Best Practices for PGP Encryption Keyserver service (Symantec Encryption Management Server)
search cancel

Best Practices for PGP Encryption Keyserver service (Symantec Encryption Management Server)

book

Article ID: 214468

calendar_today

Updated On:

Products

Encryption Management Server Gateway Email Encryption Desktop Email Encryption Drive Encryption Endpoint Encryption File Share Encryption PGP Encryption Suite PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

The PGP Encryption Server Keyserver service allows remote lookups of PGP public keys and S/MIME certificates over LDAP (port 389) and LDAPS (port 636) either from the internal network or over the Internet.

It is enabled by default.

However, for many environments, it is not needed. Best security practice is to reduce the attack surface by disabling services that are not required.

Note that PGP Encryption Server 10.5 MP2 was patched to mitigate CVE-2020-25692 which affects the Keyserver service. See article 157729 for further details.

Environment

PGP Encryption Server 3.4.2 and above with the Keyserver service enabled.

Resolution

Table of Contents

By default, PGP Encryption Desktop (Symantec Encryption Desktop) clients do not use the Keyserver service in order to lookup keys.

Instead, all key lookups are done over HTTPS. Managed installations of PGP Command Line also search for keys over HTTPS by default.

The Keyserver service is required only if:

  1. Remote Internet hosts are permitted to search for keys or certificates on the Encryption Management Server.
  2. Unmanaged installations of PGP Command Line search for keys on the Encryption Management Server using LDAP or LDAPS.
  3. Third party applications search for keys or certificates on the Encryption Management Server using LDAP or LDAPS. For example, the Outlook LDAP Address Book.

To disable the Keyserver service:

  1. Log into the administration console.
  2. Click on Services.
  3. Click on Keyserver.
  4. Click on the Disable button.

Note that disabling the Keyserver service will not prevent PGP Encryption Server searching for keys on remote hosts such as PGP Global Directory using LDAP or LDAPS, providing this is permitted by the organization's firewall.

If remote Internet hosts are permitted to search for keys on the PGP Encryption Server, it is possible to restrict such access by source IP address or range. However, restricting access and still running a public key server are clearly incompatible objectives:

  1. Log into the administration console.
  2. Click on Services.
  3. Click on Keyserver.
  4. Click on the Restrict Access button for port 389 (LDAP).
  5. Enable the option Enable Access Control for Connector.
  6. Select whether to block or allow addresses.
  7. Enter the IP addresses or address ranges to block or allow.
  8. Click the Add button.
  9. Click the Save button.
  10. Repeat the process for port 636 (LDAPS).

 

 

Note on Keyserver service "Stopped", but enabled: If you do use the Keyserver service and you have the service enabled, but the service is stopped, make sure all the PGP services are running.  If they all are, then check the System, Network tab to ensure a proper TLS certificate has been assigned and if not, assign one.  Once this has been done, restart services and the keyserver service should be working again.

 

 

Troubleshooting



You may decide to delete your "keyserver.pgp.com" entries on the PGP Encryption Server settings so that whenever key lookups are performed, they are done only for internal lookups.
After upgrade, you may notice the keyservers reappear.  This is due to an upgrade routine that adds the keyserver service back. 
If you delete this entry and would not like it to reappear after an update of the PGP Server, reach out to Symantec Encryption Support and provide the following ID to be added to the request:
EPG-29644