Video Screencast Help

PGP Universal & ADK Help Required

Created: 29 Aug 2011 | 6 comments

I am currently running a PGP Universal server  2.12.0. Recently added an ADK to the organization keys. All our internal users are Blackberry users. New keys have been added since the ADK has been imported to the PGPU. These new keys are not being signed by the ADK. Is it possible that blackberry users do not fall under the influence of the ADK? 

I would like to add that mail stream is disabled in our PGPU since we only have Blackberry users. If someone has any insight as to why the ADK is being bypassed please let me know.



Comments 6 CommentsJump to latest comment

CB4's picture

To clarify, are you referring to the Org. key or ADK?

From the Admin guide.............

Organization Key. Used to sign all user keys the PGP Universal Server creates and to encrypt server backups.

Additional Decryption Key (ADK). Used to reconstruct messages if the recipient is unable or unwilling to do so. Every message encrypted to an external recipient by an internal user is also encrypted to the ADK, allowing the PGP Universal Server administrator to decrypt any message sent by internal users, if required to do so by regulations or security policy.

rickpgp's picture

I am refering to the ADK.

All my users are blackberry internal users. Messages being sent from Blackberry to Blackberry are not encrypting to the ADK.

Once the ADK was added it should be forced into mail policy sign and encrypt. for some reason it is not. I am hoping someone else has some experience

with this.


mwoj's picture

Does your PGP Key have the new ADK ID added on PGP Desktop (after updating the policy)?

If so, try to send your keypair by email from PGP Desktop to your device (sending yourself an email) and import them again.

It might that Blackberry does not have synced this additional ADK ID.

If this is not working as well, you might need to reenroll your Blackberry against your BES /Universal Server.

rickpgp's picture

None of our users use desktop. All email is blackberry to blackberry. I was under the impression that the ADK would publicly sign every message to any user added after it was imported. All new users would have to enroll after anyway.
When we take a email message from a test account it asks for the private key passphrase of both test users, but never gives the option to use the ADK to decrypt.

CB4's picture

You can set the action of the ADK, if created, through the Default Consumer Policy - assuming Universal 3.x. Have you imported the ADK in the General tab? I believe Blackberry's use the Default policy.

rickpgp's picture

Server is 2.12. The ADK was added under Organization Tab, Organization Keys. I think it might be policy related. Would you know what policy to add when dealing with Blackberry users passing thru and and being signed by ADK?

From what I can see, when the ADK is added, the ADK policy is mandatory and cannot be adjusted.