ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

HOW TO: Remove an Additional Decryption Key (ADK)


Article ID: 180197


Updated On:


Symantec Products




This article describes how to remove an Additional Decryption Key (ADK) from a PGP key.

An additional decryption key (ADK) is a key generally used by security officers of an organization to decrypt messages that have been sent to or from employees within the organization.

Messages encrypted by a key with an ADK are encrypted to the public key of the recipient and to the ADK, which means the holder of the ADK can also decrypt the message.

An Additional Decryption Key (ADK) is a way to retrieve an email message or other encrypted data if the recipient is unable or unwilling to do so and if required by regulation or security policy. Every message sent by an internal user is also encrypted to the ADK. Messages encrypted to the ADK can be opened by the recipient and/or by the holder(s) of the ADK. The ADK is also added to disks encrypted with PGP Whole Disk Encryption.

If you have an Additional Decryption Key uploaded, all outbound email is encrypted to it when mail policy is applied. This setting appears in the Send (encrypted/signed) action and the setting cannot be disabled.

If you use an ADK, PGP Universal Server adds the ADK to all new keys that it generates and all outbound email messages are automatically encrypted to it.

Note: When using an ADK on your server, ALL user keys added after the ADK is imported will have an ADK associated with their key. You cannot remove or delete the ADK from a single user key in a PGP Universal Server managed environment.

If you are going to use an ADK on your PGP Universal Server, you should import it prior to generating any user keys. You should also try to avoid changing to a different ADK later on, because doing so results in some keys being associated with the old ADK and some with the new ADK. If you add or change an ADK, it is only associated with the keys of new users. Existing users do not get that ADK added to their key.

Note: ADKs are rarely used or needed outside of a PGP Universal Server-managed environment.

If you have added an ADK to your key in a stand-alone environment, use the following steps to remove an ADK from your key.

To remove an ADK

  1. Select the ADK you want to remove from the list of ADKs. The selected ADK highlights.
  2. Click the minus sign icon. A PGP Warning dialog box is displayed, asking if you are sure you want to remove the ADK.
  3. Click OK to remove the ADK. The ADK is removed.