It may be desirable to have a single PGP key that can be shared with an external recipient party to secure email for the whole organization or company. This setup applies to configurations where Symantec Encryption Desktop (formerly known as PGP Desktop) is used on each end user's machine. In other words, the Symantec Encryption Desktop client is installed on each end user's machine, has the Messaging component of encryption enabled in policy, and each end user has control of the private portion of the key imported to each system.
Using a single encryption key in this way has several considerations:
If the above has been considered, and it is still desired to use a single key to encrypt all incoming email, follow the rest of this document:
1. Under Consumers/Groups, click the desired group, then click "View" next to "Keys".
2. Click "Add Group Keys"
3. Generate or import the desired Group Key here.
Important note: The key created should not have an email address associated with it. Doing so could conflict with other keys that already exist on the SEMS which have the same email address, and could cause confusion as to which key should be used to encrypt to. Also, when providing the key to the external user, they will not need to associate the key with any particular email address, such as [email protected], as the key will be used with a specific rule on their encryption server.
4. Under Consumers/Groups, click the desired group, then click "View" next to "Permissions".
5. The key must have both of the following permissions: "Can encrypt with managed key Company.key" and "Can decrypt with managed key Company.key".
6. Share this designated key with the external sender (this is a manual process) so that encryption can take place. The external recipient encrypting to this single key must configure a mail rule on their encryption server to encrypt to this key whenever sending to your domain.
CAUTION: It is important to export only the public portion of the key to send to the recipient domain. If the private portion of the key is sent over email, the key could be compromised. To check whether the exported key file contains only the public portion, open the key.asc file with a text editor such as Notepad++. If the file contains "-----BEGIN PGP PRIVATE KEY BLOCK-----" anywhere, it is the keypair and contains the private portion of the key. Re-export the key using only the public key option, and then reconfirm that only "-----BEGIN PGP PUBLIC KEY BLOCK-----" appears in the ASCII-armored block of the key.
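The manual text-editor check above can be automated before the file leaves the organization. The following script is an added example, not part of this article or of any Symantec tool; it walks the ASCII armor headers of an exported .asc file, rejects any export that carries a private key block or is truncated, and accepts only a well-formed public-key-only export. The two embedded sample exports are constructed placeholders, not real key material.

```python
import re
from typing import List

# Constructed sample exports: armor bodies are placeholders, not real key material.
PUBLIC_ONLY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: placeholder

mQENBF...placeholder...
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
"""

# A keypair export looks like the public export with a private block appended.
KEYPAIR = PUBLIC_ONLY + """-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: placeholder

lQOYBF...placeholder...
=WxYz
-----END PGP PRIVATE KEY BLOCK-----
"""

# RFC 4880 armor header/footer lines, e.g. "-----BEGIN PGP PUBLIC KEY BLOCK-----".
ARMOR_RE = re.compile(r"^-----(BEGIN|END) PGP ([A-Z ]+?)-----[ \t]*$", re.MULTILINE)


def armor_blocks(text: str) -> List[str]:
    """Return the type of every well-formed armor block, in file order.

    Raises ValueError on a BEGIN without a matching END (or vice versa), so a
    truncated or hand-edited export is never mistaken for a clean one.
    """
    blocks, open_type = [], None
    for m in ARMOR_RE.finditer(text):
        kind, block_type = m.group(1), m.group(2)
        if kind == "BEGIN":
            if open_type is not None:
                raise ValueError(f"nested BEGIN inside {open_type}")
            open_type = block_type
        else:
            if open_type != block_type:
                raise ValueError(f"END {block_type} does not close {open_type}")
            blocks.append(block_type)
            open_type = None
    if open_type is not None:
        raise ValueError(f"unterminated {open_type}")
    return blocks


def safe_to_send(text: str) -> bool:
    """True only for a well-formed export with a public key block and no private key block."""
    try:
        blocks = armor_blocks(text)
    except ValueError:
        return False
    return "PUBLIC KEY BLOCK" in blocks and "PRIVATE KEY BLOCK" not in blocks


def check_export(path: str) -> bool:
    """Apply safe_to_send to an exported key.asc file on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return safe_to_send(f.read())
```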
If the external recipient domain is also using a Symantec Encryption Server, see article TECH149885 for information on configuring mail rules to encrypt to this single key.