This article provides guidelines for using an ADK. An additional decryption key (ADK) is a key, generally held by the security officers of an organization, that is used to decrypt messages sent to or from employees within the organization.
Additional Decryption Keys (ADKs) are created as an additional method of decrypting content where decryption by the intended recipient may not be possible. Anyone who holds the ADK and its corresponding passphrase can decrypt any content, as long as that data was encrypted to this key.
ADKs can be enforced at the Organizational level or at the Consumer Policy level. When enforced at the Organizational level, the ADK applies to all users. When enforced at the Consumer Policy level, the ADK applies only to the users who are part of the applicable policy.
As a best practice, create the ADK on a standalone Symantec Encryption Desktop client. Standalone means the client is not managed by the Symantec Encryption Management Server (SEMS) for policy assignment: an individual license number is entered, and no aspect of the SEMS controls policy for that key or otherwise influences the behavior of the key.
The reason for using a standalone client is that the ADK should have no association with any other keys in the organization. The ADK is created without an expiration date and is not created according to a policy; it acts as its own key. Creating the ADK on the standalone client ensures that no other factors can affect the key.
Keys generated on the standalone client are, by default, set to never expire. Keys created while managed by the server can end up with expired signatures, because no clients are enrolled with this key.
Choose an appropriate key size for the organization; at least 2048 bits is recommended.
If splitting the ADK, take special care with the share conditions: once the ADK keypair is split, it is no longer usable until it is rejoined. For example, if the key is split into 3 shares and 2 are required, and only one user is able to enter his/her credentials, the keypair cannot be joined.
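The threshold rule above (3 shares, 2 required, one custodian alone cannot rejoin) is the general k-of-n property of a secret-sharing scheme. The following is an added illustration, not Symantec's own key-splitting code: it uses a Shamir-style polynomial split over a prime field (the field prime, the function names and the sample secret are all constructed for this example; the product's actual splitting implementation may differ) and shows which subsets of custodians can rebuild the secret.

```python
import secrets

# Prime field for the arithmetic; the Mersenne prime 2^521 - 1 holds secrets
# of up to 65 bytes. (Constructed choice for this example.)
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, shares: int, threshold: int):
    """Split `secret` into `shares` points; any `threshold` of them rebuild it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too long for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def join_shares(shares, threshold: int, secret_len: int) -> bytes:
    """Rebuild the secret by Lagrange interpolation at x = 0.

    Mirrors the product's rule: fewer than `threshold` shares cannot join.
    """
    if len(shares) < threshold:
        raise ValueError(f"{len(shares)} share(s) present, {threshold} required")
    pts = shares[:threshold]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")


def demo_two_of_three(secret: bytes = b"constructed ADK passphrase"):
    """Which custodian subsets can rejoin a 2-of-3 split? Returns {subset: ok}."""
    shares = split_secret(secret, shares=3, threshold=2)
    results = {}
    for subset in [(0,), (1,), (0, 1), (0, 2), (1, 2), (0, 1, 2)]:
        try:
            ok = join_shares([shares[i] for i in subset], 2, len(secret)) == secret
        except ValueError:
            ok = False
        results[subset] = ok
    return results


if __name__ == "__main__":
    for subset, ok in demo_two_of_three().items():
        print(f"custodians {subset}: {'joined' if ok else 'cannot join'}")
```

Running the demo shows that any single custodian fails while any pair (or all three) succeeds, which is exactly why the availability of at least the threshold number of custodians has to be planned for before the ADK is split.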
Always take special care to back up the ADK, ensuring that the keypair (both private and public) is backed up, not only the public key.
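A quick way to catch the mistake described above (a backup that holds only the public key) is to inspect the exported ASCII-armored file for the block types it contains and verify each block's armor checksum. The following is an added example, not part of the original article or of Symantec's software: it implements the OpenPGP armor CRC-24 from RFC 4880 section 6.1, builds constructed sample blocks with the hypothetical helper `armor()`, and reports whether a private-key block is present and intact (an OpenPGP private key block carries the public material as well, so a backup is considered complete only when a private block with a valid checksum is present).

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1 (the armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

_BLOCK_RE = re.compile(
    r"-----BEGIN (PGP [A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def crc24(data: bytes) -> int:
    """OpenPGP armor checksum over the decoded payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type: str, payload: bytes) -> str:
    """Wrap bytes in an ASCII-armored block (used here to build sample files)."""
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return (f"-----BEGIN {block_type}-----\n\n{body}\n={check}\n"
            f"-----END {block_type}-----\n")


def inspect_backup(text: str) -> dict:
    """Report which key blocks a backup contains and whether each checksum holds."""
    report = {"has_private": False, "has_public": False, "blocks": []}
    for block_type, body in _BLOCK_RE.findall(text):
        lines = body.split("\n")
        # Armor headers (Version:, Comment:) precede the first blank line.
        start = lines.index("") + 1 if "" in lines else 0
        data, stored = [], None
        for line in lines[start:]:
            if line.startswith("="):
                stored = int.from_bytes(base64.b64decode(line[1:]), "big")
            elif line:
                data.append(line)
        try:
            payload = base64.b64decode("".join(data), validate=True)
            crc_ok = stored is not None and crc24(payload) == stored
        except ValueError:
            crc_ok = False
        report["blocks"].append({"type": block_type, "crc_ok": crc_ok})
        if "PRIVATE" in block_type:
            report["has_private"] = True
        elif "PUBLIC" in block_type:
            report["has_public"] = True
    report["complete"] = report["has_private"] and all(
        b["crc_ok"] for b in report["blocks"])
    return report


if __name__ == "__main__":
    # Constructed sample: a backup that only contains the public key block.
    sample = armor("PGP PUBLIC KEY BLOCK", b"constructed public key packet bytes")
    print(inspect_backup(sample))
```

Run it against the exported .asc file before the backup is filed away; a result with `has_private` false means the export did not include the private key, and a block with `crc_ok` false means the file was damaged in transit or storage.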
Fixing an ADK (due to signatures, other ADKs on the key, etc.):
Setting expired ADKs to never expire: Import the keypair into a standalone Symantec Encryption Desktop client. Once the keypair is imported, double-click the key to open the key properties. Click the "Expiration" field of the key and set it to "Never". Click OK to save the changes and enter the passphrase to confirm them.
Removing ADKs on ADKs: Open the key properties again and, at the bottom of the page, click the ADK bar to see whether any other ADKs are associated with this ADK. If there are ADKs on the key, delete them from the list; ADKs should not be associated with any other ADKs. Because the client is standalone, it is possible to remove the ADK from the key if you know the passphrase. Enter the passphrase when prompted and click OK to save the changes.
Deleting expired Org signatures on the ADK: Expand the key by clicking the plus sign and, if there is a signature from your Org Key, delete it. The signature icon looks like a small pen with a globe on it. This leaves the key unassociated with any other keys.
Removing preferred keyservers on the ADK: If there is a preferred keyserver on the key, remove the entry for the existing server so the field is blank. Once all these steps have been completed, the ADK is ready to be uploaded back to the Symantec Encryption Management Server.
The purpose of the ADK is to ensure there is a means of decrypting data. When the ADK is uploaded to the Symantec Encryption Management Server, it is automatically signed by the Org Key; this is normal. However, it should not be signed as part of an enrollment procedure on a managed client.
NOTE: An attached guidelines document is available for general review. Some of the information in the document may not be completely accurate as far as general guidelines go; however, the steps to perform key generation, splitting keys, joining, etc., can still be used.