This article explains the key modes available for usage with Symantec Encryption Desktop (formerly known as PGP Desktop) when managed by a Symantec Encryption Management Server (SEMS, formerly known as PGP Universal Server). The description of each different key mode of PGP Keys provides the advantages, usage, and applicability of each key mode.
The SEMS (PGP Universal Server) provides four separate key modes for usage with Symantec Encryption Desktop (PGP Desktop) clients. These key modes are CKM,GKM,SKM, and SCKM. The following is a detailed description of each key mode that introduces its applicability and suitable usage. SEMS 3.0 and above incorporates new functionality with SKM keys, which has improved behavior often referred to as "Offline SKM". See below for further details:
CKM (Client Key Mode)
A CKM Key's biggest advantage is that only the end user has the private key and passphrase of the key. The user is in complete control of the private key and SEMS only has the public portion of the key. This mode is for experienced users who may have high security requirements, or in decentralized deployments in which the server must not manage the private key for the user.
When selecting to use a CKM key, all management and backup of the keys are done on the client computer. A CKM key is generated and managed only by Symantec Encryption Desktop (PGP Desktop) on the client computer.
- A CKM user is generally responsible for backup of their PGP keys. If a CKM user loses their private key, the key is not recoverable and all data encrypted to the key will be lost (unless Key Reconstruction is enabled on the SEMS beforehand).
- A CKM key processes all encryption and decryption at the PGP client.
- Symantec FileShare encryption (formerly known as PGP NetShare) supports the use of a CKM key.
- As the key is protected by a passphrase on the Symantec Encryption Desktop client, if the passphrase is forgotten, all encrypted messages and files encrypted to the key will remain encrypted (unless Key Reconstruction has been enabled beforehand).
GKM (Guarded Key Mode)
A GKM key is similar to a CKM key in its benefit of encryption and decryption that occur on the Symantec Encryption Desktop client. However, one advantage the GKM key has over a CKM key is the ability to store a passphrase-protected copy of the keypair on SEMS. As long as the user knows the passphrase of the key, the SEMS stores a backup of the key and is available for recovery if needed.
- GKM Users manage their keys on the Symantec Encryption Desktop client.
- GKM keys process all encryption and decryption at the Symantec Encryption Desktop client.
- Symantec FileShare encryption (PGP NetShare) supports the use of a GKM key.
- GKM keys store a passphrase protected copy of the key on SEMS.
- In cases where a key has been lost or corrupted, GKM keys can be restored from SEMS as long as the user knows the key passphrase.
SKM (Server Key Mode)
SKM keys are generated and managed on SEMS. SKM keys are automatically managed for the user by the client and SEMS--no user intervention is needed to use SKM keymodes and no passphrase needs to be entered in order to decrypt and sign data. As all management of keys is done automatically, it is necessary for the keypair to be stored on the SEMS.
- If no Symantec Encryption Desktop clients are used, and SEMS is deployed in the mailstream, SEMS will handle all encryption and decryption routines. If only Symantec Encryption Desktop is being used, SEMS stores the private key, but the client has access to the private key when it is needed for signing or decrypting operations.
- In older versions of the encryption software, SKM users do not have the ability to read encrypted e-mail offline or sign data offline. With versions 3.0/10.0 and above, a new feature called Offline SKM was introduced. Offline SKM allows users access to the private key, even when the Symantec Encryption Desktop client cannot communicate with SEMS. With Offline SKM, the keypair is always available on the client.
- Starting with version 10.0, SKM keys that previously could only be used for messaging, can be used for all other Symantec Encryption Desktop encryption actions. This includes encrypting disks and files, and decrypting MAPI email messages. Symantec FileShare (PGP NetShare) 10.0 cannot be used with SKM. Starting with version 10.1.0, SKM is fully compatible with Symantec FileShare (PGP NetShare).
- In Offline SKM mode, the private key is stored on SEMS, as well as the client, however when the SKM key is on the client, it is protected with a random passphrase that is unlocked when the user authenticates when logging in to their Windows account.
- In an environment where the Symantec Encryption Desktop software is not installed, SKM keys must be used.
- Symantec FileShare (PGP NetShare) is supported with SKM keys on SEMS (PGP Universal Server) 3.0.1 and above. If SKM is used on clients before 10.2, if no communication to the SEMS is available, the private portion of the key is not available to the client and decryption cannot occur. Starting with Symantec Encryption Desktop 10.2 and above, Offline SKM (known only as SKM on SEMS configuration) makes the private key available to the client, even when offline, making it possible to use this keymode for any encryption feature, including Symantec FileShare encryption (PGP NetShare).
- SKM is the ideal keymode for most deployments, especially for deployments that are Whole Disk Only and keys are not needed in general for file encryption, FileShare encryption etc.
SCKM (Server Client Key Mode)
SCKM allows the user to create and manage the key at the Symantec Encryption Desktop (PGP Desktop) client and to incorporate both client and SEMS. Keys are generated on the client and uploaded to SEMS. Private encryption subkeys are stored on both the client and SEMS with the private signing subkeys only stored on the client.
SCKM allows for separate signing and encryption subkeys, comparable to X.509 signing and encryption keys.
This key mode ensures compliance with laws and corporate policies that require that the private signing key is only managed by the end user and cannot be stored on the server. In this keymode the private encryption key is stored on the client and the server. If a user deletes the keypair locally, the private portion used to decrypt data is still on the server--only the signing portion is lost.
This key mode is compatible with Smart Cards as long as the key is not generated directly on the Smart Card.
- The public and private encryption subkey is on the server, but by default encryption and decryption is not performed on the server.
- The public-only signing subkey is on the server. SEMS cannot sign email for the user.
- Mail processing must take place on the client side in order to use the SCKM signing subkey.
- SEMS Gateway Email allows email encryption and decryption with SCKM keys, but email will not be signed (decryption must be enabled manually on SEMS for this keymode).
- SCKM is compatible with smartcards, but encryption keys will not be generated on the token. Copy the keys onto the token after generation.
- If an SCKM user resets their key, the entire SCKM key is revoked, including all subkeys, and remains on SEMS as a non-primary key for the user. This non-primary key can still be used for decryption, and will remain on the PGP Universal Server until manually removed by the administrator.
- It is recommended to only use this keymode if mandated by law to do so, as it does have limitations as stated and can make managing keys more complicated.
NOTE: An important aspect of key management is key renewal. For key renewal considerations, please review the KB TECH205541.