Q: What is a Group Key?
A: A Group Key is a server-managed keypair shared by a group of users. A Group Key is assigned to a group based on membership in an Active Directory security group. This allows membership in the Active Directory security group to be modified without affecting the metadata associated with the protected data. To create a Group Key, the Directory Synchronization feature must be enabled and synchronized with an Active Directory database.
Q: What are the advantages of a Group Key?
- The users don't have to be added or removed manually
- The folder does not need to be re-encrypted
- The header of the files is not as large as with regular PGP keys
- No need to edit the PGP NetShare folder when a new user joins, the new user only needs to be added to the ldap group.
Q: What version of PGP Desktop and the PGP Universal Server supports the Group Key?
A: In order to be able to create and use the Group Key, you will need PGP Desktop 10.2 and PGP Universal Server 3.2. Previous versions do not support a Group Key
Q: What if I already have a Group on the PGP Universal Server and want to add a Group Key to an existing Group?
A: It is possible to add a Group Key to an existing group on the PGP Universal Server. Please refer to the following KB article on how to set up a Group Key for an existing group on the PGP Universal Server.
Q: What do I need to do if I want to create a new Group Key and a new group on the PGP Universal Server?
A: Please refer to the following KB article on how to setup a Group Key and create a new group on the PGP Universal Server.
Q: I have new PGP NetShare users in the company. How can I add the new users to the PGP NetShare folder so they can also use the Group Key?
A: You don't need to edit the PGP NetShare folder when a new user joins, the new user only needs to be added to the ldap group.
Q: Where is the private key of the Group Key stored?
A: The private key is only on the PGP Universal Server. The private key never leaves the server. The public key is copied to the clients.
Q: Are there any limitations for the Group Key?
A: Yes, there are limitations. There is no offline support for the Group Key, because the private key is on the server and a connection is needed to unlock the folder.
Once the PGP NetShare protected file is unlocked, subsequent access to protected data can be offline (no connectivity to PGP Universal Server) until user logs out.
Q: Is there a workaround so the user can use the encrypted PGP NetShare folder in an offline mode?
A: For users that need to access the data in the offline mode, include their individual keys with the Group Key and copy the encrypted files to a local PGP NetShare folder that is encrypted to local keys.
Q: What happens if I add a new Group Key?
A: If you add a new Group Key the old Group Key will be revoked first. The old files will be accessible, but all new files added to the folder will be encrypted to the new key
Q:Can the PGP NetShare user roles be used the same way with the Group Key?
A: Yes, the PGP NetShare user roles can also be used with a Group Key. For more information about the PGP NetShare user roles please refer to the following KB article.
Q: Are PGP NetShare Group Keys compatible with ADKs?
A: Yes, Group keys are fully compatible with additional decryption keys (ADKs).
Q: What is the difference between using Active Directory groups and the PGP NetShare Group Key?
A: Group keys are different than using Active Directory groups. Using a Group Key adds only the single key to a protected folder. Using an Active Directory group adds every key found for members of that group.