Access the PGP Encryption Server by using SSH (Symantec Encryption Management Server)
search cancel

Access the PGP Encryption Server by using SSH (Symantec Encryption Management Server)

book

Article ID: 153592

calendar_today

Updated On:

Products

Encryption Management Server Gateway Email Encryption PGP Key Management Server File Share Encryption Desktop Email Encryption Drive Encryption Endpoint Encryption PGP Command Line PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

PGP Encryption Server (Symantec Encryption Management Server) is considered a locked box/appliance.  The backend filesystem is not available and no credentials are made available to anyone by default. 

In order to obtain command line access to the server, an SSH key can be configured.  SSH Keys are allowed to ONLY SuperUser Administrators on the PGP Encryption server.  These SuperUser accounts should be limited to only those who absolutely need to have command line access to the server.   There are other levels of access that are appropriate without giving SuperUser access, so consider this role very carefully. 

Command Line access is useful when working with Symantec Support, but in most other cases it is not needed.  Even in the event that a security audit requires command line access, do not provide these credentials or allow anyone to access the server unless they are responsible for the data on the server itself.    If the security team needs to be granted access to packages on the server, run the command for them and provide the list to them instead so that you can closely safeguard this access.

For all other scenarios where command line is necessary, this article will go over these steps.

Important Notes: Installing third-party applications, or using customized scripts outside of written/contractual approvals/agreements is not supported.  The PGP Encryption Server is scanned for security and is considered a locked box.  As a result, it is considered a secure device and making changes to the system could introduce security-related issues, therefore installing any third-party software is highly discouraged and is not supported.

For more information on this topic, see the following article:

206673 - Can third-party software be installed on the PGP Encryption Server (Symantec Encryption Management Server)?

Resolution

Accessing the server command line for read-only purposes (such as to view settings, services, logs, processes, disk space, query the database, etc) is supported. However, performing configuration modifications or customizations via the command line should never be done without the written permission from Broadcom and could void your Broadcom support agreement unless the following procedures are followed.


To gain command line access to the PGP Encryption Server you will need to connect using SSH with key based authentication.

One of the most popular open source SSH applications for Windows is PuTTY.

In addition to the SSH application, it includes a command line SCP (Secure Copy Protocol) client for transferring files and an application for generating keys.

Windows 10 version 1803 and above and Windows Server 2019 and above include OpenSSH for Windows. It comprises a command line SSH and SCP utility as well as a command line utility for generating keys.  Therefore, this is an alternative to PuTTY, which can be run typing "ssh" into a command prompt window.

Note that if you regularly transfer files to the PGP Encryption Server, the open source WinSCP application is recommended. It is described in article 157406.

Any changes made to the server using the command line must be authorized in writing by Broadcom's Encryption Engineering team.
When in doubt, reach out to Symantec Encryption Support for further guidance.


If you make regular SSH connections to the PGP Encryption Server and/or connect to multiple servers, PuTTY is recommended because it is a Windows application and allows you to save your sessions profiles.

PGP Encryption Server supports only key based authentication using SSH.  The following steps will show you how to use the various methods mentioned:


Using PuTTY

The latest stable release of PuTTY can be downloaded from here. The installation package includes a Windows application called PuTTYgen for creating keys, the PuTTY SSH application itself and a command line SCP client called pscp that you may find useful for transferring files. There are 32-bit and 64-bit versions available.

Note: You can download putty.exe and puttygen.exe and these can operate as standalone applications which will not require installation on your system.


Create an SSH key pair

  1. Open PuTTYgen.
  2. Confirm the Parameters (at the bottom of the PuTTY Key Generator window) for the type of key to generate. The defaults of RSA 2048 bits are suitable.
  3. Create a key pair by clicking on the Generate button in the Actions section. Generate some randomness for the key by moving the mouse over the blank area.
  4. After the key generation is complete, right click in the area called Public key for pasting into OpenSSH authorized_keys file and choose Select All, then right click and choose Copy to place the public key block on the clipboard.
  5. Open Notepad and paste the public key block into the new file and then save it. For example, save the file as ssh_key.pub.
  6. Optionally, in PuTTYgen enter a passphrase for the private key in the Key passsphrase field and confirm it in the Confirm passphrase field. You will be prompted for this passphrase each time you SSH to the Encryption Management Server.
  7. Click on the Save private key button to save the private key. PuTTYgen uses the *.ppk file extension for private keys. For example, save the file as ssh_key.ppk.


Import the public key into the PGP Encryption Server

  1. Log in as a user with SuperUser role permissions to the Encryption Management Server administration console.
  2. Click on System / Administrators and click on the name of an account with a role of SuperUser. Note that keys can only be added to users with the SuperUser role.
  3. Click the + button on the right of the SSHv2 Key field. This will open the Update SSH Public Key page.
  4. Click on the Choose file button and browse to the folder containing the public key file, then double click on the file to choose it. For example, the public key may be called ssh_key.pub.
  5. Click on the Import button to import the public key.
  6. Click Save to save the changes to the SuperUser account.


SSH to PGP Encryption Server

  1. Open PuTTY.
  2. Enter the PGP Encryption Server FQDN or IP address in the Host Name (or IP address) field. For example, keys.example.com.
  3. Confirm that the Port field is set to the default of 22 and the Connection type field is set to the default of SSH.
  4. Under the Category section on the left of the application window, expand SSH and click on Auth.
  5. Click on the Browse button and select the *.ppk private key file that you created using PuTTYgen. For example, ssh_key.ppk.
  6. Under the Category section on the left of the application window, click on Session.
  7. Enter a name for the connection in the Saved Sessions field and click the Save button to save the connection. For example, keys.
  8. Click the Open button to connect to the PGP Encryption Server.
  9. When prompted for the username, enter root.
  10. The first time you log in a security warning will appear. Click Yes to continue.
  11. If you saved the private key with a passphrase, you will be prompted for it.
  12. To quit your SSH session enter exit.
  13. To open a saved session in PuTTY, simply double click on the name of a saved session.

SCP files to and from PGP Encryption Server

  1. Open a Command Prompt or Windows PowerShell.
  2. Download a file from the PGP Encryption Server using the pscp utility, passing the name of the private key as a parameter. For example, if the private key file is ssh_key.ppk located in your Documents folder, the server name is keys.example.com and you want to download a backup file called PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp located in the /var/lib/ovid/backups directory of Encryption Management Server to the Documents folder on your machine, the command would be as follows. Note the . character at the end of the command. This tells pscp to retain the source file name:
    pscp -i Documents\ssh_key.ppk [email protected]:/var/lib/ovid/backups/PGP-Universal-Backup-keys.example.com-backup-10-10-19-03-20-22.tar.gz.pgp Documents\.
  3. If you wanted to upload a file in your Documents folder called test.log to the /var/lib/ovid/customization directory of PGP Encryption Server, the command would be as follows:
    pscp -i Documents\ssh_key.ppk Documents\test.log [email protected]:/var/lib/ovid/customization


Using OpenSSH for Windows

Create an SSH key pair

  1. Open a Command Prompt or Windows PowerShell.
  2. By default, you will be in the %USERPROFILE% directory. For example, C:\Users\firstname.lastname.
  3. Optionally, change directory to the location in which you wish to store the public and private keys. For example, if you wish to store the keys in your Documents folder, enter the following:
    cd documents
  4. Generate an OpenSSH format key pair on the client using the ssh-keygen utility. For example, to generate a private key called ssh_key and a public key called ssh_key.pub do the following. You will be prompted for a passphrase. You will be prompted for this passphrase each time you SSH to the PGP Encryption Server. Press the Enter key if you do not wish to set a passphrase:
    ssh-keygen -t rsa -f ssh_key
  5. The utility will set permissions on the private key correctly so that only you have permission to access it. Therefore you may need to change the file's permissions if you move it to a new location.


Import the public key into PGP Encryption Server

  1. Log in as a user with SuperUser role permissions to the PGP Encryption Server administration console.
  2. Click on System / Administrators and click on the name of an account with a role of SuperUser. Note that keys can only be added to users with the SuperUser role.
  3. Click the + button on the right of the SSHv2 Key field. This will open the Update SSH Public Key page.
  4. Click on the Choose file button and browse to the folder containing the public key file, then double click on the file to choose it. For example, the public key may be called ssh_key.pub.
  5. Click on the Import button to import the public key.
  6. Click Save to save the changes to the SuperUser account.


SSH to PGP Encryption Server

  1. Open a Command Prompt or Windows PowerShell.
  2. Open a secure shell in PGP Encryption Server using the ssh utility, passing the name of the private key as a parameter. For example, if the private key file is ssh_key located in your Documents folder and the server name is keys.example.com, connect as follows. You will be prompted for a passphrase if your key has one:
    ssh -i Documents\ssh_key [email protected]
  3. The first time you log in a security warning will appear. Type Yes to continue.
  4. To quit your SSH session enter exit.

 

Troubleshooting

In attempting to connect to the PGP Encryption Server via SSH, you receive an error:
"Unable to load private key file...Putty key format too new" and "Disconnected: No supported authentication methods available (server sent: publickey)"


Some of the newer versions of Puttygen create keys in a "version 3" format.  PGP Encryption Server works great with Version 2.  To fix this, open PuttyGen for your key, and then click the Key Top Menu, and "Parameters for saving key files...":

In the screenshot above, check the PPK file version to "2", and click OK.  Now re-export the key you generated and the key can now be used for the PGP Encryption Server.

Additional Information

206673 - Can third-party software be installed on the PGP Encryption Server (Symantec Encryption Management Server)?