Cannot upload a public key to Encryption Management Server from Encryption Desktop or PGP Command Line
search cancel

Cannot upload a public key to Encryption Management Server from Encryption Desktop or PGP Command Line


Article ID: 201374


Updated On:


Encryption Management Server Gateway Email Encryption Desktop Email Encryption File Share Encryption PGP Command Line


The Encryption Management Server Verified Directory service allows external and/or internal users to upload public keys to Encryption Management Server.

An internal user is a user whose key has an email address domain that matches any of the domains listed on the Consumers / Managed Domains page of the Encryption Management Server administration console. For example, if the Managed Domains list contains the domain, a user whose key has an email address of [email protected] is considered to be an internal user. All other keys are considered to belong to external users.

Users can upload keys to Verified Directory using its web interface.

Provided that the Encryption Management Server Keyserver service is running on the same interface as the Verified Directory service, users can also upload keys using PGP Command Line or Encryption Desktop.

PGP Command Line can upload keys over LDAP or LDAPS using the --keyserver-send switch. For example:

pgp --keyserver-send [email protected] --keyserver ldap://
pgp --keyserver-send [email protected] --keyserver ldaps://

Encryption Desktop users can upload keys by doing the following:

  1. Open Encryption Desktop. The default page is PGP Keys / All Keys.
  2. Right click on the key to upload and choose Send To.
  3. Select the name of a keyserver from the list.

By default, a managed Encryption Desktop has Symantec Encryption Server listed as one of its Send To locations. This is the Encryption Management Server that manages the client. However, attempting to upload to this location results in the error some keys could not be added to the server:

PGP Command Line may output Server is unwilling to perform errors:

# pgp --keyserver-send [email protected] --keyserver ldaps://
0x2A5147D1:keyserver send (2509:keyserver error)
ldaps:// send (3090:operation failed, Server is unwilling to perform)


Symantec Encryption Management Server, Symantec Encryption Desktop and PGP Command Line 10.5 and above.


The Symantec Encryption Server entry in the Encryption Desktop Keyservers list has a type of PGP Universal Services Protocol. It connects to Encryption Management Server over port 443. Keys cannot be uploaded using this connection, even if the Universal Services Protocol is enabled in Encryption Management Server:

Also, if the Verified Directory service and Keyserver service are not configured correctly in Encryption Management Server, neither Encryption Desktop or PGP Command Line will be able to send keys to it.



In Encryption Desktop, select Edit Keyservers from the Tools menu. Add the Encryption Management Server to Encryption Desktop as a separate Keyserver with a type of PGP Keyserver LDAP or PGP Keyserver LDAPS:

The new keyserver entry will appear in the Send To menu as one of the following, depending on whether the connection uses LDAP (port 389) or LDAPS (port 636):

  • ldap://
  • ldaps://

External user keys can then be uploaded to the new location using the Send To menu provided the Verified Directory service and Keyserver service is configured correctly on Encryption Management Server.

Starting in release 10.5.1, users can create Verified Key Directory users by uploading S/MIME certificates. This functionality needs to be enabled in order for PGP keys to be sent to the Encryption Server from Encryption Desktop, as described in article 180146 which details how to configure Verified Directory.