Backup the Organization Key on the PGP Encryption Server (Symantec Encryption Management Server)

Products

Encryption Management Server Gateway Email Encryption Desktop Email Encryption Drive Encryption Endpoint Encryption File Share Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK PGP Encryption Suite

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) at the core is a keyserver and will manage all the public and private keys for an organization. The Organization Key is used to sign all user keys and to encrypt server backups. As such, keys that reside on the server can be exported, including the Organization Key Pair.

This article details how to backup the Organization Key for the PGP Encryption Server.

Resolution

As all backups are encrypted with the Organization Key, it is extremely important to back up the Organization Key. If the Organization Key is not backed it up, it is not possible to restore from backups encrypted to the Organization Key.

Important Note: Make special care to protect the organization key when exporting. Do not allow the Org Key to be exported without a passphrase unless absolutely necessary, and if this is done, protect it so that it does not end up in unauthorized hands.

Ignition Keys are also linked to the Org Key, so if the Ignition Key password cannot be entered, the passphrase and Org Key can unlock the system.
For more information on Ignition Keys in case a server is rebooted, see the following article:

153393 - The Ignition Key Passphrase must be entered after a PGP Encryption Server is rebooted (Symantec Encryption Management Server)

Each PGP Encryption Server is pre-configured with a unique Organization Key generated by the Setup Assistant. If different settings for this key is needed, the Organization Key can be re-generated based on new settings, however this should only be done prior to live deployment of the server or creation of user keys by the server.

The Organization Key automatically renews itself one day before its expiration date including all of the same settings.

The Organization Key can be backed up during the initial installation of the server or by exporting the key from the PGP Encryption Server interface.

To backup your Organization Key:

Log into the PGP Encryption Server administrative interface.
Click the Keys tab and then click Organization Keys:
Click on your Organization Key (In this example, it's called "example.com" after the domain name. The information of your key is displayed:
Click Export.
Select Export Keypair then click Export Keypair and enter a passphrase:

Note: It is important to export the full keypair. Exporting only the public portion will not allow restoration of the backup, as the keypair is what is needed to decrypt the backup. Also, ensure the passphrase used to protect the Organization Key is not forgotten. If the passphrase of the Organization Key is not known, it is not possible to restore a backup.
Click Save and choose a location for your key. The filename will be the KeyID for the Org key:

It is useful to rename the Org Key to something that makes more sense. Then store this in a secure location.

This Org Key can then be used to restore backups.