Enrolling a user on multiple machines with PGP Encryption Desktop with SCKM Keymode (Symantec Encryption Desktop)

Article ID: 217682


Products

Desktop Email Encryption, Drive Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption

Issue/Introduction

PGP Encryption Desktop (Symantec Encryption Desktop) can be enrolled in several keymodes, each with its own behaviour.  One such keymode is Server Client Key Mode (SCKM).

This keymode differs from all the other modes because the Symantec Encryption Management Server (SEMS) holds the private key used for decryption (the encryption subkey) but not the private key used for signing.

Because of this, enrolling the same user on multiple machines needs special care and requires some extra steps.

This article will go over these steps.

For more information on SCKM, see the following article:
153215 - Understanding Server Client Key Mode (SCKM) in PGP Encryption Management Server (Symantec Encryption Management Server)

 

TIP: If any of the images of this article do not display, click the download on the bottom of this article for a PDF version.

Resolution

There are two methods you can follow to successfully enroll an SCKM user on multiple machines.

Method 1: For this method you simply export your keypair and take the keypair to the other machine. This method is the easiest and best if you are a new user and do not have any additional keys in your keyring.  If you have a lot of keys, it will be easier to use Method 2.

 

Method 2: For this method you can take a copy of your keyrings and move them over to the other machine. This method is best if you have a lot of keys in your keyring that you would also like to move over to the additional machines you will be enrolling on.

 

This document is focused on Method 1, but for Method 2, back up the keyrings and take them to the other machine.  See the "TIP" in Step 6 for information on how to back up your keyrings.  Once enrolled and finished on the first machine, copy the keyring files and take them to the second machine.

Step 1: The first step to ensure you are using this mode is to check the keymode in your policy on SEMS.  

As you can see in the screenshot below, only SCKM is selected.

This means SCKM is the only keymode allowed for users who are part of this policy:

 

Step 2: Enroll your first SCKM user by entering the credentials when the enrollment wizard pops up:

 

The enrollment process will begin for user User1:

 

Step 3: Select “I am a new user.” as this is the first time User1 has enrolled on this machine:

 

Click next:

 

 

Next, select “New Key”:

 

Enter a passphrase for the key (and don’t forget it!):

 

The key generation process will commence and once finished, click Next, and then Finish:

 

 

 

Step 4: Once this is finished, click the little padlock on the bottom right-hand corner of the screen:

 

If you don’t see the padlock, click the little ^ icon and then you should see it:

 

Click “Open Symantec Encryption Desktop”:

 

Step 5: Once the client has opened, click on PGP Keys to display the new key that has been created for User1:

 

Now right-click on User1’s key to display the key properties.  Notice the Key ID listed at the top, “0x65ECC8B6”. This is the main Key ID.

Also note that this key has two Subkeys.

The first Subkey, Key ID “0x16578355”, is used for encryption, as the padlock icon next to it shows.

The second Subkey, Key ID “0x8DE2D1E7”, is used for signing.

As this is an SCKM key, only the client has access to the signing portion. The server has access to only the encryption key (Key ID 0x16578355):

 

You can close this window for now.


Step 6: Now that we have a new key, right-click on the key, and select “Export” in preparation for enrolling on the next machine for this same user account “User1”:

 

Make sure you check the box “Include Private keys” or the process will not work:

 

Important Note: Make note of where you saved the keypair, because you will then copy this and move it to the next machine you will be enrolling User1 on.


TIP: It is also a good idea to make note of your keyrings and where they are located, and to back these up too.
Although this is not required for these steps, it is a good idea to have a backup of your keyrings:

The keyrings are typically stored in the Documents\PGP folder for the user.  As mentioned, if you are using Method 2, this is the step where you copy your keyrings and take them to the next machine.  It is a good idea to copy the entire PGP folder and simply move that to the other machine.  When you install the client, the enrollment process should see the keyrings in this location and all the rest of the steps should work.
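Two things this procedure depends on can be checked from a command prompt before the exported file is carried to the second machine: that the export really contains private-key material (Step 6, the “Include Private keys” box) and that the Key ID in the file is the one noted in Step 5, which is what Step 9 compares again on the new machine. The Python script below is an added example, not part of this article or of the PGP products; it parses an OpenPGP key export (binary .pgp or ASCII-armored .asc) with the standard library only and reports the primary Key ID, the user IDs, the subkeys and whether each key packet is a secret-key packet. The sample export it builds when run without arguments is constructed from placeholder integers and contains no real key; the file name `inspect_export.py` and the `User1.asc` path in the usage line are assumptions. Key IDs are derived as RFC 4880 v4 fingerprints, so on a real export they match what the client and SEMS display.

```python
"""Added example (not from the article or the PGP products): inspect an OpenPGP key
export, binary or ASCII-armored, and report the primary Key ID, its subkeys and
whether each carries secret material. Standard library only; the sample export
built at the bottom uses placeholder integers and contains no real key."""
import base64, hashlib, struct, sys

PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # MPIs in the public part, by algorithm ID (RFC 4880 5.5.2)

def dearmor(data: bytes) -> bytes:
    """Strip ASCII armor if present; binary input is returned unchanged."""
    text = data.decode("ascii", "replace")
    if "-----BEGIN PGP" not in text:
        return data
    body, in_body = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----END PGP"):
            break
        if not in_body:                    # skip the BEGIN line and armor headers up to the blank line
            in_body = (line == "")
        elif not line.startswith("="):     # "=XXXX" is the optional CRC24 line
            body.append(line)
    return base64.b64decode("".join(body))

def armor(data: bytes, label: str = "PRIVATE KEY BLOCK") -> bytes:
    """Wrap a packet stream in ASCII armor (CRC line omitted; it is optional since RFC 9580)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (label, lines, label)).encode("ascii")

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers, not partial body lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                                     # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                              # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def key_id(body: bytes) -> str:
    """32-bit Key ID as PGP Desktop displays it: low 4 bytes of the v4 fingerprint (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    pos = 6                                                # version(1) + creation time(4) + algorithm(1)
    for _ in range(PUBLIC_MPI_COUNT[body[5]]):             # walk the public MPIs; secret MPIs are not hashed
        pos += 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", pos) + body[:pos]).hexdigest().upper()
    return "0x" + fpr[-8:]

def inspect_key_export(data: bytes) -> dict:
    """Primary Key ID, user IDs, subkeys, and which packets carry secret material."""
    info = {"primary": None, "primary_secret": False, "user_ids": [], "subkeys": []}
    for tag, body in iter_packets(dearmor(data)):
        if tag in (5, 6):                                  # secret-key / public-key packet
            info["primary"], info["primary_secret"] = key_id(body), tag == 5
        elif tag in (7, 14):                               # secret-subkey / public-subkey packet
            info["subkeys"].append({"key_id": key_id(body), "secret": tag == 7})
        elif tag == 13:                                    # user ID packet
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

def export_is_usable_for_enrollment(data: bytes) -> bool:
    """True only if the primary key and every subkey carry secret material ("Include Private keys" ticked)."""
    info = inspect_key_export(data)
    return bool(info["primary"]) and info["primary_secret"] and all(s["secret"] for s in info["subkeys"])

# --- constructed sample export: placeholder integers with no cryptographic meaning ---
def mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_body(n: int, e: int, secret=None) -> bytes:
    """v4 RSA key packet body; with `secret`, add S2K usage 0 (unencrypted), the secret MPIs and checksum."""
    pub = b"\x04" + struct.pack(">I", 1600000000) + b"\x01" + mpi(n) + mpi(e)
    if secret is None:
        return pub
    sec = b"".join(mpi(x) for x in secret)
    return pub + b"\x00" + sec + struct.pack(">H", sum(sec) % 65536)

def build_sample_export(include_private: bool) -> bytes:
    """Primary key, one user ID and two subkeys, with (tags 5/7) or without (tags 6/14) secret material."""
    kt, st = (5, 7) if include_private else (6, 14)
    sec = (0x1234, 0xABC, 0xDEF, 0x99) if include_private else None
    packets = [(kt, key_body(0xC7B1F3, 0x10001, sec)), (13, b"User1 <user1@example.com>"),
               (st, key_body(0xC7B1F5, 0x10001, sec)),    # stands in for the encryption subkey
               (st, key_body(0xC7B1F7, 0x10001, sec))]    # stands in for the signing subkey
    return b"".join(bytes([0xC0 | tag, len(body)]) + body for tag, body in packets)

if __name__ == "__main__":   # usage: python inspect_export.py User1.asc  (no argument: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else armor(build_sample_export(True))
    print(inspect_key_export(data), "usable for enrollment:", export_is_usable_for_enrollment(data))
```

The usability check looks only at packet types (secret-key packets, tags 5 and 7, versus public-key packets, tags 6 and 14), so a passphrase-protected export still passes; an export made without “Include Private keys” contains only tags 6 and 14 and is reported as unusable. Because the fingerprint covers only the public portion of a key packet, the Key ID printed for the export is the same one the client shows on both machines, which is the comparison Step 9 asks for.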

 

 

 

Step 7: Now as the Administrator for Symantec Encryption Management Server, you will notice User1’s account has been created:

 

Click on “User1” to open the account properties and then click “Managed Keys” to expand the key properties.  Notice the Key ID as well as the keymode (SCKM):

 

User1’s account has been successfully configured with an SCKM key and we are ready for the next steps.

Step 8: On the next system User1 is going to enroll on with this SCKM key, enter the credentials in the enrollment window as you did previously; the Key Generation Wizard will then appear.

 

When you get this page, make sure you click “Import Key”.  This is where you will browse to User1’s keypair that you exported from the previous steps:

 


As you can see, User1’s key shows up in this dialog box, and the Key ID displayed matches the one noted earlier.  Browse to the keypair on this screen and click Next:

 

 

You will need to enter the passphrase for this key to show User1 is authorized to use this key:

Once you have gone through the steps click Next, and then Finish:

Step 9: Now on this new machine, open the desktop client and right-click User1’s key.  
You will notice it has all the same properties as before with the encryption key as well as the signing key:

 

If you check on the SEMS, you will also notice the keymode is still SCKM and should be good to go.

If you run into any issues with this process, please re-check the steps to ensure you did not miss a step and if you need further assistance, contact Symantec Encryption Support:

209191 - Logging a Support case for Symantec Endpoint Encryption Support

Additional Information

IMSFR-477/EPG-21774
IMSFR-580

153668 - Enroll PGP Encryption Desktop client using Directory Authentication with PGP Encryption Server (Symantec Encryption Management Server)


180181 - Re-enrolling PGP Encryption Desktop for Windows clients (Symantec Encryption Desktop)
181366 - Re-enrolling PGP Encryption Desktop for Linux Clients (Symantec Encryption Desktop)
155714 - Re-enrolling PGP Encryption Desktop for macOS X clients (Symantec Encryption Desktop)

217682 - Enrolling a user on multiple machines with PGP Encryption Desktop with SCKM Keymode (Symantec Encryption Desktop) 

153688 - Enable Silent Enrollment for PGP Encryption Desktop (Symantec Encryption Desktop)
181069 - Configure Invisible Silent Enrollment for PGP Encryption Desktop (Symantec Encryption Desktop Clients)

153437 - Using Email Enrollment for PGP Desktop Clients with the PGP Server (Symantec Encryption Management Server)
153324 - PGP Email Proxy Fails or Next Button Grayed out during Enrollment to PGP Encryption Server (Symantec Encryption Management Server)

 

Attachments

Enrolling multiple machines with SCKM _1624028648377.pdf