Enrolling a user on multiple machines with Symantec Encryption Desktop with SCKM Keymode



Article ID: 217682




Products: Desktop Email Encryption; Desktop Email Encryption, Powered by PGP Technology; Drive Encryption; Drive Encryption Powered by PGP Technology; Encryption Desktop Corporate Powered by PGP Technology; Encryption Desktop Powered by PGP Technology; Encryption Desktop Professional Powered by PGP Technology; Encryption Desktop Storage Powered by PGP Technology; Encryption Management Server Powered by PGP Technology


Symantec Encryption Desktop can enroll users with several keymodes, and each keymode behaves differently.  One such keymode is Server Client Key Mode (SCKM).

This keymode differs from all the other modes because the Symantec Encryption Management Server (SEMS) holds the private key used for decryption, but not the private key used for signing.  

Because of this, special care is needed when enrolling the same user on multiple machines, and a few extra steps are required.  

This article will go over these steps.

For more information on SCKM, see the following article:
153215 - Understanding the new Server Client Key Mode (SCKM) in Symantec Encryption Management Server


TIP: If any of the images of this article do not display, click the download on the bottom of this article for a PDF version.


There are two methods you can follow to successfully enroll an SCKM user on multiple machines. 

Method 1: For this method you simply export your keypair and take the keypair to the other machine. This method is the easiest and is best if you are a new user and do not have any additional keys in your keyring.  If you have a lot of keys, it will be easier to use Method 2.


Method 2: For this method you can take a copy of your keyrings and move them over to the other machine. This method is best if you have a lot of keys in your keyring that you would also like to move over to the additional machines you will be enrolling on.


This document is focused on Method 1. For Method 2, back up the keyrings and take them to the other machine.  See the "TIP" in Step 6 for information on how to back up your keyrings.  Once enrolled and finished on the first machine, copy the keyring files and take them to the second machine.  


Step 1: The first step to ensure you are using this mode is to check the keymode in your policy on SEMS.  

As you can see in the screenshot below, only SCKM is selected. 

This means the only keymode allowed for users part of this policy will be SCKM:


Step 2: Enroll your first SCKM user by entering the credentials when the enrollment wizard pops up:


The enrollment process will begin for user Sally:


Step 3: Select “I am a new user”, as this is the first time Sally has enrolled on this machine:


Click next:



Next, select “New Key”:


Enter a passphrase for the key (and don’t forget it!):


The key generation process will commence and once finished, click Next, and then Finish:




Step 4: Once this is finished, click the little padlock on the bottom right-hand corner of the screen:


If you don’t see the padlock, click the little ^ icon and then you should see it:


Click “Open Symantec Encryption Desktop”:


Step 5: Once the client has opened, click on PGP Keys to display the new key that has been created for Sally:


Now right-click on Sally’s key to display the key properties.  Notice the Key ID listed at the top “0x65ECC8B6”. This is the main Key ID.  

Also make note that this key has two Subkeys.  

The first Key ID “0x16578355” is used for encryption, as the padlock icon next to it indicates.  

The second Key ID “0x8DE2D1E7” is used for signing.  

As this is an SCKM key, only the client has access to the signing portion. The server has access to only the encryption key (or Key ID 0x16578355):


You can close this window for now.

Step 6: Now that we have a new key, right-click on the key, and select “Export” in preparation for enrolling on the next machine for this same user account “Sally”:


Make sure you check the box “Include Private keys” or the process will not work:


Important Note: Make note of where you saved the keypair, because you will then copy this and move it to the next machine you will be enrolling Sally on.

TIP: It is also a good idea to make note of your keyrings and where they are located and back these up too.  
Although this is not required for these steps, it is a good idea to have a backup of your keyrings:

The keyrings are typically stored in the Documents\PGP folder for the user.  As mentioned, if you are using Method 2, this is the step where you copy your keyrings and take them to the next machine.  It is a good idea to copy the entire PGP folder and simply move that to the other machine.  When you install the client, the enrollment process should find the keyrings in this location and all the remaining steps should work.
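The two things this article asks you to verify in Step 5 and Step 6 (that the key is a primary key with an encryption subkey and a signing subkey, and that the export really contains the private keys) can be checked on the exported file itself before you carry it to the second machine. The following script is an added example and is not part of this article or of Symantec Encryption Desktop: it assumes the export is a standard RFC 4880 OpenPGP packet stream (binary .pgp or ASCII-armored .asc) with v4 RSA, DSA or ElGamal keys, lists every key packet with its long and short Key ID (the short form is what the client displays, e.g. 0x65ECC8B6), and reports whether the secret-key packets that the “Include Private keys” box adds are present. The sample exports at the bottom are constructed from toy integers so the script runs offline; they are structurally valid packets, not real keys.

```python
"""Inspect an exported OpenPGP keypair (RFC 4880 packets): list primary key and
subkeys with their key IDs and confirm secret-key packets are present. Added example."""
import base64
import hashlib
import struct

# Packet tags (RFC 4880 section 4.3) and number of public MPIs per algorithm
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, PUBLIC_SUBKEY = 5, 6, 7, 14
KEY_TAGS = {SECRET_KEY: "secret key", PUBLIC_KEY: "public key",
            SECRET_SUBKEY: "secret subkey", PUBLIC_SUBKEY: "public subkey"}
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA variants, ElGamal, DSA

def dearmor(data: bytes) -> bytes:
    """Decode ASCII armor (.asc) when present; binary exports pass through."""
    if not data.startswith(b"-----BEGIN"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii").splitlines():
        if line.startswith("-----END") or (in_body and line.startswith("=")):
            break                        # end marker or the 24-bit CRC line
        if in_body:
            body.append(line.strip())
        elif line.strip() == "":         # blank line closes the armor headers
            in_body = True
    return base64.b64decode("".join(body))

def read_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            hdr = {0: 2, 1: 3, 2: 5}[ltype]              # ltype 3 (indeterminate) unsupported
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def public_fields(body: bytes) -> bytes:
    """Public portion of a v4 key packet; a secret packet starts with the same bytes."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    pos = 6                                # version(1) + created(4) + algorithm(1)
    for _ in range(MPI_COUNT[body[5]]):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2 + (bits + 7) // 8
    return body[:pos]

def key_ids(body: bytes):
    """v4 fingerprint = SHA-1(0x99 || len || public fields); key ID = low 64 bits."""
    pub = public_fields(body)
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(pub)) + pub).digest()
    return "0x" + fp[-8:].hex().upper(), "0x" + fp[-4:].hex().upper()

def inspect_export(data: bytes):
    """List each key packet: kind, long and short (as the client shows) key ID, secrecy."""
    keys = []
    for tag, body in read_packets(dearmor(data)):
        if tag in KEY_TAGS:
            long_id, short_id = key_ids(body)
            keys.append({"kind": KEY_TAGS[tag], "key_id": long_id, "short_id": short_id,
                         "secret": tag in (SECRET_KEY, SECRET_SUBKEY)})
    return keys

def has_private_material(keys) -> bool:
    """True only if the primary secret key and at least one secret subkey were exported."""
    kinds = {k["kind"] for k in keys}
    return "secret key" in kinds and "secret subkey" in kinds

# Constructed sample exports with toy integers: structurally valid packets, not real keys.
def mpi(v: int) -> bytes:
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    head = bytes([0xC0 | tag]) if new_format else bytes([0x80 | (tag << 2)])
    return head + bytes([len(body)]) + body          # one-octet length, body < 192

def rsa_public(n: int, e: int = 65537) -> bytes:     # v4, fixed creation time, algo 1 (RSA)
    return b"\x04" + struct.pack(">I", 0x60D0E000) + b"\x01" + mpi(n) + mpi(e)

def rsa_secret(pub: bytes, d: int) -> bytes:         # S2K usage 0: unencrypted + checksum
    return pub + b"\x00" + mpi(d) + struct.pack(">H", sum(mpi(d)) & 0xFFFF)

PRIMARY_PUB, SUBKEY_PUB = rsa_public(0xC0FFEE1234567), rsa_public(0xBADC0DE9876543)
PUBLIC_ONLY_EXPORT = packet(PUBLIC_KEY, PRIMARY_PUB) + packet(PUBLIC_SUBKEY, SUBKEY_PUB)
KEYPAIR_EXPORT = (packet(SECRET_KEY, rsa_secret(PRIMARY_PUB, 0x1234))
                  + packet(SECRET_SUBKEY, rsa_secret(SUBKEY_PUB, 0x5678), new_format=False))
ARMORED_EXPORT = (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n"
                  + base64.b64encode(KEYPAIR_EXPORT) + b"\n-----END PGP PRIVATE KEY BLOCK-----\n")
```

To use it on a real export, read the .asc or .pgp file as bytes, pass it to inspect_export(), and compare the short Key IDs it prints with the ones shown in the client's key properties; if has_private_material() returns False, the export was made without “Include Private keys” and the import on the second machine will not work. The Key ID is derived only from the public fields, which is why the public-only and keypair exports of the same key report identical IDs.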




Step 7: Now as the Administrator for Symantec Encryption Management Server, you will notice Sally’s account has been created:


Click on “Sally” to open the account properties and then click “Managed Keys” to expand the key properties.  Notice the Key ID as well as the keymode (SCKM):


Sally’s account has been successfully configured with an SCKM key and we are ready for the next steps.

Step 8: On the next system Sally is going to enroll on with this SCKM key, authenticate the enrollment window as you did previously and then you will see the Key Generation Wizard. 


When you get this page, make sure you click “Import Key”.  This is where you will browse to Sally’s keypair that you exported from the previous steps:


As you can see, Sally’s key shows up in this dialog box, and the Key ID shown matches the one noted earlier.  Browse to the keypair on this screen and click Next: 



You will need to enter the passphrase for this key to show Sally is authorized to use this key:

Once you have gone through the steps click Next, and then Finish:

Step 9: Now on this new machine, open the desktop client and right-click Sally’s key.  
You will notice it has all the same properties as before with the encryption key as well as the signing key:


If you check on SEMS, you will also notice the keymode is still SCKM, and the account is ready to use.

If you run into any issues with this process, please re-check the steps to ensure you did not miss a step and if you need further assistance, contact Symantec Encryption Support:

209191 - Logging a Support case for Symantec Endpoint Encryption Support




Additional Information

For another interesting walkthrough, see the following article for using a shared key for multiple users:
209776 - Integrating a shared PGP Key for multiple users on Symantec Encryption Management Server


Attachment: Enrolling multiple machines with SCKM _1624028648377.pdf