HOW TO: Skip PGP Key Creation During Enrollment


Article ID: 180250




Symantec Products




This article explains how to configure client enrollment so that internal users are not prompted to enter a passphrase for their keys.


Administrators can configure clients to use Server Key Mode (SKM) so that users are not prompted to create a key passphrase during client enrollment. In Server Key Mode (SKM), the PGP Universal Server generates and manages user keys and no passphrase is assigned to the key. The SKM key mode includes the following characteristics:


  • Users cannot manage their own keys.
  • PGP Universal Server administrators have access to private keys.
  • If a user has a PGP client installation, the user's keys are downloaded to the client at each use.
  • SKM can also be used without client installations; if there is no client installation, you must use SKM.
  • Users with SKM keys cannot read email offline when using a version below 3.2/10.2 (which implemented "offline SKM").
  • PGP NetShare does not support SKM on versions below PGP Desktop 10 and Universal Server 3.0.1.
  • In PGP Universal Gateway Email environments, existing users with SKM key mode keys who install PGP Desktop for the first time will be prompted automatically to re-enroll and create a CKM, GKM, or SCKM key.

To enable Server Key Mode (SKM) for clients


  1. Log in to the PGP Universal Server administrative interface.
  2. Click Policy > Internal Users.
  3. Select the desired user policy, then click Edit next to Key Settings.
  4. Click Management. The available key mode options are displayed.
  5. Place a checkmark next to Server Key Mode (SKM) and remove any other key modes checked.
  6. Click Save twice.

Clients of the internal user policy will not be prompted to enter a passphrase during enrollment.