PGP Encryption Server (Symantec Encryption Management Server) is considered a locked box/appliance. The backend filesystem is not available and no credentials are made available to anyone by default.
In order to obtain command line access to the server, an SSH key can be configured. SSH Keys are allowed to ONLY SuperUser Administrators on the PGP Encryption server. These SuperUser accounts should be limited to only those who absolutely need to have command line access to the server. There are other levels of access that are appropriate without giving SuperUser access, so consider this role very carefully.
Command Line access is useful when working with Symantec Support, but in most other cases it is not needed. Even in the event that a security audit requires command line access, do not provide these credentials or allow anyone to access the server unless they are responsible for the data on the server itself. If the security team needs to be granted access to packages on the server, run the command for them and provide the list to them instead so that you can closely safeguard this access.
For all other scenarios where command line is necessary, this article will go over these steps.
Important Notes: Installing third-party applications, or using customized scripts outside of written/contractual approvals/agreements is not supported. The PGP Encryption Server is scanned for security and is considered a locked box. As a result, it is considered a secure device and making changes to the system could introduce security-related issues, therefore installing any third-party software is highly discouraged and is not supported.
For more information on this topic, see the following article:
Accessing the server command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications or customizations via the command line should never be done without the written permission from Broadcom and could void your Broadcom support agreement unless the following procedures are followed.
To gain command line access to the PGP Encryption Server you will need to connect using SSH with key based authentication.
One of the most popular open source SSH applications for Windows is PuTTY.
In addition to the SSH application, it includes a command line SCP (Secure Copy Protocol) client for transferring files and an application for generating keys.
Windows 10 version 1803 and above and Windows Server 2019 and above include OpenSSH for Windows. It comprises a command line SSH and SCP utility as well as a command line utility for generating keys. Therefore, this is an alternative to PuTTY, which can be run typing "ssh" into a command prompt window.
Note that if you regularly transfer files to the PGP Encryption Server, the open source WinSCP application is recommended. It is described in article 157406.
Any changes made to the server using the command line must be authorized in writing by Broadcom's Encryption Engineering team.
When in doubt, reach out to Symantec Encryption Support for further guidance.
If you make regular SSH connections to the PGP Encryption Server and/or connect to multiple servers, PuTTY is recommended because it is a Windows application and allows you to save your sessions profiles.
PGP Encryption Server supports only key based authentication using SSH. The following steps will show you how to use the various methods mentioned:
The latest stable release of PuTTY can be downloaded from here. The installation package includes a Windows application called PuTTYgen for creating keys, the PuTTY SSH application itself and a command line SCP client called pscp that you may find useful for transferring files. There are 32-bit and 64-bit versions available.
Note: You can download putty.exe and puttygen.exe and these can operate as standalone applications which will not require installation on your system.
In attempting to connect to the PGP Encryption Server via SSH, you receive an error:
"Unable to load private key file...Putty key format too new" and "Disconnected: No supported authentication methods available (server sent: publickey)"
Some of the newer versions of Puttygen create keys in a "version 3" format. PGP Encryption Server works great with Version 2. To fix this, open PuttyGen for your key, and then click the Key Top Menu, and "Parameters for saving key files...":
In the screenshot above, check the PPK file version to "2", and click OK. Now re-export the key you generated and the key can now be used for the PGP Encryption Server.