Sharing a custom Private Key with a group of PGP Desktop (Symantec Encryption Desktop) users and PGP Server
Article ID: 273395

Products: Encryption Management Server, Desktop Email Encryption, File Share Encryption, Drive Encryption

Issue/Introduction

If a third party is encrypting files before transferring them to you, they should encrypt the files to your public key. You can then decrypt the files using PGP Zip, which is included in PGP Desktop (Symantec Encryption Desktop).

If there is a high volume of files and a team of users need to be able to decrypt the files, the third party can encrypt the files to the public keys of all users in the team.

However, the third party may only be willing or able to encrypt files to a single public key.

In this scenario, you can create a custom key for the third party to use. In order to be able to decrypt the files, each member of the team will need to import the custom private key (key pair) to their Encryption Desktop local keyring.

Environment

  • Symantec Encryption Desktop 10.5 and above.
  • Symantec Encryption Management Server 10.5 and above.

Resolution

There are three methods of accomplishing this:

  1. If your Encryption Desktop users are managed by Encryption Management Server, you can store the custom key on the server as an SKM (Server Key Mode) key; the Encryption Desktop users will then not need to use a passphrase to decrypt files.
  2. If your Encryption Desktop users are standalone, each user in the team will need to be provided with a file containing the key and with the passphrase of the key.
  3. If the third party attaches the encrypted file to an email message and you are using Encryption Management Server to decrypt inbound messages, the encrypted attachment can be decrypted by Encryption Management Server automatically and delivered to the recipient, provided the private key is present on Encryption Management Server and the recipient has permission to use it for decryption.

Creating the Custom Key

  • Open Encryption Desktop and from the File menu choose New PGP Key or type CTRL-N on the keyboard. The PGP Key Generation Assistant starts.
  • Give the key a name and primary email address. If you are using Encryption Management Server, you must provide an email address, and its domain must match one of the email domains listed in Encryption Management Server under Consumers / Managed Domains. This is because the email domain determines whether a user belongs to a managed domain, and only users in managed domains are internal users. The email address must be unique within Encryption Management Server. In addition, if your Encryption Management Server is using Directory Synchronization with Active Directory, the email address of the key must match an email address in Active Directory; otherwise you will need to temporarily disable Directory Synchronization just before you import the key.

  • You cannot make changes to the Organization Settings page. The settings here will cause the new key to be signed by the Organization key and any ADK key you are using will be added to the key. If for some reason you do not want this to occur, you would need to create the new key with a standalone installation of Encryption Desktop or with PGP Command Line.
  • Create a passphrase.
  • Press the Skip button when prompted to upload the key to the PGP Global Directory.
  • The custom key will appear in Encryption Desktop under PGP Keys / My Private Keys. Right click on the key and choose Export. Because you are exporting the private key, you must enable the option Include Private Key(s):

  • Encryption Desktop will prompt you to backup the key. There is no need, since you have already exported it.


Importing the Custom Key to Encryption Desktop from file

  • Provide the *.asc file containing the custom key to all Encryption Desktop users who need to use it to decrypt files. You might save the file in a shared network folder or simply email it.
  • Each user needs to double click on the *.asc file. Encryption Desktop will prompt them to import the key. Click on the Import button to import it:

  • The key will be imported as a CKM (Client Key Mode) key.
  • When the user tries to decrypt a file that is encrypted with that key, they will be prompted for the key passphrase.
  • The user can change the key passphrase by double clicking on the key to show its properties and then clicking on Change Passphrase. They will need to enter the existing passphrase before they can create a new passphrase.
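Before the exported *.asc file is placed in a shared folder or emailed, it is worth confirming that it really contains the key pair (and not only the public half) and that the ASCII armor was not corrupted in transit. The check below is an added example, not part of this article or of Encryption Desktop; it parses the armor format defined in RFC 4880 and runs against constructed sample blocks whose packet bodies are placeholders, not real key material.

```python
"""Sanity-check an exported OpenPGP ASCII-armored key file before distributing it."""
import base64
import re

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
PACKET_TAGS = {5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey", 14: "Public-Subkey"}

def crc24(data: bytes) -> int:
    # Radix-64 checksum from RFC 4880 section 6.1.
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(block_type: str, packets: bytes) -> str:
    # Builds an armored block; used here only to construct the sample input.
    body = base64.b64encode(packets).decode()
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {block_type}-----\n\n{body}\n={check}\n"
            f"-----END PGP {block_type}-----\n")

def inspect_armor(text: str) -> dict:
    # Header line, optional "Key: value" armor headers, blank line, body, "=CRC", footer.
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(?:[^\n]+: [^\n]*\n)*\n(.*?)\n=(\S{4})\n"
                  r"-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("not an ASCII-armored OpenPGP block")
    block_type, body, check = m.groups()
    packets = base64.b64decode(body)
    crc_ok = base64.b64decode(check) == crc24(packets).to_bytes(3, "big")
    first = packets[0]
    if not first & 0x80:
        raise ValueError("first byte is not an OpenPGP packet header")
    # New-format header: tag in low 6 bits; old-format header: tag in bits 2-5.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return {"block_type": block_type,
            "first_packet": PACKET_TAGS.get(tag, f"tag {tag}"),
            "crc_ok": crc_ok,
            "has_private_key": block_type == "PRIVATE KEY BLOCK" and tag == 5}

# Constructed samples: old-format headers for tag 5 (0x94) and tag 6 (0x98) with dummy bodies.
SAMPLE_PRIVATE = armor("PRIVATE KEY BLOCK", bytes([0x94, 0x04, 0x04, 0x01, 0x02, 0x03]))
SAMPLE_PUBLIC = armor("PUBLIC KEY BLOCK", bytes([0x98, 0x04, 0x04, 0x01, 0x02, 0x03]))
```

Run `inspect_armor` on the real export: `has_private_key` should be True and `crc_ok` True; a file that reports a Public-Key first packet was exported without Include Private Key(s).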


Importing the Custom Key to Encryption Management Server

  • Launch the Encryption Management Server management console.
  • If you are using Directory Synchronization with Active Directory and the email address of the custom key is not present in Active Directory, navigate to Consumers / Directory Synchronization and click on the Disable button to disable Directory Synchronization.

  • Navigate to Consumers / Users / Internal Users. At the bottom of the page click on the Add Internal Users button.
  • Import the file containing the custom key. You will need to enter its passphrase.
  • If you disabled Directory Synchronization, enable it again.
  • Importing the key will create an internal user with an SKM mode key:

  • Click on the user name and scroll down to Managed Keys. Confirm that it is SKM:

Assigning Permissions to the Key

  • If you want to allow a group of users to import the key to their local keyring, navigate to Consumers / Groups and click on the relevant group name. In the Permissions section, click on the View button:

  • Click on the Add Permissions button to open the Permissions page.
  • From the dropdown, select Can read key pair of. From the second dropdown select Managed Key. In the third text box start typing the name of the key you imported. For example, here the group is called Custom and the members of that group are given the permission to read the key pair of the key called Custom. Click the Save button to save the permission:

  • Users in the Custom group are now able to import the custom private key from Encryption Management Server.
  • If the third party is attaching files encrypted with the custom key to email messages and Encryption Management Server is processing such messages, the group will need the Can decrypt with permission instead of the Can read key pair of permission:

  • Once this permission is enabled then attachments will, by default, be decrypted automatically and delivered to the recipient. If you use this method then it is unnecessary for the Encryption Desktop users to have the custom key in their local keyrings.


Importing the Custom Key to Encryption Desktop from Encryption Management Server

  • Open Encryption Desktop and under PGP Keys click on Search for Keys. In the search dropdown select Email and enter the email address of the custom key (or search on Name), then click the Search button. Encryption Desktop will search Encryption Management Server for the key. Note that the custom key has a blue key fob, indicating that it is a private key:

  • Right click on the key name and choose Add To / All Keys. This will add the key to the local keyring.
  • Click on My Private Keys and the key will be listed:

  • When the user tries to decrypt a file that is encrypted with that key, they will not be prompted for a passphrase.
  • The user can create a key passphrase by double clicking on the key to show its properties and then clicking on Change Passphrase. They will not need to enter an existing passphrase before they can create a new passphrase.


Preventing Users from Exporting Keys

  • If your Encryption Desktop users are managed by Encryption Management Server, you can prevent them from exporting keys. This stops users from distributing the custom key further.
  • Launch the Encryption Management Server console and navigate to Consumers / Consumer Policy.
  • Click on the name of the Consumer Policy associated with the Group that the users are in.
  • Click on the Desktop button to edit the Encryption Desktop policy.
  • Click on the Messaging & Keys tab.
  • On the bottom of the page, disable the Key Management option and click the Save button:

  • This will hide the whole PGP Keys section from Encryption Desktop. It will also hide the New PGP Key option from the File menu.

Additional Information

IMSFR-477/EPG-21774
IMSFR-580

209776 - Integrating a shared PGP Key for multiple users on PGP Server (Symantec Encryption Management Server)

217682 - Enrolling a user on multiple machines with PGP Desktop (Symantec Encryption Desktop) with SCKM Keymode

273395 - Sharing a custom Private Key with a group of PGP Desktop (Symantec Encryption Desktop) users and PGP Server