The Symantec Encryption Management Server (PGP Server) Verified Directory (VKD) service allows internal or external users to upload their public keys using a web interface running on HTTP or HTTPS.
It also allows users running Symantec Encryption Desktop (PGP Desktop) or PGP Command Line to upload public keys to Encryption Management Server. However, this is only available over LDAP or LDAPS and it also requires the Keyserver service to be enabled.
The Verified Directory service is disabled by default.
Depending on the Vetting Method that is configured, Verified Directory sends verification messages to the email addresses of the keys that are submitted to it. If the key owner responds to the verification message with permission to add the key, then the key is added to the directory.
Clearly, if an internal user submits a third party's public key to Verified Directory then the email Vetting Method is not appropriate because the third party would receive verification emails.
Published user keys are signed by another key. Keys submitted by internal users are signed by the Encryption Management Server Organization Key. Keys submitted by external users are signed by the Verified Directory Key. Prior to enabling Verified Directory, you must upload a Verified Directory key by navigating to Keys / Organization Keys and clicking on the button to upload a Verified Directory Key. This key pair should be created on a standalone system running PGP Command Line or Encryption Desktop.
The Verified Directory web interface allows users to search the directory for the public keys of persons to whom they want to send secured messages.
Once a key that has been uploaded using Verified Directory is published, it is available for use in encryption in the same way as the keys of External Users. However, unlike External User keys, Verified Directory keys are not replicated to other cluster members.
Important Note about VKD Signing Keys: Before you can properly use Verified Directory, you need a VKD Signing key. Ensure this key does not have an expiration date in the near future, because when the signing key expires the keys uploaded to the VKD are removed. We recommend choosing an expiration date a few years in advance so that you never have to worry about this.
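As an added defender's check for the expiration advice above (not part of the original article), the following script parses `gpg --list-keys --with-colons` output from the standalone system where the Verified Directory key pair was generated and flags any primary key that has expired or expires within a configurable window. The sample listing, key IDs and the two-year `min_years` threshold are constructed assumptions.

```python
import datetime as dt
from typing import Optional

# Constructed sample of `gpg --list-keys --with-colons` output; these are not real keys.
# Field 4 is the key ID, field 5 the creation date, field 6 the expiry (empty = never).
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1900000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Verified Directory Key <vkd@example.com>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:1600000000:1720000000::u:::scESC::::::23::0:
uid:u::::1600000000::1111111111111111111111111111111111111111::Old VKD Key <old-vkd@example.com>::::::::::0:
pub:u:4096:1:1111222233334444:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::2222222222222222222222222222222222222222::No Expiry <noexp@example.com>::::::::::0:
"""

SECONDS_PER_YEAR = 365.25 * 86400


def _parse_gpg_date(field: str) -> Optional[int]:
    """gpg emits an empty field for 'never', epoch seconds, or ISO 8601 (yyyymmddThhmmss)."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    parsed = dt.datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(parsed.timestamp())


def check_signing_keys(colons_output: str, now: int, min_years: float = 2.0) -> list:
    """Classify every primary ('pub') key as ok, expires_soon, expired or no_expiry.

    `now` is an epoch timestamp; keys expiring before now + min_years are flagged.
    """
    threshold = now + min_years * SECONDS_PER_YEAR
    results = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        keyid, expires = fields[4], _parse_gpg_date(fields[6])
        if expires is None:
            status = "no_expiry"
        elif expires <= now:
            status = "expired"
        elif expires < threshold:
            status = "expires_soon"
        else:
            status = "ok"
        results.append({"keyid": keyid, "expires": expires, "status": status})
    return results
```

Run it against the real listing with `subprocess.run(["gpg", "--list-keys", "--with-colons"], capture_output=True, text=True).stdout` and `now=int(time.time())`; any key reported as `expires_soon` or `expired` should be renewed before it is used to sign Verified Directory submissions.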
The PGP Server has always allowed the upload of PGP keys to the portal. Starting with PGP Server 10.5.1, there is new functionality to allow the upload of S/MIME certificates to the portal.
To be able to do this, there is a preference that needs to be enabled (it is disabled by default).
To enable it, edit prefs.xml and set the allow-smime-cert-import parameter to "true".
There is no need to restart services.
If you would like assistance making this change, please reach out to Symantec Encryption Support and we can assist in doing this.
Internal user keys submitted through Verified Directory are replicated throughout a cluster. However, submitted external user keys are not replicated.
To make sure these keys are replicated across your cluster, you can manually add Verified Directory user keys to the external user list. Export the Verified Directory user keys, then re-import them into the External Users page.
You can also make sure external user Verified Directory keys are always available by building an Encryption Management Server to function as a dedicated Verified Directory server. Make sure that you add the Verified Directory server to your list of searchable key servers for any mail policy rule that requires it.