Video Screencast Help

DLP and PGP integration

Created: 25 Sep 2012 | 14 comments
MiRzA's picture

Dear All,

I am stuck in a practical scenario need to integrate two products for my client, Provide him Presentation on it, POC on it, and i myself need deep understanding of the outcomes. Following are some queries if you can reply and give me refernce links to study on.

how would we integrate DLP and PGP?

What would be the traffice flow then?

How it can be achieved in best way?

What are the best practices in it?

What can be the limitations while integration?

Which components/Features of both products can be intergrated?

Discussion Filed Under:

Comments 14 CommentsJump to latest comment

Ashish-Sharma's picture


Check this artical may be help.

Products that support integration with Protection Center

Thanks In Advance

Ashish Sharma

Kashif Sohail Abid's picture

Is there any diagramateic presentation with which can know that how different Symantec PGP and DLP components are integrated.

ShawnM's picture


There are some variables in some of the situation you are describing which could change some answers, but the below answers are the generic and or more common scenarios.

  • DLP and PGP can be integrated in 2 areas, Netshare and PGP EMail encryption.
  • Netshare will help in securing Discover scan results, whereas Email will help aid in securing information going outside the organization.
  • Best way to achieve it, and the traffic flow, would involve simply configuring the customer MTA to route traffic with an X-Header (X-Encrypt for example) to the PGP Mail Gateway for encryption, which would then route encrypted mail back out the MTA. DLP would simply have a response rule triggered on incidents that will need encryption, to add the X-Header to the email.
  • Limitations of integration are few if nay really. It's really a matter of understanding architecture and appropriately configuring the flow to handle the required flow.
  • The components that would really use the integration, would be DLP Network Protect or DLP Endpoint Prevent and PGP Mail Gateway.

There are other sources as well that some others here have described to help get you further information. You might also want to speak to your Symantec account team to get a copy of the updated 11.6 feature decks which outline the integrations that currently exist. This would probably be the most beneficial information.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.

Jana.T's picture


i'm also interested to implement PGP together with DLP, both netshare and email encryption.

i'm just not sure where i can find the right documentation for deployment, as well as necessary infrastructure/hardware prerequisites and licensing.

thank u in advance.




stumunro's picture


here are the hardware specs for  also attachedd are the install guides and admin guide

pgpinstallguide.pdf 474.96 KB
pgpuniversal.pdf 1.89 MB
DLP Solutions2's picture

Does anyone know if it is possible with DLP to inpspect the conternts of a PGP encrypted file. If there is a universal PGP key available to inpect the contents of the file?

Then based on content we can block the email transmission using the headers.

Please make sure to mark this as a solution

to your problem, when possible.

stumunro's picture


at this point no it is not...
DLP is unable to check out keys from the KMS to look at the encrypted data.
take a lokk at the new SYmantec Encryption powered by PGP that came out yesterday...

it is going to incorpate PGP mail into the flow..
hope this helps...

ADILT's picture

Hey team,

I am attempting to do the DLP and PGP Netshare intergration.

Can anyone assist? Has anyone completed this intergration?

To note I am using the ERM service for the SSL communication.

kishorilal1986's picture

Hi Mirza and Adanso,

Please refer below attached docs.

DLP and PGP.rar 650.08 KB
ADILT's picture

K S Sharma,

Thank you for the attachment, but we are looking to do the intergration for encrypting after Discover Scan has identified a file on a Netshare.

From the Enterprise Rights Management Service Implementation Guide, we note the below:

The ERM Service provides the option to use PGP NetShare encryption to encrypt
individual files based on DLP incidents.
Sharma do you have any info on this intergration?
STEPS (quick overview):
- Created Windows ERM Server, joined it to our test domain.
- Logged on as ERM service user with admin rights and logon as service rights.
- Installed PGP Desktop n ERM Server, with ERM service user account.
- Added required net share folders to ERM PGP Desktop.
- Installed ERM services software per (Enterprise Rights Management Service Implementation Guide).
- Configured DLP for scanning file share and encrypting with smart repsonse, Flex response plugin.
When I attempt to use smart response to encrypt a file after the discover scan has located it and deemed it as senstive data, I recieved the error below:
FlexResponse Action Failed
[Protect with PGP NetShare] failed with message: ProtectionFailed: PGP NetShare Command-Line Failed:Could not resolve group [PGP NetShare Target Keys] [-11984] 
DLP Solutions2's picture

As an FYI to everyone, I have created a custom Flex Response plugin that works with Voltage Encryption SW. This allows you to either manually or automatically encrypt files based on DAR incidents.

The Encrypt FlexResponse plugin will perform the following:

  1. Validate that it is a DAR incident
  2. Check to make sure the file still exists
  3. Encrypt the file and leave a marker file
  4. Update Custom attributes with a new status and also update a custom attribute with the Encryption date and time

The De-Crypt/Re-Encrypt FlexResponse plugin will perform the following:

  1. Validate that it is a DAR incident
  2. Check to make sure the file still exists
  3. De-Crypt the file and delete the marker file
  4. Update Custom attributes with a new status and also update a custom attribute with the De-cryption date and time
  5. If there is a Re-Encryption account specified in a custom attribute, it will re-encrypt the file to the new owner
  6. Update Custom attributes with a new status and also update a custom attribute with the Re-encryption date and time

It has been fully tested at a few customer sites, but can also be modified to run other commands if necessary.

If inerested, please contact me on sales and support.


Please make sure to mark this as a solution

to your problem, when possible.

kishorilal1986's picture

Hi Mirza and Adanso,

Please refer above steps given by DLP solution (Ronak).

ADILT's picture

To do this intergrations requires a lot of work.

The bottom line is as of now this can only be done with Client Key Mode (CKM), Guarded Key Mode (GKM) and Server Client Key Mode (SCKM). I attempted this process for all key modes in PGP Server and only was successful with these modes.

If you would like the How to, please email me. The How to is very long and I can not post it here.

Thank you Ronak, and everyone else who helped.