When an Organizational Additional Decryption Key (ADK) is updated by replacing an existing ADK with a new ADK, the new ADK is not dynamically updated on the existing Group Key. The old Organizational ADK remains on the existing Group Keys and displays as an Unknown Key.
Symantec Corporation is committed to product quality and satisfied customers. This Feature Request is currently being considered by Symantec Corporation to be addressed in a forthcoming version of the product.
Technical Support filed a Feature Request to add this product feature. Note that a feature request is exactly that, a request. There is no committed date for this request from the Encryption Product Management team, or from the Encryption Engineering team at this time.
Please be sure to refer back to this document periodically as any changes to the status of the request will be reflected here.
The steps below can be followed in order to add a new ADK to an existing Group Key for Symantec File Share Encryption. The following steps assume the current Group Key with the old ADK exists on the Symantec Encryption Management Server:
1. Login to Symantec Encryption Management Server and click on Consumers, then Groups.
2. Click on the Group which has the Symantec File Share Encryption Group Key assigned.
3. Under the Keys section of the Group, click on "View..." to view the current Symantec File Share Encryption Group Key.
4. Make note of the Key ID of the Symantec File Share Encryption Group Key, such as "0xABCD1234"--this will be important in later steps.
5. Click on the down arrow icon to export the keypair of the Symantec File Share Encryption Group Key. Be sure to choose the option "Export Keypair" when exporting--the result will be an ASC file with the extension .asc.
TIP: It is important to export the Key Pair, and not just the public portion. If only the public key is exported, the steps to modify the key will not be possible.
6. Locate a standalone client of Symantec Encryption Desktop and double-click on the .asc file to import. Upon importing, the message "Some of the imported keys are private keys..." will appear. If this message did not appear, the keypair was not exported, and step 5 should be reviewed.
NOTE: It is important to use a standalone client, which does not communicate with a Symantec Encryption Management Server so that the modification in the next steps can be possible.
7. After importing the Symantec File Share Encryption Group Key into Symantec Encryption Desktop, also import the new ADK public key you would like to assign.
8. Double-click on the existing Symantec File Share Encryption Group Key within Symantec Encryption Desktop, and under the ADK section, delete the old ADK. Next, add the new ADK to the Symantec File Share Encryption Group Key.
9. Once the new ADK has been added to the Symantec File Share Encryption Group Key, export the keypair. Right-click on the Symantec File Share Encryption Group Key, select Export, check the box "Include Private Key(s)", and then save the key.
10. Now that the new ADK has been added to the Symantec File Share Encryption Group Key, we now need to delete the old ADK off of Symantec Encryption Management Server. To do this, click on the Keys tab of Symantec Encryption Management Server, then under Managed Keys, enter the Keyid from step 4 and search--only one key should appear. Once you have confirmed the key found is the Group Key in question, check the box to the right, click on "Options" and select "Delete Selected".
CAUTION: Please be sure to choose the correct option to delete.
11. Under the Group, and then Keys section, click "View" to confirm the Symantec File Share Encryption Group Key was removed. Once the Symantec File Share Encryption Group Key with the old ADK has been deleted from the Symantec Encryption Management Server, then the Group Key with the new ADK can be uploaded.
12. To upload, click on the Group in question, click on "Group Settings", and then import the newly-updated Symantec File Share Encryption Group Key and click Save. After saving, download the key again from the server and import into a Symantec Encryption Desktop client to confirm the new ADK is now added to the Symantec File Share Encryption Group Key.