
ADK delete on SEMS and PGP Desktop

Created: 27 Dec 2013 | 11 comments
m4xx:

Hello,

My customer has implemented the ADK in the Consumer Policy to use in a File Share. He lost the ADK's password and asked me to change to another ADK.

I'm not able to delete the old ADK on SEMS (see the figure), because the icon (see the red circle) is not there.

Is there a way to delete this key?

Furthermore, every user in PGP Desktop has this key (about 60 users) and I haven't found a method to delete it.

What do you advise me to do?

Thank you

Comments

dcats:

Hi m4xx,

You cannot delete the key from there because that key is still in use in a policy.
Simply upload a new ADK in the policies (where the old one was). As soon as the key is no longer associated with a policy you should be able to delete it.
Hth,
dcats

m4xx:

Hi,

No, it doesn't work.

I've tested it in my lab. Even if I change the ADK to the new ADK, the old ADK is still there.
This is what I don't understand: the old ADK is in every PGP Desktop (see the figure pgpdesktop1); ADK_Test_new is the old ADK, and ADK_UPDATE is the new ADK.

As you can see in the figure pgpdesktop2, I cannot delete the old ADK.

Thanks

Massimo
Attachments: pgpdesktop1.png, pgpdesktop2.png
dcats:

Hi Massimo,

I meant that it should be possible to delete it from the SEMS interface. If not, it's because the ADK flag is still set for that key in the database. In this case, please contact Technical Support.

Regarding the removal of the old ADK from the clients, I'm not sure if it's possible, and currently I don't have access to a lab environment.

Rgs,
dcats

Anthony_Betow:

Hello m4xx,

Can you check the box, scroll down to Options, and see whether Delete Selected is an option?

The new ADK on the File Share access list has the private portion as well, whereas this should only be the public portion. The new ADK key has to be uploaded to policy (public portion only) and then the client policy updated.

Can you give me a screenshot of the ADK key in policy?

Thanks

Anthony

m4xx:

Hello Anthony,

Yes, there is a Delete Selected, but nothing happens when I click it.

There is the private key because pgpuser14 is the user with which I created the ADK keys.

I attach the screenshot; as you can see, now I've put in the ADK_UPDATE, while before there was the ADK_Test_new.

Thank you so much for your support.
Attachment: adk.png
m4xx:

Hi dcats,

I think you are right.

I'll try to delete the users that have the ADK key to see if I can then delete the ADK on SEMS.

Do you know in which directory the ADK keys are?

Thank you

Rgs

m4xx:

Hi dcats,

I forgot that I had read this in this document:

http://www.symantec.com/business/support/index?page=content&id=HOWTO42047

Note: When using an ADK on your server, ALL user keys added after the ADK is imported will have an ADK associated with their key. You cannot remove or delete the ADK from a single user key in a PGP Universal Server managed environment.

What do you think about this? Is it also applicable to my case?

Thanks

Anthony_Betow:

The ADK key has to be removed in policy. The ADK key cannot be removed from a PGP Desktop client because it is enabled in policy.

From the screenshot, the Delete option is available in policy, which is where you would delete the key and upload a new ADK key.

Remove the key and Save, update the client policy, and the ADK key should be removed.

Upload the new ADK key in Policy and click Save. Update the client policy and the new key should be added to the PGP Desktop clients. Upload the public portion only.

The admin that logs on to the PGP server needs to have SuperUser permissions to make this change.

Thanks

Anthony

m4xx:

Hello Anthony,

What you described is what I did.

In the same policy I had put the ADK_TEST_new before and created a file share; then I removed this ADK, saved and updated policies.

The ADK remained in PGP Desktop; then I added the ADK_UPDATE and that ADK was added as well.

If I understand what you are saying, I should remove the ADK_UPDATE and it should therefore be removed in PGP Desktop, right?

Thanks
m4xx:

Hello Anthony,

I removed the ADK from the Consumer Policy, saved and updated policies, but it doesn't work.

The ADK is tied to the user's key; I also tried to delete all the file shares associated with the user.

As you can see from Figure 1, I cannot remove the ADK, not even on PGP Desktop.

To remove the user's ADK I had to delete the user's keys and redo the enrollment; at that point the key is clean again, which means I would also have to redo the file share, as the keys have changed.

But I cannot ask this of my customer.

I think the best thing is to remove the old ADK and insert a new one, which will be added alongside the old ADK.

If you have any other ideas I'll be happy to test them in my lab.

Thanks
Attachment: Figure 1.png
Anthony_Betow:

Hello m4xx,

I looked into this more, and the ADK key that is removed from policy will be left on the PGP Desktop client's key ring.

When you add a new ADK key in policy, it will be added to the PGP Desktop client's key ring, and this new key will be associated with the file share. The old key will be left behind, so this is normal.

The Admin for the File Share just needs to add the ADK key in the File Share section of PGP. This doesn't have to be added in every client. For example, if a user is no longer part of the file share and they had files encrypted that they needed, the Admin can still decrypt the file because it is also encrypted to his/her key, the same as with the ADK key.

The users who are part of the policy will get the ADK key because of policy.

Thanks

Anthony
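The mechanism behind Anthony's last answer, and behind the original problem of the lost ADK passphrase, can be shown in a few lines. The example below is added to this thread and is not Symantec/PGP product code: it models each PGP key as an RSA key pair and each file-share file as an AES-GCM session key wrapped separately to every recipient that policy names at encryption time, which is the shape of OpenPGP multi-recipient encryption. The key names (pgpuser14, ADK_Test_new, ADK_UPDATE) are taken from the thread; the file contents are constructed for the demo. It shows that a file encrypted while the old ADK was in policy stays readable by the user's key and the old ADK only, that the new ADK covers only files encrypted after the policy change, and that the only way an existing file gains the new ADK is for someone who can still open it to re-encrypt it under the new recipient list (the "redo the file share" step m4xx describes).

```python
"""Model of why rotating an ADK in policy does not touch already-encrypted files.

Added illustration, not Symantec/PGP code.  Each "PGP key" is an RSA key pair
and each file is an AES-GCM session key wrapped once per recipient, the shape
of OpenPGP multi-recipient encryption.  Names and file contents are constructed.
"""
import os
from dataclasses import dataclass, field
from typing import Optional

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


@dataclass
class Key:
    """One PGP key in the model: a name (stand-in for the key ID) and its RSA pair."""
    name: str
    private: rsa.RSAPrivateKey


def make_key(name: str) -> Key:
    return Key(name, rsa.generate_private_key(public_exponent=65537, key_size=2048))


@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes
    # recipient name -> session key wrapped to that recipient's public key
    wrapped: dict = field(default_factory=dict)


def encrypt_file(plaintext: bytes, recipients: list) -> EncryptedFile:
    """Encrypt once with a fresh session key, then wrap that key for every
    recipient in the list (the user's key plus whatever ADK policy names)."""
    session = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session).encrypt(nonce, plaintext, None)
    wrapped = {r.name: r.private.public_key().encrypt(session, OAEP)
               for r in recipients}
    return EncryptedFile(nonce, ciphertext, wrapped)


def decrypt_file(enc: EncryptedFile, key: Key) -> Optional[bytes]:
    """Return the plaintext, or None when this key was never a recipient."""
    if key.name not in enc.wrapped:
        return None
    session = key.private.decrypt(enc.wrapped[key.name], OAEP)
    return AESGCM(session).decrypt(enc.nonce, enc.ciphertext, None)


def policy_recipients(user: Key, adk: Optional[Key]) -> list:
    """What policy adds at encryption time: the user's key plus the current ADK.
    Removing or replacing the ADK in policy changes only this list."""
    return [user, adk] if adk is not None else [user]


def reencrypt_file(enc: EncryptedFile, holder: Key, recipients: list) -> EncryptedFile:
    """The only way an existing file gains a new ADK: someone who can still open
    it decrypts and re-encrypts it under the new recipient list."""
    plaintext = decrypt_file(enc, holder)
    if plaintext is None:
        raise PermissionError(f"{holder.name} cannot open this file")
    return encrypt_file(plaintext, recipients)


def rotation_demo() -> dict:
    user = make_key("pgpuser14")         # names from the thread
    old_adk = make_key("ADK_Test_new")   # the ADK whose passphrase was lost
    new_adk = make_key("ADK_UPDATE")     # the replacement ADK

    old_doc, new_doc = b"report 2013 (constructed)", b"report 2014 (constructed)"
    old_file = encrypt_file(old_doc, policy_recipients(user, old_adk))   # before rotation
    new_file = encrypt_file(new_doc, policy_recipients(user, new_adk))   # after rotation
    rekeyed = reencrypt_file(old_file, user, policy_recipients(user, new_adk))

    return {
        "old_adk_opens_old_file": decrypt_file(old_file, old_adk) == old_doc,
        "new_adk_opens_old_file": decrypt_file(old_file, new_adk) is not None,
        "new_adk_opens_new_file": decrypt_file(new_file, new_adk) == new_doc,
        "old_adk_opens_new_file": decrypt_file(new_file, old_adk) is not None,
        "user_opens_both": (decrypt_file(old_file, user) == old_doc
                            and decrypt_file(new_file, user) == new_doc),
        "new_adk_opens_rekeyed": decrypt_file(rekeyed, new_adk) == old_doc,
        "old_file_recipients": sorted(old_file.wrapped),
        "rekeyed_recipients": sorted(rekeyed.wrapped),
    }


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

The point for the customer's situation: a new ADK does nothing for files encrypted while the lost ADK was in force. Those files are recoverable only through the other recipients (the user's key, or any file-share admin key that was on the access list), and they gain the new ADK only by being re-encrypted by one of those holders.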