
Revoking all the users' keys after a period of time.

Created: 02 Sep 2013 | 1 comment
Hima

I know this must have been done before and is doable, but I don't know how or what exactly should be done!

I have many customers (especially the ones who follow a compliance policy) that require REVOKING all the PGP users' keys every year or even after 12 months. They use PGP for Drive Encryption ("Whole Disk Encryption"), File & Folder Encryption and E-mail Encryption, using SKM ("Server Key Mode") for all the users.

I want to know what exactly should be done to revoke those keys and generate new keys without affecting users/machines/files, etc., and without impacting the business! And what will happen to the WDE users after the key is revoked: will they be able to log in at the Boot-Guard screen normally? And what about the e-mails that were encrypted with the revoked key: will they still be able to read them with the new key? (I guess not!) If not, how can this be solved?

Is there any limitation in this process?


Comments (1)

Alex_CST

So you need to revoke AND issue new keys rather than just renewing?

Key revocation is not an automatic process, you would need to do that manually. You need to change the policy to "never renew" inside consumer policy > policy name > keys > generation > key renewal

Please mark posts as solutions if they solve your problem!

http://www.cstl.com
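An added example, not from this thread and not Symantec's tooling: it uses GnuPG (which handles the same OpenPGP key format as PGP Desktop) to show the two points the question turns on. Revocation is an explicit act (a revocation certificate imported into the keyring, matching the "not automatic" remark above), and once a key is revoked nothing new can be encrypted to it, while mail that was already encrypted to it still decrypts as long as the old private key is retained. The user id `demo-user@example.invalid`, the message text and the throwaway keyring are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: OpenPGP key revocation semantics, shown with GnuPG (gpg 2.1+).
# Not Symantec's tooling; the identity and the temporary keyring are constructed.
#
#   1. generate a key and encrypt a message to it (stands in for old mail)
#   2. revoke the key by importing the revocation certificate gpg pre-generated
#   3. encrypting to the revoked key is refused
#   4. the old ciphertext still decrypts because the old secret key is retained
#
# demo_revocation returns 0 when all four hold, 1 on any mismatch, 2 if gpg is absent.

revocation_steps() {
    GNUPGHOME="$1"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    uid="demo-user@example.invalid"      # constructed user id, not a real mailbox
    # Unattended key with no passphrase; acceptable only because the keyring is a throwaway.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --list-keys "$uid" | awk -F: '$1=="fpr" {print $10; exit}')
    [ -n "$fpr" ] || return 1

    # 1. "Old mail": ciphertext produced while the key was still valid.
    printf 'quarterly report\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --quiet -r "$uid" --encrypt -o "$GNUPGHOME/msg.gpg" "$GNUPGHOME/msg.txt" || return 1

    # 2. Revocation is an explicit act. gpg 2.1+ stores a revocation certificate at key
    #    generation time; its armor header carries a leading ':' that must be removed
    #    before the certificate can be imported (a guard against accidental revocation).
    rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
    if [ -f "$rev" ]; then
        sed 's/^://' "$rev" | gpg --batch --quiet --import 2>/dev/null || return 1
    else
        # Fallback: answer the interactive prompts (confirm, reason 2 = superseded,
        # empty description, confirm) on the command fd.
        printf 'y\n2\n\ny\n' | gpg --command-fd 0 --pinentry-mode loopback --passphrase '' \
            --output "$GNUPGHOME/revoke.asc" --generate-revocation "$fpr" >/dev/null 2>&1 || return 1
        gpg --batch --quiet --import "$GNUPGHOME/revoke.asc" 2>/dev/null || return 1
    fi
    # The key now lists with validity 'r' (revoked).
    gpg --batch --with-colons --list-keys "$fpr" | grep -q '^pub:r:' || return 1

    # 3. New encryption to a revoked key is refused by gpg ("Unusable public key").
    if gpg --batch --quiet --yes -r "$uid" --encrypt -o /dev/null "$GNUPGHOME/msg.txt" 2>/dev/null; then
        return 1
    fi

    # 4. Existing ciphertext is not lost: the retained secret key still decrypts it.
    out=$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
          --decrypt "$GNUPGHOME/msg.gpg" 2>/dev/null) || return 1
    [ "$out" = "quarterly report" ] || return 1
}

demo_revocation() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; return 2; }
    home=$(mktemp -d) || return 1
    rc=0
    revocation_steps "$home" || rc=$?
    # Stop the agent that gpg started for this keyring, then discard the keyring.
    GNUPGHOME="$home" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    return $rc
}

rc=0
demo_revocation || rc=$?
case $rc in
    0) echo "revoked key: new encryption refused, old ciphertext still readable" ;;
    2) ;;
    *) echo "unexpected gpg behaviour (rc=$rc)" ;;
esac
```

Step 4 is the practical answer to the e-mail question: revocation does not re-encrypt anything, so messages encrypted to the old key can only be read with the old private key, wherever that lives (in SKM, on the server). A rotation plan therefore has to keep the revoked keys' private halves available for decryption, or decrypt and re-encrypt stored mail before the old keys are retired; generating a new key alone never makes old ciphertext readable.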