This article explains the key modes available for Symantec Encryption Desktop (formerly PGP Desktop) when it is managed by a Symantec Encryption Management Server (SEMS, formerly PGP Universal Server). The description of each key mode covers its advantages, usage, and applicability.
SEMS provides four key modes for managed Symantec Encryption Desktop clients: CKM, GKM, SKM, and SCKM. The modes differ in where the private key is generated, where it is stored, and who can use it without the end user's cooperation. SEMS 3.0 and later add functionality for SKM keys, with improved behavior often referred to as "Offline SKM". Each mode is described below.
CKM (Client Key Mode)
The chief advantage of a CKM key is that only the end user holds the private key and its passphrase. The user is in complete control of the private key; SEMS holds only the public portion. This mode suits experienced users with high security requirements, or decentralized deployments in which the server must not manage the private key on the user's behalf.
With a CKM key, all management and backup of the key happens on the client computer: the key is generated and managed only by Symantec Encryption Desktop (PGP Desktop) on that machine. The corollary is that SEMS cannot recover the key if the user loses the keypair or forgets the passphrase.
GKM (Guarded Key Mode)
A GKM key is similar to a CKM key in that encryption and decryption occur on the Symantec Encryption Desktop client. The advantage of GKM over CKM is that a passphrase-protected copy of the keypair is stored on SEMS. The server therefore holds a backup that is available for recovery, but the private key can only be recovered by someone who knows the key's passphrase.
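The GKM property worth understanding is that the server's copy is useless on its own: recovery requires the passphrase. The following added example (not Symantec code; the wire format and the HMAC-based counter-mode cipher are illustrative stand-ins for OpenPGP's S2K-protected secret-key packets described in RFC 4880) shows the client wrapping its private key under a passphrase-derived key before upload, the server being unable to see the key in the stored blob, and recovery failing closed on a wrong passphrase. The sample key bytes are constructed.

```python
"""Illustrative GKM-style escrow: the client wraps its private key under a
passphrase before handing it to the server, so the server holds a recoverable
backup it cannot use by itself.  Added example, not Symantec code.  The blob
format and the HMAC-CTR cipher are toy stand-ins for OpenPGP S2K protection."""
import hashlib
import hmac
import os
import struct
from typing import Tuple

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the passphrase (PBKDF2-HMAC-SHA256).
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream using HMAC-SHA256 as the PRF (stand-in for AES-CTR).
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def wrap_private_key(private_key: bytes, passphrase: str) -> bytes:
    """Client side: build the passphrase-protected blob that is uploaded to the server."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, private_key)
    # Encrypt-then-MAC: the tag binds salt, nonce and ciphertext together.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unwrap_private_key(blob: bytes, passphrase: str) -> bytes:
    """Recovery: only a holder of the passphrase can turn the server's copy back into a key."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong passphrase or tampered blob: fail closed rather than return garbage.
        raise ValueError("passphrase incorrect or blob tampered")
    return _keystream_xor(enc_key, nonce, ciphertext)


def key_visible_in_escrow(blob: bytes, private_key: bytes) -> bool:
    """What the server alone can learn: the plaintext key must not appear in the stored blob."""
    return private_key in blob


if __name__ == "__main__":
    # Constructed sample standing in for OpenPGP secret-key material.
    key = b"-----BEGIN PGP PRIVATE KEY BLOCK----- (constructed sample)"
    blob = wrap_private_key(key, "correct horse battery staple")
    assert unwrap_private_key(blob, "correct horse battery staple") == key
    assert not key_visible_in_escrow(blob, key)
    try:
        unwrap_private_key(blob, "wrong passphrase")
    except ValueError:
        print("server copy is unusable without the passphrase")
```

The design point is the same one GKM relies on: the server stores a recoverable copy, but the material that makes it usable (the passphrase) never leaves the user. A forgotten passphrase therefore makes the GKM backup as unrecoverable as a lost CKM key.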
SKM (Server Key Mode)
SKM keys are generated and managed on SEMS. The client and SEMS handle the key automatically for the user: no user intervention is needed, and no passphrase has to be entered in order to decrypt or sign data. Because all key management is automatic, the full keypair, including the private key, must be stored on SEMS. The trade-off is that anyone with administrative control of the server can decrypt or sign on the user's behalf; SKM favors zero-touch operation over end-user control of the private key.
SCKM (Server Client Key Mode)
SCKM lets the user create and manage the key on the Symantec Encryption Desktop (PGP Desktop) client while involving both the client and SEMS. Keys are generated on the client and uploaded to SEMS. The private encryption subkey is stored on both the client and SEMS; the private signing subkey is stored only on the client.
SCKM therefore uses separate signing and encryption subkeys, comparable to separate X.509 signing and encryption certificates.
This key mode supports compliance with laws and corporate policies that require the private signing key to be managed only by the end user and never stored on a server. Since the private encryption key is stored on both the client and the server, a user who deletes the keypair locally can still recover the portion needed to decrypt data from the server; only the signing portion is lost and must be regenerated.
This key mode is compatible with Smart Cards as long as the key is not generated directly on the Smart Card.
NOTE: An important aspect of key management is key renewal. For key renewal considerations, see KB article TECH205541.