Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)

Article ID: 153245


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Broadcom offers many different products, each with its own licensing requirements. Some Symantec Encryption products use a licensing system to enable product functionality for purchased products, while others do not.

This article outlines the licensing concepts and walks through licensing scenarios to help clarify whether you are using the products in the way your "paper license" outlines.

 

Symantec Encryption functionality may be fully or partially disabled until a valid license number is entered. The process of entering a license number into Symantec Encryption software is called License Authorization and enables one or more seats (or users) of Symantec Encryption software.

Sample License Number:
DWDK0-ABCD-12345-ABC12-ABCDE-123

Symantec Enterprise Division reserves the right to audit systems for licensing compliance as per the End User License Agreement.

Resolution

 

Section 1 - Symantec Endpoint Encryption (SEE)

Symantec Endpoint Encryption Management Server (SEE MS)
Symantec Endpoint Encryption Drive Encryption (SEE Drive Encryption)
Symantec Endpoint Encryption Removable Media Encryption (SEE RME)

Symantec Endpoint Encryption Management Server can be installed on as many systems as needed without additional licensing.

SEE MS manages systems encrypted with Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption.

Symantec Endpoint Encryption is licensed (metered) per device, that is, by the number of laptops or desktops to be covered.


Example 1: If SEE Drive Encryption is installed on 100 systems, then a license for 100 seats would be needed. 

Example 2: If an additional 50 seats were installed with SEE RME, then another 50 seats would be needed, for a total of 150 seats.

As of this writing, Symantec Endpoint Encryption products do not use a license number, unlike the rest of the encryption products in this document.

 

 

Section 2 - Symantec Encryption Products (PGP)

Symantec Email Encryption 
Symantec File Share Encryption 
Symantec Drive Encryption

All of the PGP Desktop features listed above are licensed per user, meaning each individual user actively using the PGP Desktop software, whether on the same system or on any profile on the same system.
The exception to this rule is Symantec Drive Encryption, which is licensed per device.


Example 1: One user on one or more profiles per system must purchase one copy of PGP Desktop.

Example 2: Two users on one or more profiles per system must purchase two copies of PGP Desktop.

Example 3: One user wanting to use PGP Desktop on five different computers must purchase five copies.

Example 4: Symantec Drive Encryption enables a user to encrypt the entire hard drive of a computer. After the system has been encrypted, the system cannot be booted until a passphrase (password) has been entered. In some cases, this is the only encryption functionality that will be used.

Symantec Drive Encryption allows multiple users to be added to the software to boot a system. In this scenario, only one license per system/device is required. This applies to Administrators wanting to add themselves to the Symantec Drive Encryption software (see the screenshot below for the Drive Encryption shelf). If any additional features are used, such as individual file encryption or Virtual Disk, each user taking advantage of these features requires an individual license.

Example 5: Email Decryption only: Symantec Encryption Desktop (SED/PGP Desktop) has the ability to encrypt and decrypt emails. When the license term ends for Email Encryption, previously encrypted email content can be decrypted with PGP Viewer on an email-by-email basis. In the event that PGP Viewer cannot be used, Symantec Enterprise Division allows customers to decrypt messages that were previously encrypted as long as a license for other PGP Desktop features is currently owned.

For example, if Symantec Drive Encryption and Email Encryption were previously purchased, but only Drive Encryption is renewed, you may continue to use the email piece to decrypt emails only. No further emails can be encrypted with the PGP Desktop client. Broadcom requires that the mail policies be configured such that no future email will be encrypted. These mail policies may need to be modified on the PGP Server (Symantec Encryption Management Server) or on a standalone client. For help with how to do this, please contact support.



Section 3 - PGP Server (Symantec Encryption Management Server)

A few scenarios exist for licensing with PGP Server/Symantec Encryption Management Server (SEMS):
1. PGP Server with PGP Command Line Integration (KMS)
2. PGP Server - Gateway Email Deployment

Other scenarios exist, such as PGP Desktop clients, but when any PGP Desktop solution is purchased, the PGP Server (non-mailflow, non-KMS SKU) is automatically provided.
In other words, the PGP Server will manage the PGP Desktop clients and the only additional SKU needing to be purchased is for KMS functionality, or WEP/PDF Messenger functionality.




     Example 1 - PGP Desktop Clients (Symantec Encryption Desktop Clients Managed by the PGP Server):

PGP Server includes the ability to manage users on the server or centrally manage individual PGP Desktop clients. PGP Server allows Administrators to lock down PGP Desktop policies.

The central management functionality is a bundled SKU which includes both the client and server functionality. The number of seats needing to be purchased depends on the number of clients needing to be installed. If 100 users need to install PGP Desktop, this SKU automatically includes 100 seats of PGP Server for client management.

At the time of this writing, a license must be entered to enable features of PGP Server. No license number needs to be entered on the server to enable client functionality. When additional seats of PGP Desktop are purchased, there is also no need to update a license key on PGP Server.
 

 

     Example 2 - PGP Server (Symantec Encryption Management Server) for Gateway Email Encryption Only

When PGP Server is used to only encrypt email in the mailstream, the server is licensed per user.  If 100 internal users exist on the PGP Server, then 100 seats must be purchased.

A license must be entered to enable the mail functionality of PGP Server. 
 

Note on Clustering: PGP Server can share/replicate information with other PGP Servers; this process is called clustering, and it uses multiple PGP Servers. For licensing purposes, Broadcom does not limit the number of clusters that can be used within the environment, as long as the user count does not exceed the quantity of licenses purchased (the technical limitation is 6 nodes).

Note on Licensing Counts and Compliance: Although this article describes how the software is licensed and includes scenarios to help clarify how the licenses are counted, PGP Server does not currently provide a method to determine the exact number of licensed seats in use. This feature is being reviewed. To be added to this feature request, please reach out to Symantec Encryption Support for further guidance. There are several reasons the counts shown on PGP Server are not exact; two of the most common are as follows:
 

Managed User Scenario: A user who is no longer with the organization could still appear on the PGP Server. PGP Server would count this user against the total number of Internal Users; however, the user technically is not using a licensed seat. Users (and Devices) on PGP Server are never removed unless an Administrator does so manually.

Managed Device (Machine) Scenario: A user may acquire a new machine and could then have two machines listed on PGP Server. One machine may be retired or reimaged and no longer in use, and the new machine would appear as an additional device. Technically, for PGP Drive Encryption, this would count as two seats; however, on paper, only one seat is being used.

Due to the above scenarios, and possibly other scenarios, checking counts on PGP Server for licensing compliance is not a reliable method to know how many seats are in use. For compliance reasons, it is best to keep track with your own software management solution, such as Altiris/IT Management Suite, to query actual machines and see on which machines PGP Desktop is installed.

 

 

     Example 3 - Web Email Protection or PDF Messenger with a PGP Server (Symantec Encryption Management Server for Gateway Email Encryption Only)

When the PGP Server is used to encrypt email in the mailstream, the server is licensed per internal user.  If 100 internal users exist on the PGP Server, then 100 seats must be purchased.

Web Email Protection and PDF Messenger are features that allow an internal user to send to an external user securely, even if the recipient does not use a PGP Key or certificate.
This functionality is convenient for sending sensitive data, such as invoices, to an external recipient where confidential data must be transmitted, and it can be used on an "Unlimited" basis at the time of this writing.
The unlimited term means that any valid internal user can send to any number of external users via Web Email Protection or PDF Messenger without any regard for how many external users there may be.

This offers exceptional value to the ability to send encrypted content.  

 

Section 4 - PGP Command Line 


Production Machines VS Non-Production Machines
Symantec PGP Command Line is licensed per physical machine and by how many CPUs/processors/cores are being used.

CPUs/processors/cores refers to the number of physical/virtual CPUs on a system.

Important Note: CPUs with multiple internal processing units or cores each count as a CPU as this allows for multithreaded processing to take place, which in turn provides better processing power for PGP Command Line.
PGP Command Line is a powerful tool so the more CPUs you assign to a system, the more encryption/decryption routines can run simultaneously.

PGP Command Line is not licensed per "Logical processor" or "threads", only per CPUs/Cores/Virtual Processors.

 

Each copy of PGP Command Line purchased entitles you to install on one production machine (that handles all your encryption/decryption for your business on a day-to-day basis) and one non-production machine (that is used to develop scripts for testing, but never handles production data for encryption/decryption).

This means that if one 2-CPU license is purchased for PGP Command Line, it may be installed on the production box that handles all encryption/decryption processes and has 2 CPUs (or 1 CPU with 2 cores), and on another system that is not handling production encryption/decryption.

The non-production box may be a failover box or a test box, but may not perform any business-related encryption/decryption.

If you have one production server (handling active data), one production server (on standby for redundancy), and one non-production server (for script development and testing), this would require 2 licenses of PGP Command Line.
You would then be able to install on 2 production servers and 2 non-production servers.

Example 1: If a computer has one or two physical processors, a 2-CPU license is required.

Example 2: If a computer has up to four processors, a 4-CPU license is required, and so on.

Example 3: If a 1-CPU processor has 4 cores, then a 4-CPU license would be needed. 

Example 4: If a system has 4 CPUs, and 4 cores each, then a 16-CPU license would be needed.

 

Virtual Processors VS Physical Processors (CPUs/Cores):
Virtual machines are able to exist on a host server in which resources are allocated virtually.  This means the host could have 100 CPUs in total, but it is possible to partition out virtual resources.
For example, although the host machine could have 100 physical CPUs/Cores, the virtual machine could be allocated 22 virtual CPUs or Cores.  


 
For example, the first screenshot below is the physical CPU on the Windows Server that hosts the Virtual machines. 
It has a single processor and 4 cores.  If PGP Command Line was installed on this system, a 4-CPU license would be needed:

However, in the example above, this is the host machine, and we are going to install PGP Command Line on a "Virtual" machine (not the host).

In the Virtual machine that is on the host from above, we have allocated only 2 processors to the virtual machine:

Logging in to the Virtual machine, we can see that the machine sees two "Virtual processors", which is the same thing as actual cores of the CPU:

As you can see above, there were two processors allocated to the virtual machine and "Virtual processors" shows "2".

When running the "pgp --version -v" command, we can see the output shows that 2 CPUs were detected, which matches the CPUs allocated to the system:

Note: If you are seeing a discrepancy from the above, please reach out to Symantec Encryption Support for further guidance.

 

Splitting VS Stacking:
If you own a 32-CPU license, you could use this on the 22-CPU system, but you could not "Split" the 32-CPU license for multiple servers. 
For example, you couldn't use 22 CPUs from the 32, and then 10 CPUs for another server.  The license agreement is per server and does not allow for splitting.

The PGP Command Line license does allow "Stacking"--if you own 1 license for 8-CPUs and another for 4-CPUs, you could install this on a single production server that has up to 12 CPUs/Cores.
You have just stacked the 8 and 4 CPU licenses.

NOTE: If you owned a license for 8 CPUs and you need to add on 4 more CPUs, once you have purchased the 4 CPUs, you can then increase the CPUs on your system to 12 CPUs.
There is no need to enter a new license number once the new 4-CPU license has been purchased as this is considered a "Paper" license. 

 

 

Section 5 - Licensing for Terminal Server or Citrix Environments

Various PGP Desktop (Symantec Encryption Desktop) functionality can be used in Terminal Server or Citrix Server environments. In Terminal or Citrix Server environments, the applications are installed on the server itself and any user logged into this server can access the installed application. Due to the nature of these environments, PGP Desktop is managed quite differently than in normal environments. The Encryption software is licensed per user on the Terminal or Citrix Server and not by how many users are using Symantec Encryption Desktop.

Example: PGP Desktop is installed on a Terminal Server that has 100 users; however, 25 users are currently using Symantec Encryption Desktop. In this scenario, 100 copies must be purchased, because all users on the server have the ability to use the Encryption software, whether it is used or not, so this is for "Potential Use".

The only exception to this, in Citrix environments, is when a technical restriction has been enforced on the Citrix Server. In other words, only those users who are licensed to use PGP Desktop have the ability to use any encryption functionality. To enforce a technical restriction in a Citrix environment, NTFS Permissions should be modified on the Citrix Server to remove Execute access for the Program Files folder so that only licensed users can open PGP Desktop. In addition to restricting execute access, other restrictions should be put in place so that PGP Desktop does not start up when a user logs into an account and the menu items are not available.
 

Due to the nature of licensing with Terminal Server or Citrix environments, licensing is per user on the Terminal or Citrix server where Symantec Encryption Desktop is installed, as listed in the example above. The only exception to this licensing is implementing a technical lockdown of the Symantec Encryption Desktop software for non-licensed users in this type of environment. This means the non-licensed users are technically unable to utilize any features. When such a technical lockdown has been implemented, Symantec will only require licenses for the users who will be using Symantec Encryption Desktop and are legally authorized to do so.

 

Additional Information

193931 - How to download Symantec Encryption products from the Broadcom download Portal

206503 - How to find your license number for Symantec Encryption products

175951 - How to license Symantec Encryption Management Server

276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12 and above

180234 - How to: Enter your license information for PGP Command Line

180213 - How to: Enter your License information for PGP Encryption Desktop (Symantec Encryption Desktop)

 

153245 - Symantec Encryption Product License concept - How are Symantec Encryption Products licensed (SEE and PGP)

153399 - PGP Command Line license displays as "Invalid" on VMware systems