HOW TO: Re-enroll Symantec Encryption Desktop for Linux Clients


Article ID: 181366



Please see article HOWTO42122 for information on how to Install Symantec Encryption Desktop (SED) for Linux, which also contains information on how to enroll a client on the Linux operating system.


When Symantec Encryption Desktop (SED) for Linux is enrolled and configured, a file called PGPprefs.xml is created in the .pgp directory, which is located in the user's home directory. The PGPprefs.xml file contains all the configuration information pertaining to the client. If the SED client is enrolled to a Symantec Encryption Management Server (SEMS), then all policy applied to the client is controlled through this PGPprefs.xml file.


In some cases, it may be necessary to re-enroll an SED client for Linux. This article explains how to do so.


Prerequisite: Symantec Encryption Desktop has already been installed on the Linux client.


Re-enrolling to the Symantec Encryption Management Server for a client configured by SEMS (managed client)


1. Navigate to the .pgp directory where the PGPprefs.xml file is stored:

cd ~/.pgp

2. The working directory should now be the .pgp directory in the user's home directory (<user's home directory>/.pgp).

3. If the original PGPprefs.xml file is needed for any reason, back it up to a new location; otherwise, remove it:

rm PGPprefs.xml

A prompt will appear to confirm removal of the PGPprefs.xml file. If a prompt to remove any other file appears, enter "n". Otherwise, enter "y" to confirm removal of the PGPprefs.xml file.

4. Run the following command to re-enroll the SED client:

pgpenroll --enroll

5. Enter the username and password of the user being enrolled.

6. Once enrolled, the client is configured with the policy managed by the SEMS.

7. Run the following command to confirm communication to the SEMS is successful:

pgpenroll --check-enroll

If communication is not successful, a message similar to the following will appear:

Error code -11097: connection not available.

If the output of this command ends with "Done.", then communication to the server is successful.


Enrolling to a different Symantec Encryption Management Server, or converting from standalone to managed

If enrolling to a SEMS that has a different hostname than the one the SED client originally enrolled to, follow these steps:

1. Navigate to ~/.pgp as described in the above steps.

2. Grep the PGPprefs.xml file to confirm which SEMS this client is currently configured to enroll to:

grep -i ovid PGPprefs.xml

This returns a string value that lists the hostname of the SEMS the SED client is currently configured to. The hostname following "ovid=" is the name of the SEMS server the SED client is communicating with. If this is different from the SEMS needed, move or remove the PGPprefs.xml file so that a new one can be created as described in the previous steps.

3. Run the following command to configure the new hostname (Note: this must be run as root):

pgpconfigure "ovid=FQDN-of-new-SEMS-here&mail=*&admin=1"

4. Reboot the machine.

CAUTION: It is important to reboot after running the "pgpconfigure" command. Failing to do so will prevent the Symantec Encryption Desktop client from sending Drive Encryption data, such as the hostname of the machine being encrypted, to the SEMS. Subsequent reboots will eventually send the logging data, but the timing for when this data will show up on the SEMS cannot be guaranteed. As a result, it is necessary to reboot the client machine directly after the "pgpconfigure" command has been run, whether converting a standalone client into a managed installation or enrolling to a new SEMS.


5. Now that the system has been rebooted, run the enrollment command to enroll to the new hostname and follow the prompts as specified in the previous steps:

pgpenroll --enroll

Note: If pgpconfigure does not run, or reports "pgpconfigure: command not found", the actual script is located in /usr/sbin/ and can be run from that path, as in the following command:

/usr/sbin/pgpconfigure "ovid=FQDN-of-new-SEMS-here&mail=*&admin=1"
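As an added example (not from this article or the Symantec product), the following POSIX shell helpers wrap the checks used in both procedures above: reading the SEMS hostname that follows "ovid=" in PGPprefs.xml, deciding whether the file must be moved aside before enrolling to a different SEMS, backing it up instead of deleting it, and interpreting the output of pgpenroll --check-enroll. The PGPprefs.xml layout and the example.com hostnames are constructed; only the "ovid=" string and the "Done." / "Error code" messages come from the article, and the real pgpenroll and pgpconfigure calls are left to the steps above.

```shell
#!/bin/sh
# Added example, not from the Symantec article: helpers around the manual
# re-enrollment steps. The PGPprefs.xml layout below is constructed; the
# article only shows that the file contains an "ovid=<hostname>" string.

# Hostname following "ovid=" in a PGPprefs.xml file (cf. grep -i ovid).
# Prints nothing if no ovid= value is present.
configured_sems() {
    grep -i 'ovid=' "$1" | sed -n 's/.*ovid=\([^&<"]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the prefs file must be moved aside before enrolling:
# the configured SEMS differs from the wanted FQDN, or none is configured.
needs_reenroll() {
    current=$(configured_sems "$1")
    [ "$current" != "$2" ]
}

# Move PGPprefs.xml aside instead of rm'ing it so it can be restored.
# Prints the backup path.
backup_prefs() {
    dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    mv "$1" "$dest" && printf '%s\n' "$dest"
}

# Interpret captured "pgpenroll --check-enroll" output: the article states
# success ends with "Done." and a failure shows an "Error code ..." line.
check_enroll_ok() {
    last=$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | tail -n 1)
    [ "$last" = "Done." ]
}

# Constructed sample prefs file pointing at an old SEMS (example.com names).
WORK=$(mktemp -d)
SAMPLE="$WORK/PGPprefs.xml"
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0"?>
<prefs>
  <string>ovid=sems-old.example.com&amp;mail=*&amp;admin=1</string>
</prefs>
EOF

# Dry run of the decision logic (the real pgpenroll/pgpconfigure calls are
# omitted; run them as in the steps above once the file has been moved aside).
if needs_reenroll "$SAMPLE" sems-new.example.com; then
    echo "configured SEMS: $(configured_sems "$SAMPLE") -> must re-enroll"
fi
```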