Endpoint Encryption

  • 1.  PGP CLI with KMS not working

    Posted Aug 12, 2013 04:21 AM

    Hello All,

    This is my first attempt to use the PGP CLI tool with KMS; my intention is to encrypt a file with a key on the KMS.
    When I try to execute the encrypt command with the key, I get back a "key not found" error, so I tried listing the keys.


    What I see is that there is no communication with the KMS at all [I did a network trace too].
    I am communicating with the KMS using an IP address; do I have to provide a port number? How do I do that?
    Can you guys please tell me what I am missing?

    The key listings below always give me back local keys and never the keys on the KMS.


    pgp --usp-server <IP Address> --list-keys --verbose
    pgp:list keys (3157:current local time 2013-08-06T16:20:41+02:00)
    D:\PGP\pubring.pkr:open keyrings (1006:public keyring)
    D:\PGP\secring.skr:open keyrings (1007:private keyring)
    Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [VI---] 0x2B052AB5 localkeyid
    1 key found


    pgp --usp-server <IP Address> --auth-username <username> --auth-passphrase "<passphrase>" --list-keys --verbose
    pgp:list keys (3157:current local time 2013-08-06T16:37:10+02:00)
    D:\PGP\pubring.pkr:open keyrings (1006:public keyring)
    D:\PGP\secring.skr:open keyrings (1007:private keyring)
    Alg  Type Size/Type Flags   Key ID     User ID
    ----- ---- --------- ------- ---------- -------
    *RSA4 pair 2048/2048 [VI---] 0x2B052AB5 localkeyid
    1 key found

  • 2.  RE: PGP CLI with KMS not working

    Broadcom Employee
    Posted Oct 15, 2013 05:39 AM

    As per the documentation (http://www.symantec.com/docs/DOC6232):

    --usp-server is provided. --recipient specifies the UUID of the recipient's MAK or MEK, or the recipient's user ID, portion of the user ID, or the key ID. PGP Command Line searches the server for the recipient key. An error results if PGP Command Line can match the identifier to multiple MAKs or MEKs on the PGP KMS server.

    The --search-mak command searches a PGP KMS for a MAK.

    The usage format is:

    pgp --search-mak <search-string> --usp-server <KMSserver> --details | --xml | --brief

    Where --search-mak is the command to search MAKs on the specified PGP KMS.

    So your pgp command line should have --search-mak; otherwise keys are searched locally.

    pgp --usp-server <IP Address> --auth-username <username> --auth-passphrase "<passphrase>" --search-mak <search-string>

    (Page 254 shows the search string options.)

    (Page 61 of the documentation shows the encrypt command.)

    Encrypt to recipients with keys on a PGP KMS server

    pgp --encrypt report.txt README.rtf -r "Bill Brown" --usp-server universal.example.com --auth-username acameron --auth-passphrase "cam3r0n" -v

    Can you modify your syntax and post the feedback?
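A shell wrapper for the two-step flow the reply above describes, added here as an example; it is not part of the original thread and not code from PGP Command Line. It assumes a `pgp` binary on PATH (the `PGP_BIN` variable is a hypothetical override so a stand-in binary can be substituted when testing) and uses only the flags quoted in the reply: `--search-mak` with `--usp-server` to confirm the recipient actually exists on the KMS, then `--encrypt` with `--recipient` and `--usp-server` so the recipient is resolved against the server rather than the local keyrings. The server name, user and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread or from PGP Command Line).
# Assumption: `pgp` is on PATH; PGP_BIN is a hypothetical override used for testing.
PGP_BIN="${PGP_BIN:-pgp}"

# kms_encrypt SERVER USER PASSPHRASE RECIPIENT FILE...
# Returns non-zero without encrypting if no MAK on the KMS matches RECIPIENT.
kms_encrypt() {
    server=$1; user=$2; pass=$3; recipient=$4; shift 4

    # Step 1: ask the KMS, not the local keyring. `--list-keys` only reads
    # pubring.pkr/secring.skr even when --usp-server is given; `--search-mak`
    # is a server-side search and fails when nothing matches.
    "$PGP_BIN" --search-mak "$recipient" --usp-server "$server" \
        --auth-username "$user" --auth-passphrase "$pass" --brief >/dev/null || {
        echo "kms_encrypt: no MAK matching '$recipient' on $server" >&2
        return 1
    }

    # Step 2: encrypt. With --usp-server present, --recipient is looked up on
    # the KMS (MAK/MEK UUID, user ID fragment or key ID); an ambiguous match
    # is an error, so prefer a UUID or key ID to a bare name in scripts.
    "$PGP_BIN" --encrypt "$@" --recipient "$recipient" --usp-server "$server" \
        --auth-username "$user" --auth-passphrase "$pass"
}

# Usage (placeholders): kms_encrypt kms.example.com acameron "$PASS" "Bill Brown" report.txt
```

Note that `--auth-passphrase` puts the KMS credential on the command line, where it is visible to other users in process listings and is recorded in shell history; on shared hosts, pass it through a variable read from a restricted file and disable history for the invocation rather than typing it literally.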