HOW TO: Backup the Organization Key on Symantec Encryption Management Server
Article ID: 180196

Products

Encryption Management Server, Gateway Email Encryption, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) is at its core a keyserver: it manages the public and private keys for an organization. The Organization Key is used to sign all user keys and to encrypt server backups. Keys that reside on the server, including the Organization Key pair, can be exported.

This article details how to back up the Organization Key for the PGP Server.

Resolution

Because every backup is encrypted to the Organization Key, it is extremely important to back the Organization Key up. If the Organization Key is not backed up, it is not possible to restore from backups encrypted to it.

Important Note: Take special care to protect the Organization Key when exporting it. Do not export the Organization Key without a passphrase unless absolutely necessary, and if that is done, protect the exported file so that it does not end up in unauthorized hands.

Each PGP Encryption Server is pre-configured with a unique Organization Key generated by the Setup Assistant. If different settings are needed for this key, the Organization Key can be regenerated with new settings; however, this should only be done before the server goes live or creates any user keys, because existing user keys are signed with, and existing backups are encrypted to, the original key.

The Organization Key automatically renews itself one day before its expiration date, keeping all of the same settings.

The Organization Key can be backed up during the initial installation of the server or by exporting it from the PGP Encryption Server administrative interface.

To back up your Organization Key:

  1. Log into the PGP Encryption Server administrative interface.
  2. Click the Keys tab and then click Organization Keys.
  3. Click on your Organization Key. (In this example it is called "example.com", after the domain name.) The key's information is displayed.
  4. Click Export.
  5. Select Export Keypair, then click Export Keypair and enter a passphrase.

    Note: It is important to export the full keypair. Exporting only the public portion will not allow restoration of the backup, because the private half of the keypair is what decrypts the backup. Also, make sure the passphrase used to protect the Organization Key is not forgotten: if the passphrase is not known, the backup cannot be restored.

  6. Click Save and choose a location for your key. The filename will be the Key ID of the Organization Key.

    It is useful to rename the exported file to something more meaningful. Then store it in a secure location.

    This Organization Key file can then be used to restore backups.
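The two failure modes called out in the note under step 5 (a public-only export, and a keypair exported without a passphrase) can be caught mechanically before the exported file is filed away. The checker below is an added example and is not part of this article or of the product: it parses the OpenPGP packet stream of an exported key file (ASCII-armored or binary), reports whether secret-key packets are present at all, and whether each one is passphrase-protected (a non-zero S2K usage byte per RFC 4880 section 5.5.3). The sample exports at the bottom are constructed toy packet streams with nonsense numbers, not real key material; the file name, the set of supported algorithms and the armor header text are assumptions.

```python
"""Sanity-check an exported Organization Key file before filing it away.
Verifies (1) the file contains secret-key packets, i.e. the full keypair was
exported rather than only the public half, and (2) every secret key is
passphrase-protected (OpenPGP S2K usage byte != 0, RFC 4880 section 5.5.3)."""
import base64
import re

PUBLIC_KEY, SECRET_KEY, PUBLIC_SUBKEY, SECRET_SUBKEY = 6, 5, 14, 7
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}  # RSA, ElGamal, DSA, ECDH/ECDSA/EdDSA

ARMOR = re.compile(
    rb"-----BEGIN PGP [^\n]*-----\r?\n"  # armor header line
    rb"(?:[^\n]*:[^\n]*\r?\n)*\r?\n"     # optional "Key: value" lines, then a blank line
    rb"(.*?)\r?\n-----END PGP", re.S)    # base64 body; its last line is the "=CRC24" trailer

def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes, stripping ASCII armor if present (CRC24 trailer is not checked)."""
    m = ARMOR.search(data)
    if not m:
        return data
    return base64.b64decode(b"".join(ln for ln in m.group(1).splitlines() if not ln.startswith(b"=")))

def iter_packets(raw: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format packet headers."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:                               # new-format header
            tag, first = ctb & 0x3F, raw[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length, hlen = ((first - 192) << 8) + raw[i + 2] + 192, 3
            elif first == 255:
                length, hlen = int.from_bytes(raw[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)
            length = int.from_bytes(raw[i + 1:i + hlen], "big")
        body = raw[i + hlen:i + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += hlen + length

def s2k_usage(body: bytes) -> int:
    """S2K usage byte of a v4 secret-key packet: 0 means the private material is stored in the clear."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, off = body[5], 6                           # version, 4-byte creation time, algorithm id
    if algo not in MPI_COUNT:
        raise ValueError(f"unknown public-key algorithm {algo}")
    if algo in (18, 19, 22):                         # ECC keys carry a curve OID before the point MPI
        off += 1 + body[off]
    for _ in range(MPI_COUNT[algo]):                 # skip the public MPIs (2-byte bit count + value)
        off += 2 + (int.from_bytes(body[off:off + 2], "big") + 7) // 8
    if algo == 18:                                   # ECDH additionally carries KDF parameters
        off += 1 + body[off]
    return body[off]

def check_export(data: bytes) -> dict:
    """Report whether an export is restorable: full keypair present and passphrase-protected."""
    secret = [b for t, b in iter_packets(dearmor(data)) if t in (SECRET_KEY, SECRET_SUBKEY)]
    return {"keypair": bool(secret),
            "protected": bool(secret) and all(s2k_usage(b) != 0 for b in secret)}

# --- CONSTRUCTED sample exports (toy numbers, not real key material) ---
def _mpi(v: int) -> bytes:
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _packet(tag: int, body: bytes) -> bytes:         # old-format header with a 2-byte length
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

_PUB = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)  # v4 RSA public part
_PROTECTED = _PUB + b"\xfe" + b"\x09\x03\x08" + bytes(9) + bytes(16) + b"\x11" * 40  # usage 254: AES-256, S2K spec, IV, ciphertext
_PLAIN = _PUB + b"\x00" + _mpi(0xDEAD) + b"\x00\x00"                                # usage 0: private MPIs and checksum in the clear
_UID = _packet(13, b"example.com <pgp@example.com>")

KEYPAIR_EXPORT = _packet(SECRET_KEY, _PROTECTED) + _UID + _packet(SECRET_SUBKEY, _PROTECTED)
PUBLIC_ONLY_EXPORT = _packet(PUBLIC_KEY, _PUB) + _UID + _packet(PUBLIC_SUBKEY, _PUB)
UNPROTECTED_EXPORT = _packet(SECRET_KEY, _PLAIN) + _UID

def armor(raw: bytes) -> bytes:
    """ASCII-armor a packet stream; the CRC24 trailer is a placeholder because dearmor() ignores it."""
    return (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.encodebytes(raw) + b"=AAAA\n-----END PGP PRIVATE KEY BLOCK-----\n")

if __name__ == "__main__":
    import sys  # usage: python check_orgkey_export.py <exported key file>; defaults to the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else armor(KEYPAIR_EXPORT)
    print(check_export(data))
```

A result of `{"keypair": False, ...}` means only the public half was exported and the file cannot decrypt a backup; `{"keypair": True, "protected": False}` means the private key is on disk in the clear and should be re-exported with a passphrase or stored with equivalent controls. On a host with GnuPG, `gpg --list-packets <file>` shows the same packet tags and S2K fields for a manual cross-check.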

Additional Information

180249 - HOW TO: Configure the Backup Location and schedule for Encryption Management Server

153588 - Restore Backup files to Symantec Encryption Management Server (PGP Server)

153318 - Restoring Encryption Management Server Backups larger than 2GB
