s) of the ADK to decrypt a given user's encrypted data without that user's authorization. This ensures that if an employee leaves the organization or must be monitored for any reason, their encrypted data may be decrypted using the ADK.
Types of ADKs
There are three types of ADKs available in PGPAdmin 8.x. Their names and descriptions are as follows:
Note: Because the ADK allows an organization to decrypt data without the authorization of the users in the organization, it is strongly recommended that the ADK be split among several trusted system administrators, and that a reasonable number of administrators be required to rejoin the key.
Designate an ADK
Caution: If you do not enforce the ADK, users will not be required to encrypt to the ADK.
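The following is an added example, not code from the article or from PGPAdmin. It models the two practices described above: enforcement, where a client encrypting to a user's key must also encrypt to the ADK (and a gateway check that rejects messages which do not), and key splitting, where the ADK secret is shared among several administrators and a threshold of them must cooperate to rejoin it. Shamir's threshold scheme is used here purely as an illustration of splitting; it is not PGPAdmin's own splitting code. The key IDs, the policy dictionary and the secret are constructed placeholders.

```python
"""Model of ADK enforcement and ADK key splitting (added example, not PGP code)."""
import hashlib
import secrets

# Shamir arithmetic is done modulo a large prime. 2**521 - 1 is a Mersenne prime,
# large enough to hold a 32-byte secret as a single field element.
P = (1 << 521) - 1

# Constructed policy standing in for the PGPAdmin ADK settings.
ADK_POLICY = {
    "adk_id": "0xADK00001",  # placeholder key ID for the organisation's ADK
    "enforce": True,         # the article's "enforce the ADK" switch
}


def recipients_for_encryption(requested, policy):
    """Key IDs a client actually encrypts to under the ADK policy.

    With enforcement on, the ADK is appended to every recipient list, which is
    what 'encryption to a user's public key requires encryption to the ADK as
    well' means in practice."""
    recipients = list(dict.fromkeys(requested))  # de-duplicate, keep order
    if policy["enforce"] and policy["adk_id"] not in recipients:
        recipients.append(policy["adk_id"])
    return recipients


def complies_with_policy(recipients, policy):
    """Gateway-side check: does a message's recipient set include the ADK?

    Without enforcement there is nothing to check (the article's Caution)."""
    if not policy["enforce"]:
        return True
    return policy["adk_id"] in recipients


def _poly_at(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split `secret` (bytes) into n shares; any k of them rejoin it.

    Returns (shares, check) where check is a SHA-256 commitment to the secret
    so that a rejoin attempt with too few shares is detected rather than
    silently yielding garbage."""
    s = int.from_bytes(secret, "big")
    if not (1 <= k <= n) or s >= P:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]  # a0 = secret
    shares = [(x, _poly_at(coeffs, x)) for x in range(1, n + 1)]
    return shares, hashlib.sha256(secret).hexdigest()


def rejoin_secret(shares, secret_len, check):
    """Lagrange-interpolate the shares at x = 0 and verify against `check`.

    Raises ValueError when the shares do not reconstruct the committed secret
    (for example, fewer than k shares were supplied)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total.bit_length() > secret_len * 8:
        raise ValueError("insufficient or corrupted shares")
    candidate = total.to_bytes(secret_len, "big")
    if hashlib.sha256(candidate).hexdigest() != check:
        raise ValueError("insufficient or corrupted shares")
    return candidate


if __name__ == "__main__":
    # Enforcement: a user-only recipient list gains the ADK automatically.
    print(recipients_for_encryption(["0xUSER0001"], ADK_POLICY))

    # Splitting: a constructed 32-byte ADK secret, 3-of-5 among administrators.
    adk_secret = secrets.token_bytes(32)
    shares, check = split_secret(adk_secret, k=3, n=5)
    quorum = [shares[0], shares[2], shares[4]]
    print(rejoin_secret(quorum, 32, check) == adk_secret)  # True
    try:
        rejoin_secret(shares[:2], 32, check)
    except ValueError as e:
        print("two shares:", e)
```

The commitment stored alongside the shares is the one practical addition over textbook Shamir: without it, a rejoin attempt with too few shares returns a random field element and nothing tells the administrators that the quorum was not met.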