PGP Encryption Desktop Email Encryption attempts to encrypt every outbound message (Opportunistic Encryption)

Article ID: 154056

Products

Desktop Email Encryption

Issue/Introduction

By default, an unmanaged or "Standalone" client (A PGP Encryption Desktop that does not communicate with a PGP Encryption Server) installation of Desktop Email Encryption will try to encrypt all outbound messages if it can.

If you are blocking port 389 or 636, keyserver lookups may fail, causing further delays.

This article will discuss both of the scenarios above.

Environment

Symantec Encryption Desktop 10.5 and above.

Cause

Opportunistic Encryption
By default, PGP Encryption Desktop uses an "Opportunistic Encryption" rule.

This means that if a PGP key for the recipient can be found, the message will be encrypted.

The assumption is that if a key exists for the recipient, you should encrypt to it.

Keyserver Key Lookup Delays
There is a delay while Desktop Email Encryption tries to look up keys on the local keyring, the PGP Global Directory and any keyservers the user has added to the keyserver list.

The key lookup on the PGP Global Directory is done using LDAP (port 389). In a corporate environment, outbound LDAP connections will almost certainly be blocked and this causes delays in sending mail.

Resolution

Although encrypting confidential data is critical to protecting your privacy, there may be cases where you want to encrypt only specific emails.

There are two ways to avoid using the Opportunistic Encryption Rule:

1. Disable Opportunistic Encryption completely.
2. Move the rule all the way to the bottom so that other rules will be evaluated first.

Disabling Opportunistic Encryption is the much easier solution and puts the end user in control of which messages are encrypted.
If you do this, make sure other rules or conditions are in place to secure the data that needs protection.

1. Open PGP Encryption Desktop.
2. Click on PGP Messaging from the left side menu.
3. Click the relevant messaging service in the left pane.
4. Under Security Policies, click the Edit Policies button.
5. To disable Opportunistic Encryption (enabled by default), simply uncheck its box.

If you want to use it, but match other rules first, select Opportunistic Encryption and click "Move Down" until it is listed at the bottom.

6. Click the Done button.

After disabling opportunistic encryption, the other rules in the list will still apply. For example, you can force encryption by including [pgp] in the Subject of an outbound email or classifying the message as company confidential.

There are many other ways to trigger encryption with conditions and rules.


Keyserver Key Lookup Delays

Keys in the local keyring are used immediately for encryption, but there may be a delay while Desktop Email Encryption tries to look up keys at a public keyserver such as the PGP Global Directory.

The key lookup on the PGP Global Directory is done over LDAP (port 389) or, if configured, LDAPS (port 636, LDAP over TLS).

In an enterprise environment, outbound LDAP connections are typically blocked, and the client waiting for those connections to time out causes the delays in sending mail.

In a corporate environment, enabling outbound LDAP connections will involve updating firewalls. In general, this is not a practical resolution but it would enable keys to be searched in the PGP Global Directory.
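To confirm that the delay is the blocked-port case rather than a slow keyserver, here is an added diagnostic (it is not part of the article or of the product): it attempts a plain TCP connect to the PGP Global Directory on 389 and 636 with a timeout and reports whether each attempt completes, is actively refused, or silently times out, which is what a blocking firewall usually produces. The host keyserver.pgp.com is the one quoted in the policy text; the target list, the timeout and the "worst-case delay" estimate are assumptions.

```python
import socket
import time

# Endpoints the article names: the PGP Global Directory (keyserver.pgp.com)
# over LDAP on 389 and, if configured, LDAPS on 636. Constructed target list.
KEYSERVER_TARGETS = [("keyserver.pgp.com", 389), ("keyserver.pgp.com", 636)]


def probe(host, port, timeout=5.0):
    """One TCP connect attempt, reported the way the mail client experiences it.
    Returns (status, seconds): 'open' (lookup would proceed), 'refused' (RST,
    fails fast), 'timeout' (packets silently dropped: the slow case a blocking
    firewall produces and the delay this article describes), 'unresolved'
    (DNS failure) or 'error' (any other socket error).
    """
    start = time.monotonic()
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved", time.monotonic() - start
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        status = "open"
    except socket.timeout:
        status = "timeout"
    except ConnectionRefusedError:
        status = "refused"
    except OSError:
        status = "error"
    finally:
        sock.close()
    return status, time.monotonic() - start


def estimate_lookup_delay(targets=KEYSERVER_TARGETS, timeout=5.0):
    """Probe each endpoint; the summed time approximates the worst-case extra
    delay one outbound message could see from sequential keyserver lookups."""
    results, total = {}, 0.0
    for host, port in targets:
        status, elapsed = probe(host, port, timeout)
        results[(host, port)] = (status, round(elapsed, 2))
        total += elapsed
    return results, round(total, 2)


if __name__ == "__main__":
    for (host, port), (status, secs) in estimate_lookup_delay()[0].items():
        print(f"{host}:{port:<4} {status:<10} {secs:6.2f}s")
```

A 'timeout' result on both ports, each taking the full timeout, is the signature of a firewall dropping outbound LDAP; a 'refused' result fails fast and is not the cause of a multi-second send delay.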

If you do not want keyserver lookups to be done, click "Edit Policy..." on each of the rules in your list and deselect the keyserver search option. In this example, we'll click "Edit Policy..." for the Opportunistic Encryption rule:

In that policy, when the condition "If a recipient's key is not available" (in your local keyring) is met, the action "Search keys.domain and keyserver.pgp.com" is taken, which causes additional keyserver lookups. To stop this from happening on every message when you are blocking 389 or 636, you need to decide which action to take instead when a key cannot be found.

If a key cannot be found, is it acceptable to send the message unencrypted, or is it better to block the message? Determine which action to take and select the option that fits your security requirements:

Search - This will give you a chance to search specific keyservers.

Clear-sign message - This will sign the message with your own PGP Key, but will send the message unencrypted.

Send message unsecured - This will send the message unencrypted and will not attempt any keyserver searches.

Block message - This will block the message so you can find the recipient's key, import it into your keyring and then send again to encrypt.


For further guidance, reach out to Symantec Encryption Support.