ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to set up a single, central, company-wide PGP key for Email Encryption


Article ID: 181092


Updated On:


Symantec Products




It may be desirable to have a single PGP key that can be shared with an external recipient party to secure email for the whole organization or company. This setup applies to configurations where Symantec Encryption Desktop (formerly known as PGP Desktop) is used on each end user's machines.  In other words, the Symantec Encryption Desktop client is installed on each end user's machine, has the Messaging component of encryption enabled in policy, and each end user has control of the private portion of the key imported to each system.


Using a single encryption key in this way has several considerations:


  • This is not an officially supported use of the Symantec Encryption products and Symantec Support may not be able to help resolve any unforeseen issues that may occur as a result.   Using this is doing so on an AS-IS basis and At your own risk.


  • Although using encryption keys in this way is possible, it is not recommended.  It is highly recommended that each end user has his/her own encryption key, creating during the normal enrollment process and can be managed by the Symantec Encryption Management Server (SEMS - formerly known as PGP Universal Server), for which the Symantec Encryption solution was originally intended/designed.  Using this method and having each user own the same key pair prevents the SEMS from managing the key efficiently.  It is not possible to specify a mail rule on the SEMS stating email should be decrypted using a specified key.  This is the reason the Symantec Encryption Desktop client must be used, and the reason this is not a technically supported/advised method of encryption.


  • Using this method has its own security implications, such as once a user has the encryption key, there is no controlling what the end user does with the key going forward, as it is not a managed key.  It would then be possible for the end user to export the keypair and use it as the user wishes at any point in the future, whether the user should have access to the key any longer or not (including exporting the keypair and distributing to other internal users who may not be authorized to possess the key. 


  • Encrypting to a single key for an entire domain also means that for best security practice, if one of the users leaves the company, it would be recommended to no longer encrypt to that key specific key, and create a new key to take its place and distribute to each internal user once again.  It would also be necessary to notify each external recipient domain encrypting to this key that the old key must no longer be used, and the new key should be used going forward--this is a manual operation. If this is still desired, creating a new key will at least force encryption to keys only existing internal users would have, and not the old keys.  However, as mentioned, this is not entirely manageable, and security cannot be guaranteed.


  • This method does not support s/mime encryption and can only be used to encrypt to PGP keys.



If the above has been considered, and it is still desired to use a single key to encrypt all incoming email, follow the rest of this document:



1. Under Consumers/Groups click the desired group, click "View" at "Keys"

2. Click "Add Group Keys"

3. Generate or import the desired Group Key here.

Important note: The key created should not have an email address associated to it.  Doing so could conflict with other keys that already exist on the SEMS which have the same email address, and could cause confusion as to which key should be used to encrypt to.  Also, when providing the key to the external user, they will not need to associate the key to any particular email address, such as [email protected], as the key will be used with a specific rule on their encryption server.

4. Under Consumers/Groups click the desired group, click "View" at "Permissions"

5. The two required permissions of the key must be, "Can encrypt with managed key Company.key" and "Can decrypt with managed key Company.key".

6. Share this single key that has been designated, with the external sender (this is a manual process) for encryption to take place.  The external recipient performing encryption to this single key is required to configure a mail rule on their encryption server to encrypt to this key whenever sending to your domain.


CAUTION: It is important to export only the public portion of the key to send to the recipient domain.  If the private portion of the key is sent over email, this could lead to the key being compromised.  To see whether the key file exported contains only the public portion, open the key.asc file with a text editor, such as notepad ++.  If the file contains "-----BEGIN PRIVATE KEY BLOCK-----" anywhere in the file, it is the keypair and contains the private portion of the key.  Re-export the key using only the public key option, and then reconfirm only "-----BEGIN PUBLIC KEY BLOCK-----" appears in the cipher block of the key.


If the external recipient domain is also using a Symantec Encryption Server, see article TECH149885 for information on configuring mail rules to encrypt to this single key.