The Encryption Management Server Keyserver service allows remote lookups of PGP public keys and S/MIME certificates over LDAP (port 389) and LDAPS (port 636) either from the internal network or over the Internet.
It is enabled by default.
However, for many environments, it is not needed. Best security practice is to reduce the attack surface by disabling services that are not required.
Note that Encryption Management Server 10.5 MP2 was patched to mitigate CVE-2020-25692 which affects the Keyserver service. See article 157729 for further details.
Symantec Encryption Management Server 3.4.2 and above with the Keyserver service enabled.
By default, Encryption Desktop clients do not use the Keyserver service to look up keys. Instead, all key lookups are done over HTTPS. Managed installations of PGP Command Line also search for keys over HTTPS by default.
The Keyserver service is required only if:
To disable the Keyserver service:
Note that disabling the Keyserver service will not prevent Encryption Management Server from searching for keys on remote hosts such as PGP Global Directory using LDAP or LDAPS, provided this is permitted by the organization's firewall.
If remote Internet hosts are permitted to search for keys on the Encryption Management Server, it is possible to restrict such access by source IP address or range. However, restricting access and still running a public key server are clearly incompatible objectives:
Note on a Keyserver service that is enabled but "Stopped": if you do use the Keyserver service and it is enabled but shows as stopped, first make sure all the PGP services are running. If they are, check the System, Network tab to ensure a proper TLS certificate has been assigned to the service and, if not, assign one. Once this has been done, restart the services and the Keyserver service should be working again.
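After disabling the Keyserver service (or restricting it by source address), an administrator will normally want to confirm from the relevant network position that LDAP (389) and LDAPS (636) no longer answer while HTTPS, which the clients actually use for key lookups, still does. The following script is an added example written for this article; it is not part of Symantec Encryption Management Server or its tooling. It assumes only standard Python sockets, the hostname passed on the command line is a placeholder, and the local-listener helper exists solely so the audit logic can be exercised offline.

```python
import socket
import sys
from contextlib import closing

# Ports the Keyserver service listens on, as stated in the article, and the
# HTTPS port that Encryption Desktop / PGP Command Line use for key lookups.
KEYSERVER_PORTS = {389: "LDAP", 636: "LDAPS"}
EXPECTED_OPEN = {443: "HTTPS"}


def port_is_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except (OSError, socket.timeout):
            return False


def audit_keyserver_exposure(host, keyserver_ports=KEYSERVER_PORTS,
                             expected_open=EXPECTED_OPEN, timeout=3.0):
    """Probe host from the caller's network position.

    Returns a dict listing Keyserver ports that still answered
    ('unexpected_open'), expected ports that did not ('missing'), and a
    summary flag 'keyserver_disabled' that is True only when no Keyserver
    port accepted a connection.
    """
    unexpected = sorted(p for p in keyserver_ports if port_is_open(host, p, timeout))
    missing = sorted(p for p in expected_open if not port_is_open(host, p, timeout))
    return {
        "host": host,
        "unexpected_open": unexpected,
        "missing": missing,
        "keyserver_disabled": not unexpected,
    }


def start_local_listener():
    """Test helper (constructed for this example): open a listening socket on an
    ephemeral loopback port. The kernel completes TCP handshakes for a listening
    socket without accept(), so this stands in for an open Keyserver port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


def free_loopback_port():
    """Test helper (constructed for this example): find a loopback port that is
    currently closed by binding and immediately releasing it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # Placeholder hostname; replace with the Encryption Management Server's
    # externally visible name and run from outside the firewall.
    target = sys.argv[1] if len(sys.argv) > 1 else "ems.example.invalid"
    report = audit_keyserver_exposure(target)
    for port in report["unexpected_open"]:
        print(f"WARNING: {KEYSERVER_PORTS[port]} port {port} still reachable on {target}")
    for port in report["missing"]:
        print(f"WARNING: {EXPECTED_OPEN[port]} port {port} not reachable on {target}")
    print("Keyserver disabled:", report["keyserver_disabled"])
```

Run the script from the Internet-facing side when the goal is to confirm the service is no longer exposed publicly, and from the internal network when the goal is to confirm it is still available to the internal hosts that need it. A "Keyserver disabled: False" result after the service was disabled in the console points at a stale firewall rule or a second listener, which is worth investigating before assuming the change took effect.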