CKM Key created when only SKM key is allowed by server policy


Article ID: 153351


Symantec Products


In a PGP Universal managed environment, even though the settings for a user policy are set to allow only SKM keys, clients are prompted to create a passphrase for a key during enrollment. After successfully enrolling with the server, an SKM key is created on the server, and PGP Desktop also displays a CKM key with a different User ID for the user.

This issue occurs when a user policy on the server is configured to allow user-initiated key generation while the client key option is set to SKM only. The Allow user-initiated key generation option is enabled by default on the General card of the PGP Desktop Settings for the user policy.

When the Allow user-initiated key generation option is enabled, the client is prompted to create a passphrase for a local PGP Desktop key even though the user policy is set to allow only an SKM key.


Note: This article applies to PGP Desktop 9.5 and above managed clients and PGP Universal Server 2.5 and above.



This issue is resolved by removing the Allow user-initiated key generation permission from the user policy. Use the following steps to disable the option for the policy.


  1. Log in to the PGP Universal Server administrative interface.
  2. Click the Policy card and select Internal User Policy.
  3. Click the policy you want to edit.
  4. Click the Edit... button next to PGP Desktop Settings.
  5. On the General tab, clear the checkbox next to Allow user-initiated key generation under Permissions.
  6. Click Save to update the policy.