Pictured Installation Guide for PGP Encryption Server (Symantec Encryption Management Server)

Article ID: 157080


Products

Encryption Management Server, Gateway Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, Mobile Encryption for iOS, Desktop Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API

Issue/Introduction

A pictured installation guide for Symantec Encryption Management Server.
This can be useful if you are unsure where to enter the settings, or if you want to see what to expect before installing the server. The screens cover the most standard settings only and do not go into depth. The screens may vary depending on your version.

For comprehensive information, see the following documents to familiarize yourself with any aspect of the server:

193931 - How to download Symantec Encryption Management Server

Symantec Encryption Management Server Installation Guide

Symantec Encryption Management Server Administrator's Guide

 

Starting with PGP 11, it is required to upload your license .SLF file to continue using the software.
For information on how to find and enter your license number for the PGP Encryption Server, see the following articles:

206503 - How to find your license number for Symantec Encryption products (PGP and SEE)

175951 - How to: Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)

 

Average Installation time: 15 - 20 Minutes

Resolution

Hard Disk Recommendations:
For a Symantec Encryption Management Server managing Drive Encryption or File Share Encryption only, allocate 100 GB of hard drive space.
For a Symantec Encryption Management Server hosting the Web Email Protection service for many accounts, allocate 800 GB.

Note: The disk space allocations are general guidelines that work for most customers.
More or less space may be appropriate, but using the above guidelines will typically cover most scenarios.


Memory Allocation Recommendations:
Client Management Only: 8 GB
Email Encryption: 16 GB Minimum
Busy Environments: 32-64 GB


1. Once you boot off of your ISO, you will see the following screen:

 

Press "enter" to continue on with the installation.

 

2. The following screen warns you that all the data on this server "will be deleted and lost forever if you proceed".

If it is acceptable to erase the machine you are installing on, proceed and the installation will start:

 

3. The next screen will ask for the IP address for the Symantec Encryption Server:

For the subnet mask, CIDR notation (/24) is acceptable.

 

4. You will also need to enter the Gateway and Nameserver (DNS server).

First, the Gateway IP address will be entered:

 

Then the DNS server. If you have multiple DNS Servers, you can enter more at a later time during the installation:

Then the Hostname (FQDN) the Symantec Encryption Management Server should use:

 

Then the Domain:


Symantec Corporation strongly recommends that you name your externally visible Symantec Encryption Management Server according to
the "keys.*domain*" convention if you will be using your server for email encryption. Symantec Encryption Management Server will search "keys.*domain*" for keys by default.
This allows other Symantec Encryption Management Servers to easily find valid public keys for email recipients in your domain.

It is still fine to use any FQDN you choose to use.
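
The values entered in steps 3 and 4 can be sanity-checked before they are typed into the installer. The following is an added example, not part of the original article or of the product: the function name check_install_plan and the sample addresses are constructed, and the rule that the hostname should sit inside the entered domain is an assumption.

```python
import ipaddress

def check_install_plan(ip_cidr, gateway, dns, fqdn, domain):
    """Validate the values planned for steps 3-4; returns (errors, warnings)."""
    errors, warnings = [], []
    try:
        # Accepts CIDR notation such as 192.0.2.10/24.
        iface = ipaddress.ip_interface(ip_cidr)
    except ValueError as exc:
        return [f"IP address/mask: {exc}"], warnings
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        errors.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            errors.append(f"gateway {gw} is outside {net}")
        elif gw == iface.ip:
            errors.append("gateway equals the server's own address")
    except ValueError:
        errors.append(f"gateway {gateway!r} is not an IP address")
    try:
        ipaddress.ip_address(dns)
    except ValueError:
        errors.append(f"DNS server {dns!r} is not an IP address")
    host, dom = fqdn.lower().rstrip("."), domain.lower().rstrip(".")
    if not host.endswith("." + dom):
        # Assumption: the hostname should live inside the domain entered next.
        errors.append(f"hostname {host} is not inside domain {dom}")
    elif host != "keys." + dom:
        # Any FQDN is allowed, but default key lookups go to keys.<domain>.
        warnings.append(f"{host} is not keys.{dom}; "
                        f"default key lookups target keys.{dom}")
    return errors, warnings

# Constructed sample plan using documentation address ranges.
PLAN = dict(ip_cidr="192.0.2.10/24", gateway="192.0.2.1", dns="192.0.2.53",
            fqdn="keys.example.com", domain="example.com")

if __name__ == "__main__":
    errs, warns = check_install_plan(**PLAN)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    print("plan OK" if not errs else "fix the errors before installing")
```

A hostname other than keys.*domain* is reported as a warning rather than an error, since any FQDN is still accepted.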

Note: If you are not getting a prompt to enter the IP address, the cause is most likely the NIC type.
Some versions of SEMS may not detect the version unless the proper NIC type is selected.
Choose your preferred NIC type when creating the VM for optimal performance.
In older installations that used 32-bit, VMXnet3 or other NIC types such as E1000 would work. For SEMS 10.5, typically any NIC type will work.

 

6. Press enter to continue the installation of Symantec Encryption Management Server. This process will take several minutes.

 

7. After the installation process completes, the Symantec Encryption Management Server will reboot on its own and come up with the following screen:

 

By default, no login is configured for security reasons, and one should not be set up.
If you feel you need to login for any reason, please reach out to Symantec Encryption Support for further guidance.

Once this screen appears, note the URL listed to connect to, and open a web browser to that location on a different machine on that same subnet.

 

8. When opening the Symantec Encryption Management Server webpage, you should see the welcome screen:

Click the next arrow to be presented with the End User License Agreement:

To accept, click the blue End User License Agreement and read through it to enable the I Agree button.

 

9. You can print a copy of the EULA from this page and once you have finished this process, the initial setup will continue:

 

As we have a fresh install, you can follow the default selection for the Setup Type of "New Installation".

TIP: Even if you are restoring a backup, it is recommended to choose "New Installation" and then configure a new IP Address and hostname. 
Later this IP and hostname will be overwritten with the backup, but once the installation has completed, you can take a snapshot of your clean machine.
After you have finished the web setup, you can then upload your Organization Key and then the backup to complete a restore of the backup.

 

For more information on backups, see the following article:
153588 - Restore Backup files to Encryption Management Server

 

Note for Installations for Clusters:
Even if you are joining a cluster, it is recommended to complete the installation as "New" and then take a snapshot before the join operation. 
Then you can join the cluster using the actual administration UI.  For information on joining a cluster, see the following article:

153721 - Creating a Cluster with Symantec Encryption Management Server

 

10. Specify the time zone for this server as well as the NTP server:

 

 

11. You can check your network settings again and make changes here prior to confirming:

 

12. And finally you will see the final Confirmation page.  Go back if you need to change something.
Once you click Done, the network interface will be restarted and the network details will be written to the configuration:

 

13. You may see this screen as well when you change network related settings in the Symantec Encryption Management Server:

 

As you can see in the screen above "https://keys.example.com:9000" is where the webpage will be directed to. 
If you do not have DNS properly configured, you will want to use the IP address for this screen. 

 

14. You are now prompted to check Enable Mail Proxies if you purchased Gateway Email Encryption with Symantec Encryption Management Server:

 

15. Set up the Administrator account.

The password policy is fairly strict for the setup and if you do not meet the requirements, you'll get the following message:

For more information on password policies for the SEMS Administrator, see the following article:

171744 - Symantec Encryption Management Server Administrator Password Complexity

 

16. Enter the name of your Primary Domain. This should match the domain of the server:

NOTE: This step may come later if you checked Enable Mail Proxies in a prior step.

 

17. If you are using the server for securing mails, select the placement of the server in your infrastructure.

NOTE: This will only appear if you checked Enable Mail Proxies in a prior step.



Refer to the Admin Guide for in-depth information. We'll continue with the default.  Enter the default domain the SEMS will manage.
Additional domains can be added later if needed under "Consumers\Managed Domains":

 

18. Provide the address of the mail server that mail will be sent to.

NOTE: The Primary Domain entry is combined with this step if Enable Mail Proxies was checked previously.

 

19. The next screen allows you to configure an Ignition Key.  Symantec recommends having an ignition key if the server is located in an unsecured location:

You can choose to set this up later if you wish to skip it initially.

 

 

20. Here we set up a soft Ignition Key with a name and passphrase. Make sure you always know the passphrase to this key.

If the server is ever rebooted, in order to fully boot the system, this passphrase must be entered:

 

21. Back up the Organization Key, which will sign generated keys and encrypt your server backups.

 

Having a backup of the Organization Key is critical. All backups are encrypted using the Organization Key. Ensure a passphrase is entered to protect the key.
In the unlikely event that the passphrase to the Ignition Key is forgotten, having access to the Organization Key and its passphrase will unlock the Ignition Key.
The keypair of the Organization Key is required for this operation:

Make sure to store this keypair and its password in a secure location. 

When restoring a backup from this server, you will need the Organization Key the backup was encrypted to. Otherwise the backup will not be readable.

 

22. And finally you will see the Confirmation Summary page.  Click Done if all the information looks correct:

 

 

23. Again, you will see the screen for changed network settings, and it should redirect to the login screen:

 

At this stage of the setup, you should be prompted for your license file for PGP Encryption Server.
Starting with PGP 11, it is required to upload your license .SLF file to continue using the software:

175951 - How to: Enter your License information for PGP Encryption Server (Symantec Encryption Management Server)

For information on how to find your license .SLF file, see the following article:
206503 - How to find your license number for Symantec Encryption products (PGP and SEE)

24. Login with the credentials you entered during the setup from Step 15.

 

25. This is the new PGP 11 console screen. This will be useful for reporting and basic maintenance of policy and client views.

 

From here, you can access the old console for familiar management using the OMC icon at the top right of the console:

Then, sign in using the same credentials:

 

 

26. The server defaults to "Learn Mode", which means no emails will be encrypted by default.
The yellow hat on the top-right corner of the screen indicates the server is in Learn Mode:

27. By clicking the yellow hat you'll see this:

To disable Learn Mode, remove the check mark and click "Save".

Note: If you are using the server for only File Share Encryption, Drive Encryption, or File Encryption, Learn mode can be left enabled.

28. This completes the installation and initial setup!

 

 

Applies To

Prerequisites:

Please check out the Release Notes, and System Requirements for additional information you should be aware of. 


 

Additional Information

193931 - How to download Symantec Encryption products from the Broadcom download Portal (And where to find the license number for PGP)

 

Here we will keep the screenshots for PGP/SEMS 10.5.x, for historical reasons and to show differences between PGP 11 and this legacy version.

IP, Gateway and DNS of 10.5.x:

To agree to the license, scroll to the bottom of the in-page text box for the buttons:

Enter the license number here during web console initial setup:

10.5.x Welcome Screen: