What happens when the ADK for the Organization Expires on the PGP Server with the PGP Desktop?
Article ID: 266503

Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article covers what happens when an organization's Additional Decryption Key (ADK) expires, and what to do if this happens.


For more details on the ADK and General Guidelines, see the following article:

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server

Resolution

When the ADK for an organization is about to expire, review the key immediately.  As the ADK Guidelines state, an ADK should not have an expiration date.  One major reason is that when an ADK is configured on the PGP Server for the organization, the ADK is automatically added to each end user's individual key.

Once the ADK is bound to a user's key, every subsequent encryption operation encrypts to the recipients the user selects and, automatically, to the ADK as well.

If the ADK expires, the client can no longer encrypt to it, and because the ADK is a mandatory recipient, the encryption operation fails altogether.  This blocks new encryption for every user whose key carries the ADK, so it is important to remedy the situation as quickly as possible.
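The two checks an administrator wants from the paragraphs above are: is the ADK expired or about to expire, and will encryption still succeed once the ADK is appended to the recipient list. The following is an added example, not Symantec code and not how PGP Desktop is implemented internally; it uses the GnuPG `--with-colons` listing format (field 7 is the expiration time in epoch seconds, empty meaning "never"; field 12 lists key capabilities) as a convenient machine-readable way to inspect OpenPGP key expiration, and the listing, key IDs and user IDs below are constructed sample data. The helper names (`parse_listing`, `check_encryption`, `adk_report`) are this example's own.

```python
"""Audit an ADK's expiration and emulate the client's "ADK is always a recipient" rule.

Added example, not Symantec code. The listing below is a constructed sample of
`gpg --with-colons --list-keys` output: an organization ADK whose expiration has
passed, and an ordinary user key with no expiration date.
"""
from datetime import datetime, timezone

# Constructed sample listing. Field layout (1-based) for pub/sub records:
# 1=record type, 2=validity, 3=bits, 4=algo, 5=key ID, 6=created (epoch),
# 7=expires (epoch, empty = never), 12=capabilities (e/s/c = encrypt/sign/certify).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:e:3072:1:1111111111111111:1600000000:1690000000::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:e::::1600000000::0123456789ABCDEF::Example Corp ADK <adk@example.com>::::::::::0:
sub:e:3072:1:2222222222222222:1600000000:1690000000:::::e::::::23:
pub:u:3072:1:3333333333333333:1650000000:::u:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3333333333333333:
uid:u::::1650000000::FEDCBA9876543210::Alice Example <alice@example.com>::::::::::0:
sub:u:3072:1:4444444444444444:1650000000::::::e::::::23:
"""
ADK_ID = "1111111111111111"  # constructed: the organization ADK in the sample


def utc(year, month, day):
    """Build a timezone-aware UTC datetime (used as the 'now' reference)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _epoch(field):
    """GnuPG prints epoch seconds; an empty expiration field means the key never expires."""
    return int(field) if field else None


def parse_listing(text):
    """Parse pub/sub/uid records of a colon listing into a dict keyed by primary key ID."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":") + [""] * 12  # pad so short records cannot raise IndexError
        if f[0] == "pub":
            current = {"keyid": f[4], "validity": f[1], "created": _epoch(f[5]),
                       "expires": _epoch(f[6]), "caps": f[11], "uid": None, "subkeys": []}
            keys[f[4]] = current
        elif f[0] == "sub" and current is not None:
            current["subkeys"].append({"keyid": f[4], "expires": _epoch(f[6]), "caps": f[11]})
        elif f[0] == "uid" and current is not None and current["uid"] is None:
            current["uid"] = f[9]  # first uid record is the primary user ID
    return keys


def expiry_status(expires, now, warn_days=90):
    """Classify an expiration time as ('never'|'expired'|'expiring'|'ok', days_until_expiry)."""
    if expires is None:
        return "never", None
    days = (datetime.fromtimestamp(expires, tz=timezone.utc) - now).days
    if days < 0:
        return "expired", days
    if days <= warn_days:
        return "expiring", days
    return "ok", days


def key_usable_for_encryption(key, now):
    """A key can be encrypted to only if its primary key is unexpired and it has at
    least one unexpired encryption-capable key (a subkey, or the primary itself)."""
    if expiry_status(key["expires"], now)[0] == "expired":
        return False
    candidates = [s for s in key["subkeys"] if "e" in s["caps"]]
    if "e" in key["caps"]:
        candidates.append(key)
    return any(expiry_status(c["expires"], now)[0] != "expired" for c in candidates)


def check_encryption(recipient_ids, adk_id, keys, now):
    """Emulate the client rule: the ADK is always appended to the recipient set, and
    the whole operation fails if any recipient (ADK included) cannot be encrypted to.
    Returns (ok, list of user IDs that block encryption)."""
    blocking = [keys[k]["uid"] for k in list(recipient_ids) + [adk_id]
                if not key_usable_for_encryption(keys[k], now)]
    return (not blocking, blocking)


def adk_report(keys, adk_id, now, warn_days=90):
    """The scheduled check an administrator wants: the ADK's own expiration state."""
    return expiry_status(keys[adk_id]["expires"], now, warn_days)[0]


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    now = utc(2024, 1, 15)
    print("ADK status:", adk_report(keys, ADK_ID, now))
    print("encrypt to Alice:", check_encryption(["3333333333333333"], ADK_ID, keys, now))
```

Run against a real keyring by replacing `SAMPLE_LISTING` with the output of `gpg --with-colons --list-keys` and `ADK_ID` with the organization's ADK key ID; a status of `expiring` (inside the warning window) is the moment to follow the procedure below, before users start seeing failed encryptions.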


Consider the following screenshot where the ADK is expired:

In the screenshot, the key carries a "Clock" overlay icon, which indicates that the key is expired.


When attempting to encrypt a file, notice that the ADK is automatically included in the recipient list, but is shown as expired:


Click OK in this dialog box, and output the file to a convenient location:

Notice that the encryption fails because the ADK has expired:


Because an expired ADK can cause problems in a working environment, follow the ADK guidelines and do not give the ADK an expiration date.

Expiration dates make sense in a very dynamic environment where many keys are used and rotated.  If there is no need to change the ADK, there is no reason to have an expiration date on it.


To fix the ADK, go to a machine with PGP Desktop installed that is not enrolled with a PGP server.  This ensures the ADK is "standalone" and will not have any other attributes added to it, such as other ADKs.
You want the ADK to be completely separate from any other key, so a standalone machine is advised.

Import the keypair of the ADK, then in Keys double-click the key itself, click the "Expires" drop-down and select "Never" so the key will not expire in the future.

Again, an expiration date is recommended only where there are many keys at play in a very dynamic environment, because ADK rotation should not be done frequently.
The reason is that machines that are offline will not receive the new ADK, so unless the ADK is compromised, it is advised to set the expiration to "Never".


You will be prompted for the passphrase of the ADK:

Once this is done, the key's expiration date is set to "Never":

Now when you encrypt, the ADK is usable again:


Reencrypting Existing Data

If you have replaced the old ADK with a new one, existing data is not automatically re-encrypted.

All data encrypted before the change is still encrypted to the old ADK only.  That data will need to be re-encrypted for the new ADK to be of any use for it.

Depending on the scenario, this may be a difficult task, so keep the old ADK keypair (stored securely) even after replacing it, because you will likely need both the old and the new ADK for future decryption.

For File Share Encryption, shares will need to be re-encrypted with the new ADK before it can be used to decrypt them.

We recommend the use of Group Keys for administrators and users to help minimize this need, but re-encryption is still required to start using the new ADK on already-encrypted shares.


_____________________________________________________________________________________________

Important Note: If the ADK uploaded to the PGP Server has expired, clear the expiration value on a standalone PGP Desktop client as described above and export the updated key from that client.

Then upload the key to the PGP Server to replace the copy already there.  The updated ADK should then be available on the server, and once the PGP Desktop clients check in, the ADK on each user's key should be updated.

To this end, for a detailed process on how to change the ADK, refer to the following article as special conditions apply, including having the proper version of the PGP Desktop and PGP Server software:

247825 - Replacing or Updating an Additional Decryption Key on Symantec Encryption Management Server may not clean up old ADKs

As mentioned in the above KB, for best results it is highly recommended to update to 10.5.1 MP1 before attempting to change the ADK.  On older versions the results may vary and cannot be guaranteed.
If you are on PGP Client 10.4.2, upgrade to 10.5.1 MP1 first.  See the article above for further guidance or reach out to Symantec Encryption Support.

_____________________________________________________________________________________________

Additional Information

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server

153477 - Import an ADK to Symantec Encryption Management Server (aka PGP Universal Server)

247825 - Replacing or Updating an Additional Decryption Key on Symantec Encryption Management Server may not clean up old ADKs

266503 - What happens when the ADK for the Organization Expires on the PGP Server with the PGP Desktop?