Products

PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption

Issue/Introduction

PGP Command Line is an effective tool for securing data. It can encrypt and sign data, as well as decrypt and verify data.

PGP Command Line is vastly scalable, the more resources you use, the more efficient PGP Command Line will be.
This makes it the perfect solution for any encryption job, small or massive.

Important Note: PGP Command Line 11.5.1 now includes license management capabilities that require registering to a PGP Encryption Server 11.5.1.
Before upgrading to PGP Command Line 11.5.1, first ensure the license for PGP Encryption Server 11.5.1 is uploaded successfully.

For information on how to download Symantec Encryption products and other related topics, see the following articles:

193931 - Downloading Symantec Encryption products from the Broadcom download Portal
206503 - Finding your license number for Symantec Encryption products

156303 -Latest Symantec Encryption Products Versions
175951 - Entering your License information for PGP Encryption Server (Symantec Encryption Management Server)
276507 - Entering your License information for Symantec Endpoint Encryption version 12 and above
180234 - Entering your license information for PGP Command Line
180213 - Entering your License information for PGP Encryption Desktop (Symantec Encryption Desktop)

Resolution

Section 1: How licensing works with PGP Command Line
Section 2: Using a license .slf file to enable PGP Command Line functionality
- PGP Command Line 11.5.1 GA and above
Section 3: Troubleshooting with PGP Command Line 11.5.1
Section 4: PGP Command Line 10.5.0 through 11.5.0 with a 28-digit license string

Section 1: How licensing works with PGP Command Line

PGP Command Line is licensed per server. For more details on this licensing, see the following article:

153245 - Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)
A server is defined as either a production system, development box, or test box. All require a license to enable all the functionality.
If you have one production server, and one non production server, you would purchase 2 copies of PGP Command Line.0

Section 2: Using a license `.slf` file to enable PGP Command Line functionality

A license number is used to enable functionality with PGP Command Line. Pay close attention to the version being licensed, as there are two methods to enter a license number currently.
One method uses a 28-digit string and the method 11.5.1 uses incorporates a license .slf file and used in conjunction with the PGP Encryption Server.

PGP Encryption Server 11.5.1 can now be used to centrally manage PGP Command Line 11.5.1 deployments. New license management functionality exists to help you know where each registered server is located.

PGP Command Line 11.5.1 GA and above

PGP Command Line requires a valid license to enable full functionality. PGP Command Line uses server-based licensing managed through the PGP Encryption Server.
Starting with version 11.5.1, new license management functionality allows administrators to know where each installation of PGP Command Line is deployed through license management.

PGP Encryption Server 11.5.1 now provides an easy way to see each registered PGP Command Line client and their registration status.
The following screenshot will display useful information to help manage each deployment and help you keep track of where each installation is located:

In the example above, the "OS Type" is Windows, and the machine hostname is "pgp.example.com" where PGP Command Line is installed and registered.
You can also see when the PGP Command Line was last registered and when it last communicated with the PGP Encryption Server.

As you register more installations of PGP Command Line, additional entries will show up.
Each copy of PGP Command Line can be installed on one server. If you own 10 copies of PGP Command Line, you can install on 10 servers.
Each copy of PGP Command Line includes full key management capabilities used with PGP Encryption Server.
For more information on this key management functionality, see the following article:

159237 - Using PGP Command Line with PGP Encryption Server for Centralized Key Management (KMS, or USP)

As with other Broadcom products, PGP Command Line 11.5.1 and above use a license .slf file that is uploaded to the PGP Encryption Server.
Once the license .slf file is uploaded to the PGP Encryption Server, the following command can then be run to enable all functionality of PGP Command Line:

pgp --register <hostname or server IP>

If the FQDN of the PGP Encryption Server is keys.example.com, then the following command would be run:

pgp --register keys.example.com

When successful, a message similar to the following will be displayed:

To show if the PGP Command Line was successfully licensed, run "pgp --version -v" and look for "License Information":

The "Valid" status indicates the license was successfully authorized.

Periodically, the PGP Command Line will automatically perform a license validation with the PGP Encryption Server for continued functionality.
It is important that the communications between the PGP Encryption Server and PGP Command Line remain open.

To manually refresh the registration, which is forcing a "check-in", run the following command:

pgp --license-refresh

When successful, the following message will appear:

"Successfully refreshed license token. New Status: valid."

This indicates everything is working properly.

Tip: Since this --license-refresh command exists, it's a good idea to incorporate this into your scripts so that if any status other than "New Status: valid", your script logic will alert you to this fix.
Then you can fix the license status as soon as possible.

With the inclusion of PGP Encryption Server for license management, the Daily Status Email will now include details about PGP Command Line.
If you have expired licenses, the Daily Status Emails will provide information on these.

Important Note: It is a good idea to keep track of when your licenses are going to expire.
Before they expire, make sure you upload a new .SLF file that has a new expiration date so that PGP Command Line never enters an "Invalid" or "Expired" state.
Doing so can affect production.

Section 3: Troubleshooting with PGP Command Line 11.5.1

Item 1: Invalid TLS Certificate Warning
If the license registration command is entered, and you get a TLS certificate warning, such as the following, it is recommended to investigate why the TLS certificate was not trusted:

The message above indicates that the PGP Encryption Server currently uses a TLS certificate which is not trusted by the system where PGP Command Line is installed.

Check the fingerprint and ensure the Root and/or Intermediate Certificates are fully trusted and validated in the local certificate store.

If you type "y" as shown in the above message, it means you recognize the TLS certificate fingerprint and want to trust the certificate anyway.
This is not recommended, and you should troubleshoot why the TLS certificate was not recognized.
Work with the PGP Encryption Server Administrator to establish proper validity and then attempt registration again until the certificate shows as fully trusted and no longer prompts to accept the invalid certificate.

Item 2: Key Management Server License Only
If the only license number uploaded to the server is for the PGP Command Line .slf, the only features that are enabled will be "PGP Command Line" and "Key Management Server":

Item 3: Communication Interval
The PGP Command Line will check in every 24 hours.
If the connection is not available, do your best to re-establish that connection to prevent functionality from being reduced.

Tip: Since this --license-refresh command exists, it's a good idea to incorporate this into your scripts so that if any status other than "New Status: valid", your script logic will alert you to this fix.
Then you can fix the license status as soon as possible.

Item 4 Daily Status Email
The Daily Status Email will inform you that the PGP Command Line license has expired.

Item 5: Concurrent Sessions
If you have a server running commands on one server, then you cannot run multiple commands from another server at the same time.
Doing so would require you to use another license for another server.

Item 6: Already registered with server: 192.168.1.100
If a PGP Command Line host has previously registered to the server, and you run the register command again, you'll get this message.
This is a benefit to the PGP Encryption Server to centrally manage because the host for PGP Command Line is already added to the server and indicates the entry is already on the PGP Encryption Server.

Section 4: PGP Command Line 10.5.0 through 11.5.0 with a 28-digit license string

pgp --license-authorize --license-number "Your license here"

If you are replacing an existing license you will need to add the following switch at the end of the command, which will replace the license number with the new one entered:

--force

If you receive the following output, it occurs when PGP Command Line was already authorized.

pgp: license authorize (2706:PGP Command Line already has a license)

If you need to replace the license number, add the "--force" option to your command:

pgp --license-authorize --license-number "Your license here" --force

Licensing PGP Command Line for Linux

If you are going to be issuing encryption/decryption commands with other profiles on a system, we recommend licensing the product as the "root" account. When this is done, all the profiles will receive the license status skipping the need to license on each individual profile.

For best operation, license as "root", otherwise, you will need to license each individual user profile separately.