Symantec Encryption Product Community

  • 1.  Automatically decrypt files (PGP)

    Posted Jun 04, 2014 07:41 AM

    Symantec Encryption Server version is 3.3.2 MP1.

    I've installed Desktop Client (10.3.2.15337) on Windows Server 2008.

    Key mode: GKM

    Can I decrypt the files automatically?

    When I receive a file encrypted to the public, I'd like to decrypt it automatically rather than manually.



  • 2.  RE: Automatically decrypt files (PGP)

    Broadcom Employee
    Posted Jun 04, 2014 08:58 AM

    Hi Mehmood,

    GKM implies that the server doesn't know the passphrase to unlock the private portion of the key. If it were known to the server, this key would become SKM.

    Are you attempting to have the server decrypt the file on arrival as part of an email? Or some other process?


    Rgs,
    dcats



  • 3.  RE: Automatically decrypt files (PGP)

    Posted Jun 04, 2014 09:11 AM

    Hi Dcats,

    We have an encrypted file, which we transfer to the desktop client machine through SFTP.

    What we want to achieve is that, when the file is stored on this desktop client, the decryption process should begin automatically.

    There is no email encryption involved.



  • 4.  RE: Automatically decrypt files (PGP)

    Posted Jun 06, 2014 12:53 PM

    Hello Mehmood,

    Can you provide more information about the encrypted files and their workflow?

    How are they encrypted?

    Do you transfer these files using any automated application?



  • 5.  RE: Automatically decrypt files (PGP)

    Posted Jun 30, 2014 06:54 AM

    Hi Arif,

    The file encrypted to the user's key is received via SFTP.

    Then the user decrypts the file manually, by entering the PW as the key is GKM.

    The sender is outside the domain & uses GPG.




  • 6.  RE: Automatically decrypt files (PGP)

    Posted Jul 18, 2014 10:21 PM

    So, if I am correct, the end user decrypts the file using PGP Viewer or PGP Zip functionality in Symantec Encryption Desktop. We cannot automate this process in Symantec Encryption Desktop; the end user will have to decrypt these files manually.

    If the end user has PGP Command Line, they can use a batch script to decrypt these files after download from SFTP.

    (Note: PGP Command Line does work in parallel with Symantec Encryption Desktop on the same system if configured correctly.)

    Let me know in case of any queries.



  • 7.  RE: Automatically decrypt files (PGP)

    Posted Jul 20, 2014 08:14 AM

    The user decrypts the PGP Zip file manually.

    It would be feasible if we were able to automate this process through Symantec Encryption Desktop.

    Yes, you are right, we can achieve this through command line.



  • 8.  RE: Automatically decrypt files (PGP)

    Posted Jul 21, 2014 11:20 PM

    Automation in Symantec Encryption Desktop won't be feasible (it is tricky) and is not recommended by Symantec support. I would test the requirement using PGP Command Line if possible.

    Thanks.




  • 9.  RE: Automatically decrypt files (PGP)

    Posted Jul 24, 2014 04:36 PM

    I'm assuming that you are trying to do this with another organization or company, such as a bank or information sharing partner, and not just the random public. If that's the case, then actually, I believe there is a way to do this using Symantec File Share files (PGP NetShare). IF you:

    1. Both you and the sender have Symantec Encryption Desktop with File Share Encryption (PGP NetShare) licenses
    2. You use Symantec File Share group keys (SKM)
    3. You have a managed key environment (Symantec Universal Server). This may be possible with an unmanaged environment, but then keys are stored locally and this is probably not secure for group keys. Also, this bypasses the user's private keys and provides the extra security of having the private keys stored only on the management server.

    Note this doesn't work for standard PGP files, only PGP encrypted Symantec File Share files. They are different formats, but both use PGP encryption. If you want to do this with the general public or organizations not using Symantec Encryption Desktop with Symantec File Share, then your only option is to script it and store the passphrase somewhere/somehow securely using PGP Command Line, or another product. Symantec Encryption Desktop doesn't seem to allow a way to do this in an automated fashion.

    If what I described above is what you want to do though, here's how:

    Sender of file (bank or other company):

    1. Purchase Symantec Encryption Desktop (SED) with a Symantec File Share license.
    2. Import the public key provided by the recipient and use pgpnetshare.exe or a Symantec File Share with the Recipient’s public key specified as the encryption key for the share to encrypt the file to the recipient.
    3. Encrypt the file to the recipient's key in a Symantec File Share format. Command line is simply: `pgpnetshare.exe -e -r "recipient keyid" -s "your keyid" --passphrase "passphrase"`
    4. Send the Symantec File Share encrypted file to the recipient. Remember to blacklist SFTP from automatically decrypting files in the Symantec File Share policy settings, so the file remains encrypted when the SFTP application sends it.


    Receiving side (you, and secure if using a management server to manage the group keys):

    1. Purchase Symantec Encryption Desktop with a Symantec File Share license.
    2. Set up a group and group key (SKM) on the management server
    3. Export and provide the PUBLIC key to the sender of the information.
    4. Add users that you want to be able to decrypt files received to the group.
    5. When receiving the Symantec File Share encrypted file from the sender, it will be a Symantec File Share encrypted file to your group key. It can be opened by any application running as a user account (service account, or other) that is managed by the Symantec Universal Server that is on the group for that group key.


    Additional benefits:

    • No need to cache/hardcode a passphrase or keyid. Since keys and access are managed by the server, there is no passphrase required and the client machine never has the key stored on it. Even if compromised, the intruder doesn’t get the private key for later use.
    • Ease of management. Add/remove users/accounts access privileges without needing to recode anything. Change keys and provide the new public key to the sender without needing to update code to decrypt that is based on a hard coded key or passphrase!
    • No additional coding required to work with your existing applications. Applications will work seamlessly to decrypt files when SED is installed and running as an authorized user of the group. No additional coding required to decrypt the file and send the file data to an application.
    • Files remain encrypted, there is no intermediary step required to decrypt the file.
    • Have scheduled tasks and automated processes that can now automatically and seamlessly decrypt files without needing to do anything special! Just have the SED client installed and configured to run for the account that runs the scheduled task/automated process. Note, this may require that the account have an active session on the machine to automatically decrypt files as a scheduled task.

    I'm not sure about standalone clients as the group private keys would probably reside on the client machine... so I wouldn't recommend that, but maybe someone who uses an unmanaged environment can tweak this for that situation.
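Posts 6 and 9 above both land on the same fallback for ordinary PGP files from an outside sender: script the decryption with a command-line tool after the SFTP download and keep the passphrase somewhere the script alone can read. The following is an added example written for this thread, not code from Symantec or from any poster. It assumes GnuPG (the sender in this thread uses GPG) as the decryptor; Symantec PGP Command Line would need its own flags in place of `gpg_command()`. The inbox/out/done/failed directory layout, the function names and the passphrase-file convention are this example's own choices. It addresses the three things an unattended decryptor gets wrong most often: a passphrase readable by other accounts or visible in process listings, picking up a file that SFTP is still writing, and leaving a half-written plaintext behind after a failure.

```python
"""Unattended decryption of PGP files that an SFTP transfer drops into an inbox.

Added example for this thread, not a Symantec tool. Assumes a command-line
decryptor that accepts the passphrase on stdin; GnuPG is shown. Directory
layout and passphrase-file convention are this example's own assumptions.
"""
import shutil
import stat
import subprocess
import sys
import time
from pathlib import Path
from typing import Callable, Dict, List

PGP_SUFFIXES = {".pgp", ".gpg", ".asc"}


def load_passphrase(path: Path) -> str:
    """Read the passphrase from a file only the service account can read.

    The passphrase file is the weak point of any unattended decryption, so
    refuse to run if it is group- or world-readable (POSIX mode bits; on
    Windows the equivalent control is a restrictive NTFS ACL on the file).
    """
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by other accounts (mode {mode:o})")
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def gpg_command(src: Path, dst: Path) -> List[str]:
    """GnuPG invocation. The passphrase is fed on stdin (fd 0), never as an
    argument, so it does not show up in process listings or shell history."""
    return ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0", "--output", str(dst), "--decrypt", str(src)]


def decrypt_inbox(inbox: Path, outdir: Path, done: Path, failed: Path,
                  passphrase: str,
                  command: Callable[[Path, Path], List[str]] = gpg_command,
                  min_age_s: float = 30.0) -> Dict[str, str]:
    """Decrypt every PGP file in inbox, then move it to done/ or failed/.

    Files modified less than min_age_s ago are left for the next run: SFTP
    writes files in place, and decrypting a half-transferred file either
    fails or, worse, yields a truncated plaintext. Returns {filename: status}.
    """
    results: Dict[str, str] = {}
    now = time.time()
    for src in sorted(inbox.iterdir()):
        if not src.is_file() or src.suffix.lower() not in PGP_SUFFIXES:
            continue  # not ours: plain files, .part files, directories
        if now - src.stat().st_mtime < min_age_s:
            results[src.name] = "deferred: still being written"
            continue
        dst = outdir / src.stem  # report.csv.pgp -> report.csv
        proc = subprocess.run(command(src, dst), input=passphrase + "\n",
                              text=True, capture_output=True)
        if proc.returncode == 0 and dst.exists():
            shutil.move(str(src), str(done / src.name))
            results[src.name] = "ok"
        else:
            # Never leave a partial plaintext behind; keep the ciphertext for retry.
            dst.unlink(missing_ok=True)
            shutil.move(str(src), str(failed / src.name))
            results[src.name] = "failed: " + proc.stderr.strip()[:120]
    return results


if __name__ == "__main__":
    # usage: decrypt_inbox.py INBOX OUTDIR DONE FAILED PASSPHRASE_FILE
    if len(sys.argv) != 6:
        sys.exit("usage: decrypt_inbox.py INBOX OUTDIR DONE FAILED PASSPHRASE_FILE")
    inbox, outdir, done, failed, pwfile = (Path(a) for a in sys.argv[1:6])
    for name, status in decrypt_inbox(inbox, outdir, done, failed,
                                      load_passphrase(pwfile)).items():
        print(f"{name}: {status}")
```

Run it from a scheduled task under the same service account that owns the passphrase file; the failed/ directory is what to alert on, since a pile-up there usually means the sender rotated keys or the passphrase file was changed. Post 9's point still stands: a managed group key avoids storing any passphrase on the client at all, and this script is only for the case where the sender is not a Symantec File Share user.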