The PGP Encryption Server Keyserver service allows remote lookups of PGP public keys and S/MIME certificates over LDAP (port 389) and LDAPS (port 636) either from the internal network or over the Internet.
It is enabled by default.
However, for many environments, it is not needed. Best security practice is to reduce the attack surface by disabling services that are not required.
Note that PGP Encryption Server 10.5 MP2 was patched to mitigate CVE-2020-25692 which affects the Keyserver service. See article 157729 for further details.
PGP Encryption Server 3.4.2 and above with the Keyserver service enabled.
By default, PGP Encryption Desktop (Symantec Encryption Desktop) clients do not use the Keyserver service in order to lookup keys.
Instead, all key lookups are done over HTTPS. Managed installations of PGP Command Line also search for keys over HTTPS by default.
The Keyserver service is required only if:
To disable the Keyserver service:
Note that disabling the Keyserver service will not prevent PGP Encryption Server searching for keys on remote hosts such as PGP Global Directory using LDAP or LDAPS, providing this is permitted by the organization's firewall.
If remote Internet hosts are permitted to search for keys on the PGP Encryption Server, it is possible to restrict such access by source IP address or range. However, restricting access and still running a public key server are clearly incompatible objectives:
Note on Keyserver service "Stopped", but enabled: If you do use the Keyserver service and you have the service enabled, but the service is stopped, make sure all the PGP services are running. If they all are, then check the System, Network tab to ensure a proper TLS certificate has been assigned and if not, assign one. Once this has been done, restart services and the keyserver service should be working again.
You may decide to delete your "keyserver.pgp.com" entries on the PGP Encryption Server settings so that whenever key lookups are performed, they are done only for internal lookups.
After upgrade, you may notice the keyservers reappear. This is due to an upgrade routine that adds the keyserver service back.
If you delete this entry and would not like it to reappear after an update of the PGP Server, reach out to Symantec Encryption Support and provide the following ID to be added to the request:
EPG-29644