
GKM and silent enrolment

Created: 24 Oct 2011 | 7 comments
przemek's picture


I wonder whether this is normal behavior or whether I am doing something wrong.

I am deploying PGP Desktop 10.2.0 MP1. The US is version 3.2.0 MP1 (Build 1950), with synchronization with AD.

On the US, in the policy, I set KEY\MANAGEMENT to GKM. But when I check "enable silent enrollment" in DESKTOP\GENERAL, it still generates SKM even though I chose GKM.

But when I uncheck "enable silent enrollment", it generates GKM, but the deployment isn't silent.

Is it possible to choose GKM and silent enrolment?


Julian_M's picture

As the Universal Administrator 3.2 guide states:

Enrollment with SKM is completely silent.
Using smart cards means that enrollment is not completely silent. Users are prompted to enter their smart card PINs during enrollment.

So you can silent enroll using GKM

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

przemek's picture

Could you tell me how to do it?

Because I have no idea. It is a simple option, only the checkbox general\enable silent enrolment.

When I turn on this option, even though I chose only GKM in Keys, the generated key is SKM. When I turn off this option, the key is GKM but it isn't silent.

Julian_M's picture

Go to Universal, consumers policy, select the policy, Keys... there you configure the key mode GKM.

Then Desktop... I think it is in the General tab: enable Silent enrollment.


przemek's picture

I had done that before I wrote the first post.

In general, when I set the key to SKM with silent enrollment it works OK, but with GKM and silent enrollment I can't generate a GKM cert; it is still SKM.

PGP_Ben's picture

If I understand you correctly, you are saying that you ONLY have GKM mode enabled under Consumers ---> Consumers --> Default (or other policy if you are not using default) --> Keys --> Management and then you are enabling "Silent Enrollment" under Consumers ---> Consumer Policy ---> Default ---> Desktop where it says "enable silent enrollment".

But with this option enabled it never generates a key for the user? The first issue that you described in the initial comments says that it generates the key, but SKM instead of GKM (which would imply that you may have both options enabled under key modes which is causing that). But your last comment makes it sound like it only GENERATES a key under SKM key mode.


I would make sure that SKM key mode is turned off if you don't want to generate SKM keys. Only have GKM key mode checked. If it's failing to generate a key after enrolling even with GKM key mode enabled, I would check the PGP Desktop client logs and the PGP Universal Server client logs as well to see if there are any errors indicating what the problem is.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

przemek's picture

I enabled only the GKM key.

But when I set up \group\permission\can modify openpgp key of all managed keys,

the user has a GKM mode key!!!