PGP Encryption Desktop Offline Behavior with the PGP Encryption Server
Article ID: 153217

Products

Desktop Email Encryption

Issue/Introduction

This article describes what happens to a customized Symantec Encryption Desktop (PGP Desktop) client if a Symantec Encryption Management Server (PGP Server) is offline or otherwise unavailable.

For information on what the PGP Server does if cluster members are unavailable, see the following article:

153198 - PGP Server Offline Behavior (Symantec Encryption Management Server)

If a PGP server is unavailable for a time, critical features may not be available. This risk can be reduced by using Load Balancing, so that if one PGP server goes down the load balancer redirects the PGP Desktop client to the other server that is still online. For more information on this topic, see the following articles:

156803 - Using DNS Round Robin and Load Balancers, Front-End Security Applications and Reverse Proxies with Symantec Encryption Management Server

180244 - HOW TO: Download Encryption Desktop Client Installers in Symantec Encryption Management Server

Resolution

When communication with the PGP Encryption Server is lost, certain PGP Encryption Desktop functionality may be lost, as described below.

PGP Encryption Desktop Email 

PGP Encryption Desktop's Email Encryption feature synchronizes with the PGP Encryption Server mail policies. 

Even if the PGP Encryption Server is not processing email, the server acts as the policy server for email encryption and communicates to the PGP Desktop Email client how to encrypt email.

If the PGP Encryption Desktop Email client is unable to communicate with the PGP Encryption Server for policy, the PGP Messaging logs will display errors similar to the following. The error indicates that PGP Encryption Desktop Email could not communicate with the PGP Encryption Server for policy (keys.example.com is the Management Server in this example):

11:28:28 Error Unable to establish SOAP communication with keys.example.com
11:28:28 Info Processing outgoing message from User1 with subject: PGP TEST
11:28:28 Warning Server keys.example.com not responding; will wait 15 minute(s) before trying again

At this point, the PGP Encryption Desktop service counts down from 15 minutes before re-attempting to contact the PGP Server for policy. This avoids constant traffic from PGP Encryption Desktop Email to the PGP Server while the PGP Server is unavailable.

If you attempt to resend the message within the 15 minute countdown, the PGP error will be displayed again and the messaging logs will show the remaining minutes before the client contacts the PGP Server again for policy:

11:42:04 Info Processing outgoing message from User1 with subject: PGP TEST
11:42:04 Warning Server keys.example.com not responding; will wait 2 minute(s) before trying again

If you attempt to resend and the PGP Encryption Server is still unavailable, the messages will not be sent.

The messages can be saved in Drafts and re-sent once the PGP Encryption Server is up and running. Once the 15 minute countdown has elapsed, all the messages will send properly:

12:31:33 Info Processing outgoing message from User1 with subject: PGP TEST
12:31:33 Info SDK Notification: other
12:31:33 Info SDK Notification: other
12:31:34 Info Successfully synchronized policy with keys.example.com
12:31:35 Info Encrypting PGP Partitioned message to [email protected] with key(s):
12:31:35 Info 'User1 ' (0x123456789)
12:31:35 Info Signing PGP Partitioned message with key 'User1 ' (0x123456789)

Note: If the PGP Encryption Server is subsequently brought online within the 15 minute countdown, the message will still not send until the 15 minute countdown for that specific email has elapsed. This 15 minute countdown does not apply to new email; compose a new email to bypass the countdown and send the email immediately.
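The retry countdown above is visible only in the PGP Messaging log, so an administrator who wants to know how long clients were cut off from policy has to reconstruct it from those lines. The following added example (not part of this article or of the Symantec/Broadcom product) parses log lines in the format quoted above and reports, per policy server, when contact was first lost, when the client was next due to retry, how many send attempts the countdown held back, and when policy re-synchronized. The sample log is constructed from the excerpts in this article; the log format and the "minute(s)" wording are taken from those excerpts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the PGP Messaging log excerpts quoted in this article.
SAMPLE_LOG = """\
11:28:28 Error Unable to establish SOAP communication with keys.example.com
11:28:28 Info Processing outgoing message from User1 with subject: PGP TEST
11:28:28 Warning Server keys.example.com not responding; will wait 15 minute(s) before trying again
11:42:04 Info Processing outgoing message from User1 with subject: PGP TEST
11:42:04 Warning Server keys.example.com not responding; will wait 2 minute(s) before trying again
12:31:33 Info Processing outgoing message from User1 with subject: PGP TEST
12:31:34 Info Successfully synchronized policy with keys.example.com
"""

# \s* after the timestamp also tolerates lines where the level is glued to the time.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s*(Error|Warning|Info)\s+(.*)$")
SOAP_RE = re.compile(r"Unable to establish SOAP communication with (\S+)")
WAIT_RE = re.compile(r"Server (\S+) not responding; will wait (\d+) minute\(s\)")
SYNC_RE = re.compile(r"Successfully synchronized policy with (\S+)")


def _state(servers, host):
    return servers.setdefault(host, {"first_failure": None, "next_retry": None,
                                     "recovered": None, "held_sends": 0})


def policy_server_timeline(log_text):
    """Walk PGP Messaging log lines and reconstruct, per policy server, when
    contact was lost, when the client will next retry, and when it recovered."""
    servers = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line in the expected format; skip rather than guess
        when, msg = datetime.strptime(m.group(1), "%H:%M:%S"), m.group(3)
        if (hit := SOAP_RE.search(msg)):
            st = _state(servers, hit.group(1))
            st["first_failure"] = st["first_failure"] or when
        elif (hit := WAIT_RE.search(msg)):
            st = _state(servers, hit.group(1))
            st["first_failure"] = st["first_failure"] or when
            st["next_retry"] = when + timedelta(minutes=int(hit.group(2)))
            st["held_sends"] += 1  # a send attempt was held back by the countdown
        elif (hit := SYNC_RE.search(msg)):
            st = _state(servers, hit.group(1))
            st["recovered"], st["next_retry"] = when, None
    return servers


def outage_seconds(servers, host):
    """Seconds between first failure and policy re-sync, or None if not recovered."""
    st = servers.get(host)
    if not st or st["first_failure"] is None or st["recovered"] is None:
        return None
    return int((st["recovered"] - st["first_failure"]).total_seconds())
```

Run against a real PGP Messaging log, the `next_retry` value tells you whether a user's "not sent" complaint falls inside the countdown or indicates the server is still unreachable.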

Outlook Behavior with Sent Folder: The PGP Encryption Desktop client can also believe it is online if the next policy update interval has not yet come around since the client went offline. This affects how Outlook shows email in the Sent folder and what timestamps it records. For example, if the PGP Encryption Desktop client has an update-policy interval of 24 hours and a message is sent while offline, but the client has not yet tried to check in with the PGP Encryption Server, the message may appear in the Sent folder. In that case the timestamp may show when the message first appeared in the Sent folder, not when the message actually left the Outbox after the system came back online.

To avoid this issue, if you expect this scenario to happen frequently, shorten the policy-update interval so that the client checks in more often. If you commonly go offline and then send a message, consider how soon after going offline you could send an email. If that could be immediately, consider creating a policy that updates every 1 minute. When the client checks in and finds that it cannot retrieve policy because the PGP Encryption Server is unavailable, the messages will simply stay in the Outbox and not appear in the Sent folder. They will then carry a timestamp from when they are actually sent the next time you are online.
EPG-33831

For further guidance, please reach out to Symantec Encryption Support and mention this article as reference. 

In addition to the above, "Default: Standalone" policies can be invoked to allow email encryption in some cases.  To see how you have these policies configured, see the following screenshot for the PGP Encryption Server:

Also, consult the Consumer Policy in question to see what the PGP Desktop client is configured to do in the event that it goes "Offline":

(In the SEMS console, Consumers > Policy, then Desktop Settings, then Messaging)

As you can see above, there are several policies that can kick in, including the ability to Block messages, which is the most secure way to do encryption if the PGP server is not available.  This will mean that sending encrypted content will not be possible until the PGP Server is brought back online. 

Again, please see the "Outlook Behavior with Sent Folder" note above to understand how best to minimize issues while offline should this take place.


PGP Drive Encryption

If PGP Encryption Desktop's Whole Disk feature is the only feature being used and the PGP Encryption Server is unavailable, the PGP Whole Disk Encryption client will not be able to retrieve policy as expected.
Any keys that need to be obtained from the PGP Server for file encryption will also not be available.

PGP Whole Disk Recovery Tokens (WDRTs) will still work if needed; however, once the end user enters the WDRT at SED Bootguard (the PGP passphrase prompt during bootup), a new WDRT will not be generated and the following error will be displayed:

"A new Whole Disk Recovery Token could not be generated because the Administrative Server is not available"

The WDRT will still work until the PGP Encryption Desktop client is able to contact the PGP Encryption Server. Once the PGP Server is available, a new PGP Whole Disk passphrase can be created and a new WDRT will then be synchronized with the PGP Server.

Note: If you need Whole Disk Recovery Tokens to be available even while offline (including for new clients), reach out to Symantec Encryption Support for further guidance.
Symantec Endpoint Encryption builds in "Connectionless" recovery, which makes it entirely possible to recover machines (even new machines) when a server is unavailable.
For full feature comparisons, including information on recovery, see the following articles:

162352 - Symantec Endpoint Encryption Help Desk Recovery (Challenge Key Recovery - Connectionless Recovery)

258513 - Symantec Endpoint Encryption Help Desk Recovery (Connected Recovery - SEE Client connected to the SEE Management Server)

151074 - Symantec Endpoint Encryption and PGP Encryption Solutions Comparison

201122 - How Symantec Encryption Products stand out above the competition


PGP File Share Encryption

If PGP File Share Encryption is the only functionality being used, the ability to add users to a network share/folder using LDAP Groups is unavailable.

PGP File Share Encryption Group Keys are also not available for this. Fortunately, this is not a frequent occurrence. 

Any keys that need to be obtained from the PGP Server for file encryption will also be unavailable so it is important to bring the PGP Encryption Server online as soon as you can.

All PGP File Share Encryption authentication will work as normal if "local" or "user" keys are being used and access to PGP File Share encrypted folders will be the same as if online.
PGP File Share functionality will still work as long as the public keys are available from the PGP Desktop local keyrings.
Although Group Keys require the PGP Encryption Server, Group keys are the recommended method for encryption as it makes user management seamless.


Additional Information

153198 - PGP Server Offline Behavior (Symantec Encryption Management Server)

248101 - PGP Offline Policy: Messages Blocked in Outlook if the PGP Client cannot reach the PGP Server