Verified Directory can allow internal users to overwrite their own private keys

Article ID: 185083

Products

Encryption Management Server

Issue/Introduction

Encryption Management Server Verified Directory optionally allows internal users to submit PGP keys.

An internal user is a user whose key contains an email domain that is listed under Consumers / Managed Domains in Encryption Management Server. For example, if the user's key has an email address of [email protected] and example.com is listed under Consumers / Managed Domains, that user is regarded as an internal user.

Verified Directory only stores public keys. If a private key is uploaded, only the public key is saved.

If an internal user submits their key with the same key ID as the key already associated with their account, the user's existing private key is replaced with the uploaded public key.

Environment

Symantec Encryption Management Server 3.3.2 MP13 and above with the Verified Directory service enabled.

Resolution

To avoid internal users effectively overwriting their own private keys, do one of the following:

  1. Do not allow Verified Directory submission by internal users. This is the default setting. If required, encourage internal users to submit their keys to the PGP Global Directory. Encryption Management Server searches the PGP Global Directory by default and it can also be searched by anyone using a web browser.
  2. Install a separate Encryption Management Server. Ensure all of the organization's email domains are listed under Consumers / Managed Domains. You can then permit internal users to submit their keys using Verified Directory.
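The following is an added illustration of the failure mode described in the Issue section and of the check behind option 1 above; it is example code written for this article, not Symantec's Verified Directory implementation. It models a key store where each entry records whether the server holds private key material, a naive submission handler that reproduces the overwrite, and a guarded handler that rejects internal submissions (the default setting) and, as an additional assumption of this example, refuses to replace an entry holding private material with a public-only upload. The managed-domain list, key IDs and email addresses are constructed sample values.

```python
"""Toy model of the Verified Directory key-submission issue (added example)."""
from dataclasses import dataclass, replace


@dataclass
class KeyEntry:
    key_id: str
    email: str
    has_private: bool  # does the server hold the private key for this entry?


# Constructed sample data: managed (internal) domains and the server's existing keys.
MANAGED_DOMAINS = {"example.com"}
STORE = {
    "0x1111AAAA": KeyEntry("0x1111AAAA", "alice@example.com", has_private=True),
    "0x2222BBBB": KeyEntry("0x2222BBBB", "bob@partner.net", has_private=False),
}


def is_internal(email: str) -> bool:
    """Internal user: the key's email domain is under Consumers / Managed Domains."""
    return email.rsplit("@", 1)[-1].lower() in MANAGED_DOMAINS


def strip_private(submitted: KeyEntry) -> KeyEntry:
    """Verified Directory only stores public keys, so private material is dropped."""
    return replace(submitted, has_private=False)


def submit_naive(store: dict, submitted: KeyEntry) -> KeyEntry:
    """Reproduces the issue: same key ID means the stored entry is replaced
    by the public-only copy, so the private key is lost."""
    store[submitted.key_id] = strip_private(submitted)
    return store[submitted.key_id]


def submit_guarded(store: dict, submitted: KeyEntry, allow_internal: bool = False) -> KeyEntry:
    """Option 1 from the article: internal users may not submit (default).
    The second check (never overwrite an entry that holds private material)
    is an assumption of this example, not a documented product behaviour."""
    if is_internal(submitted.email) and not allow_internal:
        raise PermissionError(f"internal user {submitted.email}: submission not allowed")
    existing = store.get(submitted.key_id)
    if existing is not None and existing.has_private:
        raise ValueError(f"refusing to overwrite private key for {submitted.key_id}")
    store[submitted.key_id] = strip_private(submitted)
    return store[submitted.key_id]


def demo() -> tuple:
    """Run both handlers on a copy of the store for an internal user's re-upload.

    Returns (private_lost_naive, blocked_guarded, private_kept_guarded)."""
    naive = {k: replace(v) for k, v in STORE.items()}
    guarded = {k: replace(v) for k, v in STORE.items()}
    alice_upload = KeyEntry("0x1111AAAA", "alice@example.com", has_private=True)
    private_lost = not submit_naive(naive, alice_upload).has_private
    try:
        submit_guarded(guarded, alice_upload)
        blocked = False
    except PermissionError:
        blocked = True
    return private_lost, blocked, guarded["0x1111AAAA"].has_private


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running `demo()` shows the naive handler discarding the stored private key for the internal user's key ID while the guarded handler rejects the submission and leaves the original entry intact; an external user's public key (no private material on the server) is accepted by both.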