Symantec PGP desktop email encryption

Created: 13 Sep 2013 | 4 comments


Can Symantec PGP email encryption protect the users against the mail system administrators?

For example: a user is sending an email to another user and the mail system administrator has set up a rule to BCC all the mails to his mailbox. Will the administrator be able to view and decrypt the mail?

I am not familiar with the product, but I think the admin will be able to decrypt and read the mail normally.



Tom Mc's picture

If you are in a PGP Universal managed setting, this is determined by the system admin.  However, if you are just using PGP Desktop, both incoming decryption and outgoing encryption are handled at the desktop user level and the admin will only be able to read the encrypted mails if they are stored decrypted in your mailbox, and if the admin has access to your mailbox. 

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


Shadow Worker's picture


Thanks for the reply.

Let's take the following example: I am an Exchange user and I have selected to send an encrypted (Outlook plugin) email to and the Exchange administrator has defined a rule to forward all the emails to his mailbox, therefore the administrator will receive a copy of the encrypted email. Is that correct?

So the problem: will he be able to decrypt and read the mail or not?

In my opinion all my mails are encrypted using the same key; in addition, the PGP client will contact the Universal Server, which will provide him with the key to decrypt it? Or am I wrong?

Japke's picture

The e-mail is encrypted against the key of the recipient, and if configured perhaps also to your key (and possibly an ADK in place in a consumer policy in your environment). If the mail is encrypted on your desktop to only the recipient public key, to decrypt this message you will need the private key of the recipient, which likely neither you nor the administrators of your company possess.

But if the message is also encrypted to your key (as the sender) or a configured ADK in the policies, if the admin has access to the private key of one of these, he will be able to decrypt the message you are sending (which has been copied to the shadow mailbox as you explained).

In case of your key using a SKM or SCKM mode, the administrator of the encryption server will have access to your private key (as in physical access - it can still be forbidden in a company security policy to actually access these). If your key is using a GKM or CKM mode, the key is protected by a passphrase only you should know, thus the administrator should not be able to access your private key (unless he guesses your passphrase on the key).

Also, as our guidelines advise, the ADK is an extremely important key. And not a single person should be allowed to have access to it. We advise splitting the key so that you will need several people to recreate the ADK from the split parts in case it is needed in your organization to decrypt data. This is described in the article below.

Additional Decryption Key (ADK) Guidelines

I am no longer a Symantec employee.
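
Which keys a copied message was encrypted to (recipient only, or also the sender key or an ADK) can be read from the ciphertext itself. The following is an added example, not part of the thread and not Symantec code: assuming the mail is a binary (de-armored) OpenPGP message, it lists the key IDs in its Public-Key Encrypted Session Key packets per RFC 4880. The key IDs, labels and sample bytes are constructed for illustration.

```python
PKESK_TAG = 1  # Public-Key Encrypted Session Key packet (RFC 4880, section 5.1)

def iter_packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP message."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:  # new-format header: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:  # partial body length: only data packets, which follow the PKESKs
                return
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:  # indeterminate length: body runs to end of input
                yield tag, data[pos:]
                return
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def recipient_key_ids(data):
    """Key IDs (hex) the session key is encrypted to: v3 PKESK = version, 8-byte key ID, algo."""
    return [body[1:9].hex().upper() for tag, body in iter_packets(data)
            if tag == PKESK_TAG and len(body) >= 10 and body[0] == 3]

def audit(data, known):
    """Label each key ID using `known`, a key ID -> role mapping the auditor supplies."""
    return [(kid, known.get(kid, "unknown key")) for kid in recipient_key_ids(data)]

# Constructed sample: two PKESK packets (new- and old-format headers) followed by
# a stub encrypted-data packet (tag 18). None of these bytes come from a real mail.
def make_pkesk(key_id_hex, header):
    body = bytes([3]) + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xff"
    return bytes([header, len(body)]) + body

KNOWN = {"1111111111111111": "recipient", "2222222222222222": "ADK"}
SAMPLE = make_pkesk("1111111111111111", 0xC1) + make_pkesk("2222222222222222", 0x84) + b"\xd2\x03\x01\xaa\xbb"
```

A message whose only entry is the recipient's key ID cannot be opened with the sender key or an ADK; any further entry names another private key that can decrypt the copy.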

Shadow Worker's picture

Finally, and after some research, I got the idea.

Indeed this will prevent the Exchange administrators from viewing the mail even if they forward it to another or their mailbox.