Symantec Encryption Management Server
Note: To view the most recent version of this document, go to the Products section on the Symantec Corporation Web site.

Symantec Encryption Management Server Administrator's Guide 3.3

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Version 3.3.0. Last updated: January 2013.

Legal Notice

Copyright (c) 2013 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
Symantec Home Page (http://www.symantec.com)

Printed in the United States of America.
10 9 8 7 6 5 4 3 2 1

Contents

Introduction .... 1
    What is Symantec Encryption Management Server? .... 1
    Symantec Encryption Management Server Product Family .... 2
    Who Should Read This Guide .... 2
    Common Criteria Environments .... 2
    Improvements in this Version of Symantec Encryption Management Server .... 3
    Using the Symantec Encryption Management Server with the Command Line .... 4
    Symbols .... 5
    Getting Assistance .... 5
        Getting product information .... 5
        Technical Support .... 6
        Contacting Technical Support .... 6
        Licensing and registration .... 7
        Customer service .... 7
        Support agreement resources .... 7

The Big Picture .... 9
    Important Terms .... 9
    Related Products .... 9
    Symantec Encryption Management Server Concepts .... 11
    Symantec Encryption Management Server Features .... 11
    Symantec Encryption Management Server User Types .... 13
    Installation Overview .... 14
    About Integration with Symantec Protection Center .... 19
        Before You Integrate with Protection Center .... 19
    About Open Ports .... 21
        TCP Ports .... 21
        UDP Ports .... 22
    About Naming your Symantec Encryption Management Server .... 25
        How to Name Your Symantec Encryption Management Server .... 25
        Naming Methods .... 26

Understanding the Administrative Interface .... 27
    System Requirements .... 27
    Logging In .... 27
    The System Overview Page .... 28
    Managing Alerts .... 29
    Logging In For the First Time .... 30

Licensing Your Software .... 31
    Overview .... 31
    Licensing a Symantec Encryption Management Server .... 31
        License Authorization .... 31
        Licensing the Mail Proxy Feature .... 32
    Licensing Symantec Encryption Desktop .... 32

Operating in Learn Mode .... 33
    Purpose of Learn Mode .... 33
    Checking the Logs .... 34
    Managing Learn Mode .... 34

Managed Domains .... 35
    About Managed Domains .... 35
    Adding Managed Domains .... 36
    Deleting Managed Domains .... 36

Understanding Keys .... 37
    Choosing a Key Mode For Key Management .... 37
        Changing Key Modes .... 39
    How Symantec Encryption Management Server Uses Certificate Revocation Lists .... 40
    Key Reconstruction Blocks .... 41
    Managed Key Permissions .... 41

Managing Organization Keys .... 43
    About Organization Keys .... 43
    Organization Key .... 43
        Inspecting the Organization Key .... 44
        Regenerating the Organization Key .... 44
        Importing an Organization Key .... 45
    Organization Certificate .... 46
        Inspecting the Organization Certificate .... 46
        Exporting the Organization Certificate .... 47
        Deleting the Organization Certificate .... 47
        Generating the Organization Certificate .... 47
        Importing the Organization Certificate .... 48
        Renewing the Organization Certificate .... 48
    Additional Decryption Key (ADK) .... 49
        Importing the ADK .... 50
        Inspecting the ADK .... 50
        Deleting the ADK .... 50
    External User Root Key .... 51
        Generating the External User Root Key .... 51
        Importing the External User Root Key .... 51
        Deleting the External User Root Key .... 52
    External User Root Certificate .... 52
        Generating the External User Root Certificate .... 52
        Importing the External User Root Certificate .... 53
        Deleting the External User Root Certificate .... 53
    Verified Directory Key .... 54
        Importing the Verified Directory Key .... 54
        Inspecting the Verified Directory Key .... 54
        Deleting the Verified Directory Key .... 55

Administering Managed Keys .... 57
    Viewing Managed Keys .... 58
    Managed Key Information .... 58
        Email Addresses .... 60
        Subkeys .... 61
        Certificates .... 61
        Permissions .... 61
        Attributes .... 62
        Symmetric Key Series .... 62
        Symmetric Keys .... 64
        Custom Data Objects .... 65
    Exporting Consumer Keys .... 66
        Exporting the Managed Key of an Internal User .... 66
        Exporting the Managed Key of an External User .... 67
        Exporting Symantec Encryption Verified Directory User Keys .... 67
        Exporting the Managed Key of a Managed Device .... 68
    Deleting Consumer Keys .... 68
        Deleting the Managed Key of an Internal User .... 68
        Deleting the Managed Key of an External User .... 69
        Deleting the Key of a Symantec Encryption Verified Directory User .... 69
        Deleting the Managed Key of a Managed Device .... 69
    Approving Pending Keys .... 70
    Revoking Managed Keys .... 71

Managing Trusted Keys and Certificates .... 73
    Overview .... 73
        Trusted Keys .... 73
        Trusted Certificates .... 73
    Adding a Trusted Key or Certificate .... 74
    Inspecting and Changing Trusted Key Properties .... 74
    Deleting Trusted Keys and Certificates .... 75
    Searching for Trusted Keys and Certificates .... 75

Managing Group Keys .... 77
    Overview .... 77
    Establishing Default Group Key Settings .... 77
    Adding a Group Key to an Existing Group .... 78
    Creating a New Group with a Group Key .... 78
    Removing a Group Key from a Group .... 79
    Deleting a Group Key .... 79
    Revoking a Group Key .... 80
    Exporting a Group Key .... 80

Setting Mail Policy .... 81
    Overview .... 81
        How Policy Chains Work .... 82
        Mail Policy and Dictionaries .... 82
        Mail Policy and Key Searches .... 83
        Mail Policy and Cached Keys .... 83
        Understanding the Pre-Installed Policy Chains .... 84
        How Upgrading and Updating Affect Mail Policy Settings .... 85
        Mail Policy Outside the Mailflow .... 86
    Using the Rule Interface .... 86
        The Conditions Card .... 87
        The Actions Card .... 88
    Building Valid Chains and Rules .... 89
        Using Valid Processing Order .... 89
        Creating Valid Groups .... 90
        Creating a Valid Rule .... 91
    Managing Policy Chains .... 92
        Mail Policy Best Practices .... 92
        Restoring Mail Policy to Default Settings .... 92
        Adding Policy Chains .... 92
        Deleting Policy Chains .... 93
        Exporting Policy Chains .... 94
        Printing Policy Chains .... 94
    Managing Rules .... 94
        Adding Rules to Policy Chains .... 95
        Deleting Rules from Policy Chains .... 95
        Enabling and Disabling Rules .... 96
        Changing the Processing Order of the Rules .... 96
        Adding Key Searches .... 96
    Choosing Condition Statements, Conditions, and Actions .... 97
        Condition Statements .... 97
        Conditions .... 97
        Actions .... 102
    Working with Common Access Cards .... 115

Applying Key Not Found Settings to External Users .... 117
    Overview .... 117
    Bounce the Message .... 117
    Symantec PDF Email Protection .... 118
        Symantec PDF Email Protection Secure Reply .... 118
        Working with Passphrases .... 119
        Certified Delivery with Symantec PDF Email Protection .... 119
    Send Unencrypted .... 120
    Smart Trailer .... 120
    Symantec Encryption Web Email Protection .... 122
    Changing Policy Settings .... 123
    Changing User Delivery Method Preference .... 123

Using Dictionaries with Policy .... 125
    Overview .... 125
    Default Dictionaries .... 126
        Editing Default Dictionaries .... 127
    User-Defined Dictionaries .... 128
        Adding a User-Defined Dictionary .... 128
        Editing a User-Defined Dictionary .... 129
    Deleting a Dictionary .... 130
    Exporting a Dictionary .... 130
    Searching the Dictionaries .... 130

Keyservers, SMTP Archive Servers, and Mail Policy .... 133
    Overview .... 133
    Keyservers .... 133
        Adding or Editing a Keyserver .... 134
        Deleting a Keyserver .... 136
    SMTP Servers .... 136
        Adding or Editing an Archive Server .... 136
        Deleting an Archive Server .... 137

Managing Keys in the Key Cache .... 139
    Overview .... 139
    Changing Cached Key Timeout .... 139
    Purging Keys from the Cache .... 140
    Trusting Cached Keys .... 140
    Viewing Cached Keys .... 140
    Searching the Key Cache .... 141

Configuring Mail Proxies .... 143
    Overview .... 143
        Symantec Encryption Management Server and Mail Proxies .... 143
        Mail Proxies in an Internal Placement .... 144
        Mail Proxies in a Gateway Placement .... 145
        Changes in Proxy Settings from version 2.0 to 2.5 and later .... 146
    Mail Proxies Page .... 147
    Creating New or Editing Existing Proxies .... 147
        Creating or Editing a POP/IMAP Proxy .... 147
        Creating or Editing an Outbound SMTP Proxy .... 149
        Creating or Editing an Inbound SMTP Proxy .... 151
        Creating or Editing a Unified SMTP Proxy .... 152

Email in the Mail Queue .... 157
    Overview .... 157
    Deleting Messages from the Mail Queue .... 157

Specifying Mail Routes .... 159
    Overview .... 159
    Managing Mail Routes .... 160
        Adding a Mail Route .... 160
        Editing a Mail Route .... 160
        Deleting a Mail Route .... 161

Customizing System Message Templates .... 163
    Overview .... 163
        Templates and Message Size .... 164
        Symantec PDF Email Protection Templates .... 164
        Symantec Encryption Web Email Protection Templates .... 165
    Editing a Message Template .... 165

Integrating with Symantec Data Loss Prevention .... 167
    Enabling Integration with DLP .... 167
    Disabling Integration with DLP .... 167
    Changing the DLP Integration Authentication Information .... 168

Managing Groups .... 169
    Understanding Groups .... 169
        Sorting Consumers into Groups .... 169
        Everyone Group .... 170
        Excluded Group .... 170
        Policy Group Order .... 170
        Migrate Groups from Version 2.12 SP4 .... 171
    Setting Policy Group Order .... 171
    Creating a New Group .... 171
    Deleting a Group .... 172
    Viewing Group Members .... 172
    Manually Adding Group Members .... 172
    Manually Removing Members from a Group .... 173
    Group Permissions .... 174
        Adding Group Permissions .... 174
        Deleting Group Permissions .... 174
    Setting Group Membership .... 175
    Searching Groups .... 176
    Creating Group Client Installations .... 177
        How Group Policy is Assigned to Symantec Encryption Desktop Installers .... 177
        When to Bind a Client Installation .... 178
        Creating Symantec Encryption Desktop Installers .... 179

Managing Devices .... 183
    Managed Devices .... 184
        Adding and Deleting Managed Devices .... 184
        Adding Managed Devices to Groups .... 185
        Managed Device Information .... 186
        Deleting Devices from Symantec Encryption Management Server .... 189
        Deleting Managed Devices from Groups .... 190
    Drive Encryption Devices (Computers and Disks) .... 191
        Drive Encryption Computers .... 191
        Drive Encryption Disks .... 193
    Searching for Devices .... 194

Administering Consumer Policy .... 197
    Understanding Consumer Policy .... 197
    Managing Consumer Policies .... 197
        Adding a Consumer Policy .... 197
        Editing a Consumer Policy .... 198
        Deleting a Consumer Policy .... 199
    Making Sure Users Create Strong Passphrases .... 199
        Understanding Entropy .... 200
    Enabling or Disabling Encrypted Email .... 200
    Using the Windows Preinstallation Environment .... 201
    X.509 Certificate Management in Lotus Notes Environments .... 201
        Trusting Certificates Created by Symantec Encryption Management Server .... 202
        Setting the Lotus Notes Key Settings in Symantec Encryption Management Server .... 204
        Technical Deployment Information .... 204
    Offline Policy .... 205
    Using a Policy ADK .... 206
    Out of Mail Stream Support .... 207
    Enrolling Users through Silent Enrollment .... 208
        Silent Enrollment with Windows .... 209
        Silent Enrollment with Mac OS X .... 209
    Symantec Drive Encryption Administration .... 209
        Symantec Drive Encryption on Mac OS X with FileVault .... 209
        How Does Single Sign-On Work? .... 210
        Enabling Single Sign-On .... 210
        Managing Clients Remotely Using a Symantec Drive Encryption Administrator Active Directory Group .... 212
        Managing Clients Locally Using the Symantec Drive Encryption Administrator Key .... 213

Setting Policy for Clients .... 215
    Client and Symantec Encryption Management Server Version Compatibility .... 215
    Serving PGP Admin 8 Preferences .... 216
    Establishing Symantec Encryption Desktop Settings for Your Symantec Encryption Desktop Clients .... 217
        Symantec Encryption Desktop Feature License Settings .... 218
        Enabling Symantec Encryption Desktop Client Features in Consumer Policies .... 219
        Controlling Symantec Encryption Desktop Components .... 220
    PGP Portable .... 221
    Symantec File Share Encryption .... 221
        How the Symantec File Share Encryption Policy Settings Work Together .... 221
        Multi-user environments and managing Symantec File Share Encryption .... 222
        Backing Up Symantec File Share Encryption-Protected Files .... 223
    About Mobile Encryption .... 223
        About Administration of the Symantec Mobile Encryption for iOS App .... 224
        About Symantec Mobile Encryption for iOS Configuration Files .... 225
        Setting Policy for Symantec Mobile Encryption .... 226
        About Dropbox File Protection .... 227
        About Administration of the Symantec File Share Encryption for iOS App .... 228

Using Directory Synchronization to Manage Consumers .... 231
    How Symantec Encryption Management Server Uses Directory Synchronization .... 231
        Base DN and Bind DN .... 232
        Consumer Matching Rules .... 233
    Understanding User Enrollment Methods .... 234
        Before Creating a Client Installer .... 235
        Email Enrollment .... 235
        Directory Enrollment .... 237
        Certificate Enrollment .... 239
    Enabling Directory Synchronization .... 240
    Adding or Editing an LDAP Directory .... 241
        The LDAP Servers Tab .... 242
        The Base Distinguished Name Tab .... 243
        The Consumer Matching Rules Tab .... 243
        Testing the LDAP Connection .... 243
        Using Sample Records to Configure LDAP Settings .... 244
    Deleting an LDAP Directory .... 244
    Setting LDAP Directory Order .... 244
    Directory Synchronization Settings .... 245

Managing User Accounts .... 247
    Understanding User Account Types .... 247
    Viewing User Accounts .... 247
    User Management Tasks .... 247
        Setting User Authentication .... 247
        Editing User Attributes .... 248
        Adding Users to Groups .... 248
        Editing User Permissions .... 249
        Deleting Users .... 249
        Searching for Users .... 249
        Viewing User Log Entries .... 250
        Changing Display Names and Usernames .... 250
        Exporting a User's X.509 Certificate .... 251
        Revoking a User's X.509 Certificate .... 251
        Managing User Keys .... 252
    Managing Internal User Accounts .... 252
        Importing Internal User Keys .... 253
        Manually Creating New Internal User Accounts .... 253
        Exporting Symantec Drive Encryption Login Failure Data .... 254
        Internal User Settings .... 254
    Managing External User Accounts .... 258
        Importing External Users .... 258
        Exporting Delivery Receipts .... 259
        External User Settings .... 260
        Offering X.509 Certificates to External Users .... 261
    Managing Verified Directory User Accounts .... 263
        Importing Verified Directory Users .... 263
        Symantec Encryption Verified Directory User Settings .... 264

Recovering Encrypted Data in an Enterprise Environment .... 265
    Using Key Reconstruction .... 265
    Recovering Encryption Key Material without Key Reconstruction .... 266
        Encryption Key Recovery of CKM Keys .... 266
        Encryption Key Recovery of GKM Keys .... 266
        Encryption Key Recovery of SCKM Keys .... 266
        Encryption Key Recovery of SKM Keys .... 267
    Using an Additional Decryption Key for Data Recovery .... 268

Symantec Encryption Satellite .... 269
    Overview .... 269
    Technical Information .... 270
    Distributing the Symantec Encryption Satellite Software .... 270
    Configuration .... 270
        Key Mode .... 270
        Symantec Encryption Satellite Configurations .... 271
        Switching Key Modes .... 274
    Policy and Key or Certificate Retrieval .... 274
        Retrieving Lost Policies .... 274
        Retrieving Lost Keys or Certificates .... 275

Symantec Encryption Satellite for Mac OS X .... 277
    Overview .... 277
    System Requirements .... 277
    Obtaining the Installer .... 277
    Installation .... 278
    Updates .... 278
    Files .... 278

Symantec Encryption Satellite for Windows .... 281
    Overview .... 281
    System Requirements .... 281
    Obtaining the Installer .... 281
    Installation .... 282
    Updates .... 283
    Files .... 283
    MAPI Support .... 283
        External MAPI Configuration .... 283
    Lotus Notes Support .... 284
        External Lotus Notes Configuration .... 284

Configuring Symantec Encryption Web Email Protection .... 287
    Overview .... 287
        Symantec Encryption Web Email Protection and Clustering .... 288
        External Authentication .... 288
    Customizing Symantec Encryption Web Email Protection .... 290
        Adding a New Template .... 290
        Troubleshooting Customization .... 295
        Changing the Active Template .... 297
        Deleting a Template .... 298
        Editing a Template .... 298
        Downloading Template Files .... 298
        Restoring to Factory Defaults .... 298
    Configuring the Symantec Encryption Web Email Protection Service .... 299
        Starting and Stopping Symantec Encryption Web Email Protection .... 299
        Selecting the Symantec Encryption Web Email Protection Network Interface .... 300
        Setting Up External Authentication .... 301
        Creating Settings for Symantec Encryption Web Email Protection User Accounts .... 302
        Setting Message Replication in a Cluster .... 303

Configuring the Integrated Keyserver .... 305
    Overview .... 305
    Starting and Stopping the Keyserver Service .... 305
    Configuring the Keyserver Service .... 305

Configuring the Symantec Encryption Verified Directory .... 307
    Overview .... 307
    Starting and Stopping the Symantec Encryption Verified Directory .... 308
    Configuring the Symantec Encryption Verified Directory .... 308

Managing the Certificate Revocation List Service .... 311
    Overview .... 311
    Starting and Stopping the CRL Service .... 311
    Editing CRL Service Settings .... 312

Configuring Universal Services Protocol .... 313
    Starting and Stopping USP .... 313
    Adding USP Interfaces .... 313

System Graphs .... 315
    Overview .... 315
    CPU Usage .... 315
    Message Activity .... 315
    Whole Disk Encryption .... 316

System Logs .... 317
    Overview .... 317
    Filtering the Log View .... 318
    Searching the Log Files .... 318
    Exporting a Log File .... 319
    Enabling External Logging .... 319

Configuring SNMP Monitoring .... 321
    Overview .... 321
    Starting and Stopping SNMP Monitoring .... 322
    Configuring the SNMP Service .... 322
    Downloading the Custom MIB File .... 323

Viewing Server and License Settings and Shutting Down Services .... 325
    Overview .... 325
    Server Information .... 325
    Setting the Time .... 326
    Licensing a Symantec Encryption Management Server .... 326
    Downloading the Release Notes .... 327
    Shutting Down and Restarting the Symantec Encryption Management Server Software Services .... 327
    Shutting Down and Restarting the Symantec Encryption Management Server Hardware .... 328

Managing Administrator Accounts .... 329
    Overview .... 329
        Administrator Roles .... 329
        Administrator Authentication .... 331
    Creating a New Administrator .... 332
        Importing SSH v2 Keys .... 332
    Deleting Administrators .... 333
    Inspecting and Changing the Settings of an Administrator .... 334
    Configuring RSA SecurID Authentication .... 334
        Resetting SecurID PINs .... 336
    Daily Status Email .... 336

Protecting Symantec Encryption Management Server with Ignition Keys .... 339
    Overview .... 339
        Ignition Keys and Clustering .... 340
    Preparing Hardware Tokens to be Ignition Keys .... 340
    Configuring a Hardware Token Ignition Key .... 342
    Configuring a Soft-Ignition Passphrase Ignition Key .... 342
    Deleting Ignition Keys .... 343

Backing Up and Restoring System and User Data .... 345
    Overview .... 345
    Creating Backups .... 345
        Scheduling Backups .... 346
        Performing On-Demand Backups .... 346
        Configuring the Backup Location .... 346
    Restoring From a Backup .... 347
        Restoring On-Demand .... 348
        Restoring Configuration .... 348
        Restoring from a Different Version .... 349

Updating Symantec Encryption Management Server Software .... 351
    Overview .... 351
    Inspecting Update Packages .... 352

Setting Network Interfaces .... 353
    Understanding the Network Settings .... 353
    Changing Interface Settings .... 354
    Adding Interface Settings .... 354
    Deleting Interface Settings .... 354
    Editing Global Network Settings .... 355

Assigning a Certificate .... 355
    Working with Certificates .... 355
    Importing an Existing Certificate .... 356
    Generating a Certificate Signing Request (CSR) .... 356
    Adding a Pending Certificate .... 357
    Inspecting a Certificate .... 358
    Exporting a Certificate .... 358
    Deleting a Certificate .... 358

Clustering your Symantec Encryption Management Servers .... 359
    Overview .... 359
    Cluster Status .... 360
    Creating a Cluster .... 361
    Deleting Cluster Members .... 363
    Clustering and Symantec Encryption Web Email Protection .... 364
    Managing Settings for Cluster Members .... 364
    Changing Network Settings in Clusters .... 365
    About Clustering Diagnostics .... 366
    Monitoring Data Replication in a Cluster .... 367

Index .... 369

Introduction

This Administrator's Guide describes both the Symantec Encryption Management Server and the client software. It tells you how to get them up and running on your network, how to configure them, and how to maintain them. This section provides a high-level overview of Symantec Encryption Management Server.

What is Symantec Encryption Management Server?

Symantec Encryption Management Server is a console that manages the applications that provide email, disk, and network file encryption. Symantec Encryption Management Server with Symantec Gateway Email Encryption provides secure messaging by transparently protecting your enterprise messages with little or no user interaction.

The Symantec Encryption Management Server replaces PGP Keyserver with a built-in keyserver, and PGP Admin with Symantec Encryption Desktop configuration and deployment capabilities.

Symantec Encryption Management Server also does the following:
- Automatically creates and maintains a Self-Managing Security Architecture (SMSA) by monitoring authenticated users and their email traffic.
- Allows you to send protected messages to addresses that are not part of the SMSA.
- Automatically encrypts, decrypts, signs, and verifies messages.
- Provides strong security through policies you control.

Symantec Encryption Satellite, a client-side feature of Symantec Encryption Management Server, does the following:
- Extends security for email messages to the computer of the email user.
- Allows external users to become part of the SMSA.
- If allowed by an administrator, gives end users the option to create and manage their keys on their own computers.

Symantec Encryption Desktop, a client product, is created and managed through Symantec Encryption Management Server policy and does the following:
- Creates PGP keypairs.
- Manages user keypairs.
- Stores the public keys of others.
- Encrypts user email and instant messaging (IM).
- Encrypts entire, or partial, hard drives.
- Enables secure file sharing with others over a network.

Symantec Encryption Management Server Product Family

Symantec Encryption Management Server functions as a management console for a variety of encryption solutions. You can purchase any of the Symantec Encryption Desktop applications or bundles and use Symantec Encryption Management Server to create and manage client installations. You can also purchase a license that enables Symantec Gateway Email Encryption to encrypt email in the mailstream.

The Symantec Encryption Management Server can manage any combination of the following Symantec encryption applications:
- Symantec Gateway Email Encryption provides automatic email encryption in the gateway, based on centralized mail policy. This product requires administration by the Symantec Encryption Management Server.
- Symantec Desktop Email provides encryption at the desktop for mail, files, and AOL Instant Messenger traffic. This product can be managed by the Symantec Encryption Management Server.
- Symantec Drive Encryption provides encryption at the desktop for an entire disk. This product can be managed by the Symantec Encryption Management Server.
- Symantec File Share Encryption provides transparent file encryption and sharing among desktops. This product can be managed by the Symantec Encryption Management Server.

Who Should Read This Guide

This Administrator's Guide is for the person or persons who implement and maintain your organization's Symantec Encryption Management Server environment. These are the Symantec Encryption Management Server administrators. This guide is also intended for anyone else who wants to learn how Symantec Encryption Management Server works.

Common Criteria Environments

To be Common Criteria compliant, see the best practices in PGP Universal Server 2.9 Common Criteria Supplemental. These best practices supersede recommendations made elsewhere in this and other documentation.

Improvements in this Version of Symantec Encryption Management Server

Symantec Encryption Management Server 3.3.0 introduces the following new and improved features:

Symantec identity branding
The PGP product line has been renamed. For a detailed map of old product names to new ones, refer to the Symantec Knowledgebase article TECH197084 (http://www.symantec.com/docs/tech197084).

Integration with Symantec File Share Encryption and Dropbox on Apple iOS devices
The integration of Symantec File Share Encryption, formerly known as PGP NetShare, with Dropbox brings protection to files copied from a Dropbox Windows client to cloud-based storage. You can then view these encrypted Dropbox files on your iOS device. This integration allows protected files to move among Dropbox locations and to be read, edited, and saved by you or a collaborative group. Files and folders are encrypted or decrypted transparently, as needed.

Gateway Email Integration with Symantec Data Loss Prevention
Symantec Gateway Email, previously known as PGP Universal Gateway Email, has deepened its integration with Symantec Data Loss Prevention and Symantec Messaging Gateway powered by Brightmail. Symantec Messaging Gateway sends outbound email to Data Loss Prevention, which scans the email and flags messages for security violations or sensitive content. Flagged email is routed to Gateway Email, which applies the corresponding security remediation through mail policy. Symantec Gateway Email then sends an encryption remediation status confirmation back to Data Loss Prevention, so that audit information is centrally located in Data Loss Prevention Enforce. This status synchronization uses Data Loss Prevention's new Incident Remediation API (IRA). In DLP Enforce this feature is called Email Encryption Connect.

Next generation of mobile email management
PGP Viewer, which has been renamed Symantec Mobile Encryption for iOS, now goes beyond viewing: you can securely reply to encrypted messages or initiate new secure messages, with or without attachments. Mobile Encryption for iOS integrates with the Microsoft Exchange Mobile Address List for access to your email contacts. PGP Viewer 1.0 users can automatically update to Mobile Encryption for iOS version 2.0. This product requires the mobile management policy provided in Symantec Encryption Management Server 3.3.

Expanded Platform Compatibility for Symantec Web Email Protection
Email sent using the Symantec Web Email Protection feature, formerly known as PGP Web Messenger, can now be viewed using a browser on most iOS and Android mobile devices.

Expanded Platform Compatibility for Symantec PDF Email Protection
Email sent using the Symantec PDF Email Protection feature, formerly PGP PDF Messenger, can now be viewed using a browser on most iOS and Android mobile devices.

Compatibility with VMware ESXi 5

This release supports installation of Symantec Encryption Management Server, formerly known as PGP Universal Server, on VMware virtual machines running on ESXi 5.

Compatibility with New Linux Packages
This release supports installation of Symantec Drive Encryption for Linux, formerly known as PGP Whole Disk Encryption for Linux, on Red Hat Enterprise Linux/CentOS 6.1 and 6.2 (32-bit and 64-bit versions).

Compatibility with Apple Mac OS X 10.8
This release supports installation of Symantec Desktop Encryption, formerly known as PGP Desktop, on systems running Mac OS X 10.8 (Mountain Lion).

WinPE 64-bit Support
Symantec Drive Encryption, formerly known as PGP Whole Disk Encryption, now provides WinPE recovery for both 32-bit and 64-bit Windows 7 environments.

Removal of the PGP Remote Disable and Destroy Feature
Symantec Corporation has discontinued the PGP Remote Disable and Destroy (RDD) feature, including its policy management and reporting functionality. However, the feature is retained for customers who have an existing subscription entitlement until their current subscription period expires. For information on how to disable PGP RDD, go to the Symantec Knowledgebase (http://www.symantec.com/business/support/index?page=home) and search for article ID HOWTO79556, "HOW TO: Remove PGP Remote Disable and Destroy (PGP RDD)".

Using the Symantec Encryption Management Server with the Command Line

You can use the Symantec Encryption Management Server command line for read-only access: for example, to view settings, services, logs, processes, and disk space, or to query the database.

Note: If you modify your configuration using the command line and do not follow these procedures, your Symantec Support agreement is void.

Changes to the Symantec Encryption Management Server made through the command line must be:

Authorized in writing by Symantec Support.
Implemented by a Symantec partner, reseller, or internal employee who is certified in Symantec Encryption Management Server Advanced Administration and Deployment Training.
Summarized and documented in a text file in /var/lib/ovid/customization on the Symantec Encryption Management Server.

Changes made through the command line may not persist across reboots and may become incompatible with a future release. When troubleshooting new issues, Symantec Support can require you to revert custom configurations on the Symantec Encryption Management Server to a default state.

Symbols

Notes, Cautions, and Warnings are used in the following ways.

Note: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You can use the product better if you read the Notes.

Caution: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems can occur unless precautions are taken. Pay attention to Cautions.

Warning: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems will occur unless you take the appropriate action. Please take Warnings very seriously.

Getting Assistance

For additional resources, see these sections.

Getting product information

The following documents and online help are companions to the Symantec Encryption Management Server Administrator's Guide. This guide occasionally refers to information that can be found in one or more of these sources:

Online help is installed and is available in the Symantec Encryption Management Server product.
Symantec Encryption Management Server Installation Guide: Describes how to install the Symantec Encryption Management Server.
Symantec Encryption Management Server Upgrade Guide: Describes the process of upgrading your Symantec Encryption Management Server.
Symantec Encryption Management Server Mail Policy Diagram: Provides a graphical representation of how email is processed through mail policy. You can access this document via the Symantec Encryption Management Server online help.

You can also access all the documentation by clicking the online help icon in the upper-right corner of the Symantec Encryption Management Server screen. Symantec Encryption Satellite for Windows and Mac OS X includes online help. Symantec Encryption Management Server and Symantec Encryption Satellite release notes are also provided, which may have last-minute information not found in the product documentation.