Using Verified Directory to search for and import external user public keys from Encryption Management Server using PGP Command Line
Last Updated August 30, 2017
PGP Command Line can search for the public keys of Internal users on Encryption Management Server using the LDAP or LDAPS protocol and import them into its keyring. However, it cannot search for or import the public keys of External users.
This applies to Encryption Management Server 3.3 or above running the Keyserver service, used with PGP Command Line 3.3 or above.
The behaviour is by design: the Keyserver service publishes the keys of Internal users over LDAP and LDAPS, but the keys of External users are not exposed there unless one of the options below is used.
In order to search for and import the public keys of External users with PGP Command Line, there are two options:
Use the USP (Universal Services Protocol) with PGP Command Line as described in article TECH213984.
Configure Verified Directory on Encryption Management Server as described in article HOWTO41985 and use the LDAP or LDAPS protocol with PGP Command Line.
By default, Internal users do not have permission to submit keys to Verified Directory. Verified Directory Users are allowed to submit keys, and their default Vetting Method is Email, which requires the submitted key to be confirmed through a message sent to the key's email address. Change the Vetting Method to Implicit only if administrators will be the ones importing the external user keys: with Implicit vetting the server accepts a key without any proof that the submitter controls the address, so the administrator should confirm each key's fingerprint with its owner out of band before adding it.
As described in article HOWTO41985, Verified Directory requires a Verified Directory Key, which is imported from the Keys / Organization Keys menu of the admin console. If administrators are the ones creating the Verified Directory users, it is more convenient for this to be a key that does not expire, so that the directory does not stop working when the key lapses.
Once the Verified Directory service is configured, the Consumers / Users menu in Encryption Management Server contains a Verified Directory Users sub-menu. From that page, click the Add Verified Directory Users button to add the public keys of external users.
Note that the Verified Directory service runs on HTTP port 80 by default and allows external users to add their own keys to Encryption Management Server through a web page, so enabling it exposes a key-submission interface to anyone who can reach that port. If the only reason for enabling Verified Directory is to let administrators add external user keys for PGP Command Line to import, the service can be paused by clicking the Pause button in the Services / Verified Directory menu of the admin console; the keys already added remain available to the Keyserver service. The default port can also be changed if it conflicts with another service running on the same network interface.
To search for the Verified Directory users using PGP Command Line, use a command like the following, where symantec.com is the email domain of the user to search for and keys.example.com is the host name of the Keyserver service on Encryption Management Server. This example uses LDAPS, which protects the query and the returned key in transit and lets the client check the server certificate; plain LDAP is also possible but sends both in clear text:
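The following script is an added example and is not the article's own command; it shows the search described above carried through to an import and a fingerprint check. The host name keys.example.com, the domain symantec.com and the fingerprint passed on the command line are placeholders, and the pgp flags used (--keyserver-search, --keyserver-recv, --keyserver, --fingerprint) are assumed to be the ones documented for PGP Command Line.

```shell
#!/bin/sh
# Added example (not from the original article). Searches Verified Directory
# on Encryption Management Server from PGP Command Line, imports the matching
# key(s) and confirms the import by fingerprint before the key is used.
# Assumptions: keys.example.com, symantec.com and the fingerprint argument are
# placeholders; the pgp options used are the documented keyserver commands.

# Build the keyserver URL, refusing anything but ldap/ldaps so that a typo
# cannot silently route the query over a different protocol.
keyserver_url() {
    proto="$1"; host="$2"
    case "$proto" in
        ldap|ldaps) ;;
        *) printf 'unsupported protocol: %s\n' "$proto" >&2; return 1 ;;
    esac
    printf '%s://%s\n' "$proto" "$host"
}

# Search Verified Directory for keys whose user ID matches the search string.
# Over plain LDAP the query and the returned key travel in clear text; LDAPS
# is preferred because the server certificate guards against a spoofed keyserver.
search_keys() {
    pattern="$1"; url="$2"
    pgp --keyserver-search "$pattern" --keyserver "$url"
}

# Import the matching keys into the local PGP Command Line keyring.
recv_keys() {
    pattern="$1"; url="$2"
    pgp --keyserver-recv "$pattern" --keyserver "$url"
}

# Check that a key with the expected fingerprint is now in the local keyring.
# Importing from a directory does not make a key trustworthy by itself; the
# fingerprint should match one obtained from the key owner out of band.
fingerprint_present() {
    userid="$1"
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    pgp --fingerprint "$userid" 2>/dev/null | tr -d ' ' | tr 'a-f' 'A-F' | grep -q "$expected"
}

# Usage: ./vd-import.sh <search string> <expected fingerprint>
# Only runs when pgp is installed and both arguments are given.
if [ "$#" -eq 2 ] && command -v pgp >/dev/null 2>&1; then
    url=$(keyserver_url ldaps keys.example.com) || exit 1
    search_keys "$1" "$url"
    recv_keys "$1" "$url"
    if fingerprint_present "$1" "$2"; then
        echo "Imported key for $1 matches expected fingerprint"
    else
        echo "WARNING: no imported key for $1 matches the expected fingerprint" >&2
        exit 1
    fi
fi
```

Run it as `./vd-import.sh symantec.com '<fingerprint from the key owner>'`; a search string that matches several external users imports all of them, so pass the more specific email address when only one key is wanted.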