Replacing or Updating an Additional Decryption Key on the PGP Encryption Server may not clean up old ADKs (Symantec Encryption Management Server )
Article ID: 247825

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

With PGP 10.5.1 and older, when an ADK was replaced or updated, the following conditions may have been observed:

1. Old ADK can be manually deleted by the user (not automatically deleted).
2. Old ADKs may still be present in the user's local keyring.
3. Old ADKs may still be present on the ADK card in the user's key properties, as shown in the screenshot above.
4. New ADK is used for new encryption and updated to the user's local keyring.
5. New ADK cannot be deleted by the user (prohibited by policy).
6. The Master key is updated with the new ADK(s).


Locations to replace or update the ADK on the PGP Server:
Organization ADK: On the PGP Server, click Keys, then Organization Keys, and upload the new ADK.

Policy ADK: On the PGP Server, click Consumers, then Consumer Policy, and select the applicable policy on the PGP Encryption Server (Symantec Encryption Management Server).



It is important to understand the concepts and guidelines for ADKs in general before reviewing this article. 

For a more detailed explanation of what an ADK is and the guidelines for creating and using an ADK, see the following article:

153511 - Additional Decryption Key (ADK) Guidelines for the PGP Encryption Server

In this scenario, the old ADK may still exist on the user's ADK card of their key properties:


In the screenshot above, you can see the "OLD ADK" is listed and in this scenario, it needs to be replaced with a new ADK. 

Upon uploading the new ADK to the PGP server and after the PGP Client downloads policy, you may end up with two ADKs listed on the user's ADK card of the Key Properties or some variation of this behavior (the desired result should be only the newly-updated ADK):

In the user's local keyring, you will still have the old ADK along with the new ADK:

 

Users are prohibited from deleting Additional Decryption Keys from their local keyrings once they are designated as the official ADK in Policy or as the Organization ADK.  

Once a new ADK is designated, the PGP Desktop client will allow the old ADK to be deleted manually.

Resolution

 

We will now explore the behavior before PGP Encryption Server 10.5.1 MP1 and the behavior with the improved functionality.

Important Note: Upgrading the PGP Server does not require you to replace the ADK. However, PGP Server 10.5.1 MP1 and later have functionality that makes replacing ADKs much more convenient and automatic.

 



Scenario 1 of 2: ADK was changed *prior* to upgrading to 10.5.1 MP1 (From PGP versions 10.5.1 and older):
(Both Client and Server on 10.5.1 or older versions)


Note: The main improvement is that the ADK card on the user's Key Properties is updated with the new ADK:

1. New ADK will be updated to the ADK card on the user's key properties. Only ADKs associated with Consumer Policy or Organization Keys will be present.
2. New ADK is used for new encryption and updated to the user's local keyring.
3. New ADK cannot be deleted by the user (prohibited by policy).
4. Old ADKs are removed from the ADK card on the user's key properties.
5. Old ADK can be manually deleted by the user (not automatically deleted).
6. The Master key is updated with the new ADK(s).
7. The old ADK is not removed from the local keyring.
It is recommended to delete the old ADK for best security, as it is not cleaned up automatically in this scenario.
To have this cleaned up automatically, update the PGP Desktop clients to 10.5.1 MP1 or above (see Scenario 2 below).

 

 

Scenario 2 of 2: ADK is changed and 10.5.1 MP1 is already being used:
(Both Client and Server on 10.5.1 MP1 or higher versions)

All of the conditions apply to this scenario as in Scenario 1, except the old ADKs will also be removed from the user's local keyring.

This is possible because 10.5.1 MP1 includes logic that will keep track of ADKs going forward and if they are changed, it will identify the old ADKs and remove them automatically in all locations.

 



Key Passphrase Caching Requirements

The improved functionality in 10.5.1 MP1 relies on key passphrase caching requirements to update the new ADK on the user's ADK card of the key properties.

Note: This does not apply to users with the SKM keymode as this all happens automatically behind the scenes.

 

For GKM, CKM, or SCKM keymodes, the following will expedite the ADK card update process.

You can force the key passphrase to be cached by signing a file or by decrypting some content encrypted to the key in question.  

Once the passphrase is cached, you can force a policy update, or wait for the scheduled policy update and the ADK card tab will then be updated.


Step 1: To tell whether a passphrase is cached, hover over the PGP Padlock icon next to the clock in the system tray and check whether a key is associated with the lock:

Not Cached:

Cached:

 

Step 2: To sign a file, right-click any test file on the system, choose "Symantec Encryption Desktop", then click "Sign as..."

You will see the following screen come up:

Enter the passphrase and click Next and the window will go away.  Now the passphrase should be cached:

 


Step 3: Now click the "Update Policy" option on the PGP Padlock icon, and the Policy ADK will be updated to the user's ADK card on key properties.
Note: You can also wait for the scheduled policy update interval to take place.

Step 4: You should now see the following take place:

* The keyring is updated with the new ADK(s).
* The old ADK is removed automatically from the user's local keyring (see Scenario 2 above).
* The old ADK is removed from the ADK card on the Key Properties and the new ADK is added.


Reencrypting Existing Data

If you have replaced the old ADK with a new one, this will not automatically reencrypt all the data.

For example, all data before the change will still be encrypted to the old ADK.  Data will need to be re-encrypted to the new ADK.

Depending on the scenario, this may be a difficult task, so make sure to keep your old ADK around even after replacing it, because you will likely need both ADKs for future decryption.

For File Share Encryption, shares will need to be reencrypted with the new ADK for this to be used.

We do recommend the use of Group Keys for Administrators and Users, to help minimize this need, but this would be required to start using the new ADK on encrypted shares.

 

 

Troubleshooting:

If you have tried the above key caching and this still does not work, 10.5.1 MP1 also includes new functionality to force the above to take place by adjusting a registry parameter.



Step 1: In the registry, change the following value to 0:

Computer\HKEY_CURRENT_USER\SOFTWARE\PGP Corporation\PGP\MaintenanceFlag


Step 2: Exit the PGP services and restart them:


Step 3: Cache the passphrase as per the steps mentioned above.

The ADK will then be updated as soon as the passphrase is cached.
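As an added example (not part of the original article), Steps 1 and 2 above as a PowerShell script run in the affected user's session: it records the current MaintenanceFlag value, sets it to 0, restarts the PGP services and verifies the change. The service names are matched with a display-name wildcard and are an assumption, not taken from the article.

```powershell
# Added example, not Symantec's own tooling. Run as the user whose ADK card
# needs updating (the value lives under HKEY_CURRENT_USER); restarting
# services additionally needs an elevated prompt.
$regPath = 'HKCU:\SOFTWARE\PGP Corporation\PGP'   # key path from the article
$name    = 'MaintenanceFlag'

if (-not (Test-Path $regPath)) {
    throw "Registry key '$regPath' not found. Is PGP Desktop installed for this user?"
}

# Record the current value so the change can be reverted if needed.
$before = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current ${name}: $before"

# Step 1 from the article: set the flag to 0.
Set-ItemProperty -Path $regPath -Name $name -Value 0

# Step 2 from the article: restart the PGP services. The display-name
# pattern is an assumption; check Get-Service on your build if it matches nothing.
$pgpServices = Get-Service | Where-Object { $_.DisplayName -like 'PGP*' }
if (-not $pgpServices) {
    Write-Warning 'No PGP services matched; restart them manually via services.msc.'
}
foreach ($svc in $pgpServices) {
    Restart-Service -Name $svc.Name -Force
    Write-Host "Restarted service $($svc.Name)"
}

# Verify before moving on to Step 3 (caching the passphrase in the UI).
$after = (Get-ItemProperty -Path $regPath -Name $name).$name
if ($after -ne 0) { throw "$name is still $after; the registry change did not apply." }
Write-Host "$name is 0. Now cache the key passphrase (e.g. sign a test file) to trigger the ADK update."
```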



If you need any further assistance on replacing the ADK, reach out to Symantec Encryption Support for further guidance.  

Additional Information

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server

153477 - Import an ADK to Symantec Encryption Management Server (aka PGP Universal Server)

247825 - Replacing or Updating an Additional Decryption Key on Symantec Encryption Management Server may not clean up old ADKs

266503 - What happens when the ADK for the Organization Expires on the PGP Server with the PGP Desktop?


Tip: For information on where to download the latest version of the PGP Encryption software, see the following article:

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

EPG-26049
EPG-27573