File Share Encryption

Good afternoon,

In a scenario where we are forced to install from scratch a long time wearing SEMS working, either because it is wrong mounting procedures and identified the problem or because there is no backup or because it is identified that is working poorly with many errors, which would be the recommendation and best practice for this task ..?

I thought to avoid problems with the keys, export them all from:

Route 1: Consumers -> Users -> All Users -> Options -> Export Keys for All with the dilemma of public or keypair
Route 2: Keys -> Managed Keys -> Options -> Export All with the dilemma of public or keypair

I have no certainty which of the two routes is adequate

Then export the organization key and the ADK to install from scratch (is necessary the same version..?) then import the key organization, the ADK and finally import all the keys just do not know where is the best alternative.

The other element that concerns me is the SSL certificate, do I have to do with it ..?

and finally ... if I import the certificates would have to do a re-enrollment of the encryption desktop and desktop email ..?

Thank you very much.

You won't have to re-enroll.  If you get a new certificate (assuming all other information like IP, hostname etc is the same) then the end users will just get asked to accept the new certificate. 

In my experience I export as much as I can to be sure :)

 

Alex I greatly appreciate your help, I hope I do not abuse it.

With your response, it means that the procedure I describe is correct ..?

Could you confirm which of the two routes I describe is correct ..?

When trying to add managed keys and users notice there are the internal and external alternative. How to export does not distinguish itself are internal or external may use any and SEMS automatically will know which are which are internal and external ..?

What would happen if change IP, hostname, or both ..?

Thank you.

What features do the client machines currently use?  I.E. Whole Disk, NetShare, Messaging?

What is the Key Mode you are currently using?  This is a big factor on how you will want to proceed.

What exactly would prevent you from creating a backup of the server, exporting the Organization Key, and building a new server to restore the backup into?

An external use is basically another company whose public key you have imported, so that you dont have to store public keys locally, or have to constantly do key lookups for recipients you constnatly send encrypted email to

If you change the IP, it won't change a lot, but if you change the hostname, you will have to repoint the clients to it by changing a registry entry on the endpoints.  search for PGP_STAMP in the registry - thats the key you need to change.

Thanks Mike/Alex,

Response to Questions:

Used Whole Disk, Netshare, desktop emil, web Messenger and PGP Portable.

Is configured SKM, CKM and GKM in this path: Consumenr, Consumer Policy, Default, Keys, Edit, Management

The server works in a strange and many errors, and internal placement is identified.

Regards.

 

 

Is it actually utilised properly in an internal placement?  An internal placement is quite an unusual configuration.

Alex,

Precisely identify that this may be the cause for the problems, and was installed years ago and that does not work properly.

I cannot identify where your issues are.  What errors are you getting?

Hi Alex, For example this errors: Whwn i try to open in the last keys pages "An Error Has Ocurred: An unexpected error has ocurred. Please click de logs for detail" Other error in the Backups Page: "Restore Failed: The last restore failed. Please check the logs for details" but has not been attempted a restoration. Another mistake is that the mail is not encrypted automatically, among others...

Even though you are getting some strange errors, the database is probably not the issue.  It looks like the issues are more related to the information processing than to anything in the database being corrupt.

I would recommend taking a full backup of the server if possible, and exporting the Organization Key.

Then create a new server, import the Organization key, and restore the backup into the new server.

http://www.symantec.com/docs/HOWTO42032 contains the steps to complete this process.

Thanks Mike,

As I have not much experience I have a question: Should I install the new server with the same current version ..? Should I keep the same IP and FQDN ..?

Regards.

It would be best to use the newest version for the new server, which is currently version 3.3.1.  If the current server is version 2.X, let me know, and it is probably best not to proceed just yet.  Servers that old sometimes require a bit more fiddling with than the newer versions.

As far as the FQDN and IP information, that will be loaded into the new server with the backup.

Is the current server running in VMware, or is it on hardware?  Which will the new server be running on?

Mike,

The server is hardware and the version is 3.2.0 MP3 (Build 2317)

Thanks.

Hi there,

I would like to add something into this thread why might help you. Below you will find the KB article and it is about the step by step installation guide for the Symantec Encryption Management Server (formerly known as PGP Universal Server).

http://www.symantec.com/docs/TECH197003

All the best.

Regards,

bipshr

 

Version 3.2.0 mp3 should be a straight-forward restore into a new 3.3.1 server.

Since the server is on hardware currently, I would suggest checking the specs against our supported hardware list.  Note that this list is all of the systems we have passed through QA, but does not necessarily exclude all other hardware.  We simply cannot test on every configuration.

http://www.symantec.com/docs/TECH149007 is the certified list.

There are two basic ways that you can perform a restore.  You can either follow the steps from the document bipshr listed above, then import the Organization Key, import the backup, and click on Restore on the backups page, or you can perform a Restore installation.  It would be the same steps from the article until step 10, at which point, if you select Restore and click Next, it should prompt you for the backup and the Organization Key.

Hi Mike,

What happens if only restored the Organization Key ..?

Thanks.

 

Hi rojopipe,

Could you please elaborate on that?

If you restore only the Organization Key, you won't have anything else in the server apart from this key.
You first need to import the Organization Key to be able to import the backup.

 

Rgs,
dcats

Hi Dcats,

There is definitely something in the SEMS is malfunctioning. We want to start from scratch with a gateway deployment mode (the current installation mode is internal and should not be so) but not restore the backup. We assume that the restoration will bring errors.

What happens to stored keys (no policies configured CKM and GKM) plus external Web Messenger users ..?

In short, the idea is to change internal mode to gateway mode around trying to avoid more frustration possible.

Any ideas will be valuable

Thanks

 

Export the keys, then import them back again once installation is finished

Hi Alex_CST,

Appreciate the collaboration, I have not done this procedure. Perhaps this is why I ask is too obvious.

In summary, the procedure would be:
 

1. Install SEMS from scratch in gateway placement
2. Restore Organization Key
3. Import ADK
4. Import keys (Previously exported from keys -> Managed keys)

That´s correct..?

Thank you very much.