PKWARE Support Details

Support Hours and Contact Information 

  • Monday through Friday 8:00AM - 6:00PM Eastern Time Zone 
  • Technical Support 937-847-2687 
  • Customer Service 937-847-2374 
  • Request Tech Support Form

About This Guide

Welcome to PKWARE® Smartcrypt®. You have taken an important step to take control of sensitive data across your enterprise.   This guide will help you to deploy PK Protect throughout your enterprise.  In this guide, you’ll learn to:  

  • Plan your PK Protect Installation: What you need to know, and have on hand before setting up PK Protect.
  • Install the PK Endpoint Manager: Whether you’re using Windows Server or a Linux-based appliance. 
  • Set up system backups and restores to ensure the PK Protect database is always available.
  • Deploy PKWARE agents: Sensitive data lives on a variety of remote client devices. This chapter helps you get PK Protect running on Windows, Mac and Linux/UNIX. 
  • Uninstall agents from client devices: PK Protect users and their devices are always changing. Ensure that sensitive data stays with you when a device goes out of service.

Planning a PKWARE Installation

The following table lists sizing recommendations for PK Endpoint Manager instances based on your average use cases and hardware demands. The specific recommendations for your company depend on the specific growth type, intensity and use cases. We recommend that you collaborate with one of our Sales Engineers to receive a specific recommendation. If you're interested in more information, please contact us.

  • PoC / Small Scale: Suitable for proof-of-concept, test or development environment.  App/DB server on same system is fine. 
  • Medium Scale: Consider using medium App/DB server instances with multiple cores and fast access to disk. 
  • Large Scale: Recommend using high processing power (e.g. dual quad core or higher) and ensuring high I/O performance to disk.

High availability and failover recommendations:

PK Protect Application

  1. Configure a farm (two or more identical application servers running in separate operating system server instances)
  2. Use memcached for real time sharing of authentication tokens and other time-sensitive data between servers in the farm
  3. Use a load balancer that can detect and react to lost application server instances quickly. Alternatively you can load balance with DNS. Note: this still requires memcached.
  4. For memcached failover (if required), configure a memcached farm.

PK Protect Database
  1. Set up an MS SQL Server cluster

Sizing                                PoC / Small Scale   Medium Scale   Large Scale
------                                -----------------   ------------   -----------

Data Security Intelligence Enabled
Active / Concurrent Users
(Assumes 2.5 devices per user)
(User and Admin generated)
Security Policies                     ~5                  500            1000
Application Server CPU                2vCPU               2x 4vCPU       4x 4vCPU
Application Server Memory             4GB                 >8GB           >16GB
Database Server CPU                   2vCPU               4vCPU          8vCPU
Database Server Memory                4GB                 16GB           64GB
Database Server Disk Space            ~ 4GB/mo            40GB/mo

Data Security Intelligence Disabled
Active / Concurrent Users
(Assumes 2.5 devices per user)
(User and Admin generated)
Smartkeys created per month           200                 4000           20,000
Security Policies                     5                   50             100
Application Server CPU                2vCPU               2vCPU          2vCPU
Application Server Memory             4GB                 4GB            4GB
Database Server CPU                   2vCPU               2vCPU          ~2vCPU
Database Server Memory                > 100MB             1-5GB          10GB
Database Server Disk Space            ~1GB                2GB

Appliance 200v: Deployment Strategy

For proof-of-concept and lab environments, a single appliance is supported. For production use, a minimum of two appliances is required. PKWARE recommends two appropriately-sized appliances per physical data center. For example:

  • A 10,000-user enterprise with east and west coast data centers could deploy a 4-appliance cluster. Virtual Data Centers would be defined to partition west coast and east coast users to the two appliances closest to them, with appropriate considerations made for an organization's Active Directory Organization Unit configuration strategy.
  • A 50,000-user enterprise with a large US production data center, a US disaster recovery (DR) site and branch offices in Germany and the UK could deploy six units: two in the production data center, two at the DR site and one in each of the branch offices. The master database would reside in the production data center, and during DR testing / recovery one of the slave units in the DR site would be promoted to master.

Installing a PKWARE Enterprise Manager

Windows Server Installation and Setup


 The purpose of this guide is to describe the environmental requirements and steps required to configure the PK Endpoint Manager and associated PK Protect Application (Agent).

What you will need:

  1. A Windows Server to host the PK Endpoint Manager. This server should be joined to an Active Directory domain.

  2. A SQL Server or PostgreSQL 9.5 Database where PK Endpoint Manager application data will live. Before installing you should obtain:

    1. Database server instance name

    2. Database name

    3. Database username with access to the above database

    4. Database user password

    5. The port the database server connects to
  3. An SSL certificate that matches the hostname you wish to use for the PK Endpoint Manager 

  4. (optional) A DNS record for "pkwareops.[domain.ext]" published into your internal/external DNS. The PK Protect application will look for this record by default.

  5. (optional) To test local search, install Java 11 (AdoptOpenJDK) and ElasticSearch

What this guide will cover:

  1. Scripted installation.
  2. SQL database requirements and setup.
  3. IIS website / application pool requirements and setup.
  4. TLS / SSL configuration and connectivity.
  5. Deployment of the PK Endpoint Manager.

Active Directory Authentication Note:


The Windows Server that will host the PK Endpoint Manager site/application needs to have access to authenticate with your Active Directory. This authentication occurs over the standard Active Directory Domain Services protocols. For more information about ports that are needed for the Windows Server to have access to the domain, see:

Windows Server Core Installations:

Looking for instructions for installing on Windows Server Core? We've got you covered here: Windows Server Core Installation and Setup Guide

Scripted Installation

Since v15.3, you have the option to perform a scripted installation of the PK Endpoint Manager. Contact your PKWARE account representative to obtain the appropriate package for your platform.

Steps performed

The script performs the following steps, in order:

  1. Checks numerous system dependencies.
  2. Installs and configures appropriate Internet Information Services (IIS) Roles and Features.
  3. Allows the Administrator to select a database type for PK Endpoint Manager. Choose from:
    1. A local database instance of PostgreSQL. The script will install and configure the database while prompting the Administrator to set a DB Instance Master password and DB access password.
    2. An external MS-SQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
    3. An external PostgreSQL database which the script will later require information for (Hostname, Database Name, DB Username, DB Password).
  4. Configures the PK Endpoint Manager website and an associated Application Pool in IIS.
  5. Generates and binds a Self-Signed Certificate to the website.
  6. Prompts the administrator to supply a default encryption master password.
  7. Prompts the administrator to supply a default system administration account for the Smartcrypt Manager.

Notes for the scripted deployment option:

  • The Self-Signed Certificate created during the scripted installation is intended for PK Protect use in lab or non-production environments, for proof of concept or evaluation purposes. To install a trusted, rooted or other certificate, please follow the steps below:
    • To import a certificate in Windows 2012

      1. Open the Certificates snap-in for the local machine's certificate store: Start | Run | certlm.msc
      2. In the console tree, click the Personal store
      3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
      4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
      5. This certificate should have a private key (PKCS #12 file)
      6. Type the password used to encrypt the private key.
      7. (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
      8. Select Place all certificates in the following store, click Browse, and choose the Personal store.
  • When this process is completed, a Hosts file (Windows\System32\drivers\etc\hosts) or DNS entry, pointing directly to one or more IP addresses (an A record), will be required for client machines to connect back to the Manager.

Running the installation script

  1. Log in to the Windows Server environment and copy the SEM installation package to the Windows Server. Extract the .ZIP package.
  2. Run Microsoft PowerShell as an Administrator.
  3. Change to the directory location where you extracted the SEM installer.
  4. Execute ./sc_install.ps1.
  5. Press R when asked "Do you want to run <install.ps1>?"

The system (if network connected) will attempt to download/install all Windows features required to run the SEM, including all prerequisite Microsoft Internet Information Server (IIS) modules and .NET Core Server.

PS C:\Windows\system32> cd C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152
PS C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152> .\install.ps1
Checking Prerequisites...
Checked Prerequisites.
Enabling IIS-WebServerRole...
Enabled IIS-WebServerRole.
IIS-WebServer is enabled.
IIS-CommonHttpFeatures is enabled.
IIS-DefaultDocument is enabled.
IIS-HttpErrors is enabled.
IIS-StaticContent is enabled.
IIS-HealthAndDiagnostics is enabled.
IIS-HttpLogging is enabled.
IIS-Performance is enabled.
IIS-HttpCompressionStatic is enabled.
IIS-Security is enabled.
Enabling IIS-WindowsAuthentication...
Enabled IIS-WindowsAuthentication.
IIS-ApplicationDevelopment is enabled.
Enabling NetFx4Extended-ASPNET45...
Enabled NetFx4Extended-ASPNET45.
Enabling IIS-NetFxExtensibility45...
Enabled IIS-NetFxExtensibility45.
Enabling IIS-ASPNET45...
Enabled IIS-ASPNET45.
IIS-ISAPIExtensions is enabled.
IIS-ISAPIFilter is enabled.
IIS-WebServerManagementTools is enabled.
IIS-ManagementConsole is enabled.
Installing .NET Core 2.1.7 Server Hosting...
Installed .NET Core 2.1.7 Server Hosting.

Installing PostgreSQL

PK Endpoint Manager supports Microsoft SQL Server and PostgreSQL 9.5 database management systems. The SEM installation script will prompt you to "install postgres to use later." Press enter to skip installation, or Y to install and configure PostgreSQL locally.

If you choose not to install PostgreSQL, it is assumed a remote database server will be used.

Below is the sample output from a basic installation. The installation script will also prompt for a hostname. This is used to generate a self-signed certificate and to set up the hostname and SSL bindings for the site that is created.

Would you like to install postgres to use later?
[Y] Yes  [N] No (default is N): n
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\"->"C:\PKWARE\SmartcryptEnterpri
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\"->"C:\PKWARE\SmartcryptEnterpris
Expanding Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\"->"C:\PKWARE\SmartcryptEnte
Expanded Archive ("C:\Users\jack_d\Desktop\SmartcryptMgrTDE-18.0.152\"->"C:\PKWARE\SmartcryptEnter

Configuring PK Endpoint Manager

The script continues to create the PK Endpoint Manager database.

You'll be asked to configure SEM.

  • Existing or New site: Default is New, but if you have already set up SEM on IIS, type E.
  • Name the Site: Default is PK Protect
  • Physical Site Location: Default is c:\inetpub\wwwroot. Edit as required.
  • Application Name: Default is mds.

Existing Sites:
Name              Physical Path
----              -------------
Default Web Site  C:\inetpub\wwwroot

Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new Smartcrypt enterprise manager site?
[E] Existing  [N] New  [Escape] Cancel (default is "N"): N

Confirm Configure New Smartcrypt Enterprise Manager Site
Are you sure you want to configure a new Smartcrypt enterprise manager site?
[Y] Yes  [N] No (default is "Y"): Y

Setting Up New Smartcrypt Site...
Confirm Site Name
Configure site name to be "Smartcrypt"?
[Y] Yes  [N] No (default is "Y"):

Confirm Physical Site Location
Configure physical site location to be "C:\inetpub\wwwroot"?
[Y] Yes  [N] No (default is "Y"):

Confirm Application Name
Configure application name to be "mds"?
[Y] Yes  [N] No (default is "Y"):

The script will display the existing Application Pools on IIS.

  • New Application Pool: Default is New. Highly recommended.
  • Application Pool Name: Default is PK Protect.
  • Hostname: Default is the current machine.
  • HTTPS Certificate: Default is to create a new self-signed X.509 certificate for the host.

The script will create a new self-signed certificate, and ask you to confirm that you want to use it.

Existing AppPools:
Name               Runtime Version
----               ---------------
DefaultAppPool     v4.0
.NET v4.5 Classic  v4.0
.NET v4.5          v4.0

Configure Smartcrypt Enterprise Manager
Would you like to configure an existing or create a new application pool?
[E] Existing  [N] New  [Escape] Cancel (default is "N"):

Confirm Configure New Application Pool
Are you sure you want to configure a new application pool?
[Y] Yes  [N] No (default is "Y"):

Confirm Application Pool Name
Configure application pool name to be "Smartcrypt"?
[Y] Yes  [N] No (default is "Y"):

Hostname: mkesrv-jd01.qanet.dom
Confirm Hostname
Set hostname to be "mkesrv-jd01.qanet.dom"?
[Y] Yes  [N] No (default is "Y"): y

Current Certificates:
Thumbprint  Subject  Friendly Name
----------  -------  -------------

Https Certificate
Would you like to create a new certificate, import a certificate, or use an existing installed certificate?
[N] New  [E] Existing (default is "N"):

Confirm Certificate
Are you sure you want to create a new self signed certificated for host=mkesrv-jd01.qanet.dom
[Y] Yes  [N] No (default is "Y"):

Creating New Self Signed Certificate...
Created New Self Signed Certificate.
Confirm Certificate
Do you want to use this certificate?
Thumbprint                                Subject                   Friendly Name
----------                                -------                   -------------
07C844B4E67F4F9D3929D3DD20510571B8F51F09  CN=mkesrv-jd01.qanet.dom  Smartcrypt

[Y] Yes  [N] No (default is "Y"):

Connecting to the Database

The script then checks for a connection to the database, and allows you to configure the connection.

  • Confirm Database Platform: Default is SQL Server. To change to PostgreSQL, type N and enter postgresql.
  • Database Server: Identify the location of the database server.
  • Confirm Port: Enter the port for the database.
  • Database: Name the database.
  • User Id: Identify the owner of the SEM database.
  • Password: Supply the database server password for the user you just identified.
  • Add Extra Parameter: Default is No. If you want to set an additional required string to access the database, define that here.

The script displays the Connection Information you've entered, and tries to connect. If the database connection is valid, you are asked to confirm the configuration.

Database Connection Information:
  Platform:  SQLServer
  User Id:

Database connection is invalid.

Confirm Database Platform
Set database platform to be "SQLServer"?
[Y] Yes  [N] No (default is "Y"):

Database Server: qasrv-db01.qanet.dom
Confirm Database Server
Set database server to be "qasrv-db01.qanet.dom"?
[Y] Yes  [N] No (default is "Y"): y

Confirm Port
Set port to be "1433"?
[Y] Yes  [N] No (default is "Y"):

Database: 180
Confirm Database
Set database to be "180"?
[Y] Yes  [N] No (default is "Y"):

User Id: qa
Confirm User Id
Set user id to be "qa"?
[Y] Yes  [N] No (default is "Y"):

Add Extra Parameter
Would you like to add an extra connection string parameter?
[Y] Yes  [N] No (default is "N"):

Database Connection Information:
  Platform:  SQLServer
  Server:    qasrv-db01.qanet.dom
  Database:  180
  User Id:   qa
  Port:      1433

Testing Connection... [                    ]   100 %

Database connection is valid.

Confirm Database Connection Configuration
Would you like to use this database connection configuration?
[Y] Yes  [N] No (default is "Y"): y

Configuring PK Endpoint Manager in IIS

Enter the PK Endpoint Manager Account Password to access SEM.

You'll next be asked to configure the local Administrator user. Supply a username (default is Administrator) and password.

The script will set up an Application Pool, Site and Application in IIS on the server.

Smartcrypt Enterprise Manager Account Password:
Smartcrypt Enterprise Manager Account Password (confirmation):

Confirm Local Administrator User
Configure local administrator user to be "Administrator"?
[Y] Yes  [N] No (default is "Y"): y

Local Administrator Password:
Local Administrator Password (confirmation):

Creating New AppPool "Smartcrypt"...
Created New AppPool "Smartcrypt".
Creating New Site "Smartcrypt"...
Created New Site "Smartcrypt".
Setting Application "/" AppPool...
Set Application "/" AppPool.
Creating New Application "mds"...
Created New Application "mds".
Setting Application "mds" AppPool...
Set Application "mds" AppPool.
Setting Application "mds" Windows Authentication...
Set Application "mds" Windows Authentication.
Upgrading database
INFO:  Database is currently at version: 0.0
INFO:  Current version is not equal to the target version
INFO:  Upgrading to version: 1.0.60
INFO:  Upgrading to version: 1.0.61
INFO:  Upgrading to version: 1.0.62
INFO:  Upgrading to version: 1.0.63
INFO:  Upgrading to version: 1.64
INFO:  Upgrading to version: 1.65
INFO:  Upgrading to version: 1.66
INFO:  Upgrading to version: 1.67
INFO:  Upgrading to version: 1.68
INFO:  Upgrading to version: 1.69
INFO:  Upgrading to version: 1.70
INFO:  Upgrading to version: 1.71
INFO:  Upgrading to version: 1.72
INFO:  Upgrading to version: 1.72.1
INFO:  Upgrading to version: 1.72.2
INFO:  Upgrading to version: 1.73
INFO:  Upgrading to version: 1.74
INFO:  Upgrading to version: 1.75
INFO:  Upgrading to version: 1.76
INFO:  Upgrading to version: 1.77
INFO:  Upgrading to version: 1.78
INFO:  Upgrading to version: 1.79
INFO:  Upgrading to version: 1.80
INFO:  Upgrading to version: 1.80.1
INFO:  Upgrading to version: 1.81
INFO:  Upgrading to version: 1.82
INFO:  Upgrading to version: 1.83
INFO:  Upgrading to version: 1.83.1
INFO:  Upgrading to version: 1.84
INFO:  Upgrading to version: 1.85
INFO:  Upgrading to version: 1.86
INFO:  Upgrading to version: 1.87
INFO:  Upgrading to version: 1.88
INFO:  Upgrading to version: 1.89
INFO:  Upgrading to version: 1.90
INFO:  Upgrading to version: 1.91
INFO:  Upgrading to version: 1.92
INFO:  Upgrading to version: 1.93
INFO:  Upgrading to version: 1.94
INFO:  Upgrading to version: 1.95
INFO:  Upgrading to version: 1.96
INFO:  Upgrading to version: 1.97
INFO:  Upgrading to version: 1.98
INFO:  Upgrading to version: 1.99
INFO:  Upgrading to version: 2.0
INFO:  Upgrading to version: 2.1
INFO:  Upgrading to version: 2.1.1
INFO:  Upgrading to version: 2.2
INFO:  Upgrading to version: 2.3
INFO:  Upgrading to version: 2.4
INFO:  Upgrading to version: 2.5
INFO:  Upgrading to version: 2.6
INFO:  Upgrading to version: 2.7
INFO:  Upgrading to version: 2.8
INFO:  Upgrading to version: 2.9
INFO:  Database is currently at version: 0.0
INFO:  Current version is not equal to the target version
INFO:  Upgrading to version: 1.0
INFO:  Upgrading to version: 1.1
INFO:  Upgrading to version: 1.2
INFO:  Upgrading to version: 1.3
INFO:  Upgrading to version: 1.4
INFO:  Upgrading to version: 1.5
INFO:  Upgrading to version: 1.6
INFO:  Upgrading to version: 1.7
Saving IIS Changes
Starting AppPool

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted

IIS Manager - Application Pool View

You are now able to open SEM on https://<hostname>/mds. If you are not able to reach the site, confirm the hostname is routable via DNS or a hosts file.


Mobile and iOS devices cannot connect to the SMDS when it has been configured with this script. This is because these devices cannot use the self-signed certificate created by the setup script. Installing a trusted certificate will allow these types of devices to connect to SMDS.

SQL Server database requirements and setup: 

The PK Endpoint Manager requires an empty database, appropriate authentication credentials and permissions. Please perform the following actions, consulting the documentation for your version of SQL Server, if necessary.

      1. Log in to your SQL Server and create an empty database

        1. Give the database a name and note the name down for later (e.g. "PK Protect")
        2. Set the database collation to:  Latin1_General_CI_AS
      2. Create a database user which the PK Endpoint Manager will use to authenticate to this instance (e.g. pk protect-user)
        1. Set a database user password and be sure to uncheck options for "Must change password at next logon"
        2. Give the database user the "db_owner" right to the PK Protect database you created above
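
The database steps above, scripted as an added PowerShell example (this is not PKWARE's installer code). The server, database and login names are placeholders, and the script assumes it runs under a Windows account that is a SQL Server administrator. It finishes by checking the collation, the db_owner membership and that the database is still empty.

```powershell
# Added example, not PKWARE's installer. Server, database and login names are placeholders.
$Server   = 'sqlserver.example.internal'
$Database = 'PKProtect'
$Login    = 'pkprotect-user'

# Prompt for the login's password so it never sits in the script or in shell history.
$cred = Get-Credential -UserName $Login -Message 'Password for the PK Endpoint Manager database login'

function Invoke-Scalar {
    # Runs one parameterized batch and returns the first column of the first row (if any).
    param($Connection, [string]$Text, [hashtable]$Parameters = @{})
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Text
    foreach ($name in $Parameters.Keys) {
        [void]$cmd.Parameters.AddWithValue("@$name", $Parameters[$name])
    }
    $cmd.ExecuteScalar()
}

# DDL statements do not accept parameters, so names are quoted server-side with QUOTENAME
# instead of being pasted into the SQL text by PowerShell.
$createDb = @'
IF DB_ID(@db) IS NULL
BEGIN
    DECLARE @sql nvarchar(max) =
        N'CREATE DATABASE ' + QUOTENAME(@db) + N' COLLATE Latin1_General_CI_AS';
    EXEC (@sql);
END
'@

# MUST_CHANGE is deliberately not specified: a service login cannot answer a
# "change password at next logon" prompt. QUOTENAME returns NULL for inputs over
# 128 characters, in which case no login is created and the next step fails loudly.
$createLogin = @'
IF SUSER_ID(@login) IS NULL
BEGIN
    DECLARE @sql nvarchar(max) =
        N'CREATE LOGIN ' + QUOTENAME(@login) +
        N' WITH PASSWORD = ' + QUOTENAME(@password, '''');
    EXEC (@sql);
END
'@

# ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later.
$grantOwner = @'
IF DATABASE_PRINCIPAL_ID(@login) IS NULL
BEGIN
    DECLARE @u nvarchar(max) =
        N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login);
    EXEC (@u);
END
DECLARE @r nvarchar(max) = N'ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@login);
EXEC (@r);
'@

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Database=master;Integrated Security=True")
$conn.Open()
try {
    Invoke-Scalar $conn $createDb    @{ db = $Database } | Out-Null
    Invoke-Scalar $conn $createLogin @{ login = $Login; password = $cred.GetNetworkCredential().Password } | Out-Null

    # The database user and role membership live inside the new database.
    $conn.ChangeDatabase($Database)
    Invoke-Scalar $conn $grantOwner  @{ login = $Login } | Out-Null

    # Verify what the guide asks for before handing the values to the installer.
    $collation = Invoke-Scalar $conn "SELECT CONVERT(nvarchar(128), DATABASEPROPERTYEX(@db, 'Collation'))" @{ db = $Database }
    $isOwner   = Invoke-Scalar $conn "SELECT IS_ROLEMEMBER('db_owner', @login)" @{ login = $Login }
    $tables    = Invoke-Scalar $conn 'SELECT COUNT(*) FROM sys.tables'

    if ($collation -ne 'Latin1_General_CI_AS') { throw "Database collation is '$collation', expected Latin1_General_CI_AS." }
    if ($isOwner -ne 1)                        { throw "Login '$Login' is not a member of db_owner in '$Database'." }
    if ($tables -ne 0)                         { Write-Warning "Database '$Database' already contains $tables table(s); the guide expects an empty database." }

    Write-Output "Database '$Database' on $Server is ready (collation $collation, owner $Login)."
}
finally {
    $conn.Dispose()
}
```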

For more information about how to authenticate to Microsoft SQL Server, see:

IIS website / application pool requirements and setup:

Perform the following steps on the Windows Server running IIS:

      1. Install the Visual C++ 2012 Runtime
      2. Configure Internet Information Server (IIS) for Smartcrypt
      3. Install Web Deploy with Microsoft Web Platform Installer
      4. Configure Windows Authentication
      5. Adding an Application Pool
      6. Adding a Website
      7. Configuring the website for SSL

Install the Visual C++ 2012 Runtime 

PK Protect is developed with Microsoft® Visual Studio® 2012. The Microsoft Visual C++ redistributable enables some required features for PK Protect. Since PK Protect was created using Visual Studio 2012, the 2012 redistributables are required.

      1. Download and install the 64-bit version of the redistributable found here:

Configure Internet Information Server for PK Protect

Prior to installing the PK Endpoint Manager website, you must have two features installed and configured on IIS. There are important, if slight, differences in the setups depending on which version of Windows Server you are running.

If you already have these features installed and configured, no changes are required. Skip to “Install Smartcrypt Enterprise Manager.”

Setting up IIS in Windows Server 2012 R2

Launch the Server Manager and select IIS

      1. Click Add Roles and Features
      2. Skip the Before you begin page. Click Next
      3. On the Installation Type page, select Role-based or feature-based installation. Click Next
      4. On the Select destination server page, choose the server you will install PK Protect on. Click Next
      5. Existing installations of IIS, Skip to Step 10
      6. On the Server Roles page, select Web Server (IIS)
      7. On the Features page, expand .NET Framework 4.5 Features and check: ASP.NET 4.5
      8. On the Roles Services page
        1. Expand Security and check Windows Authentication
        2. Expand Application Development and check .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions and ISAPI Filters.
      9. New installations of IIS, Skip to Step 11
      10. Existing Installations of IIS, verify that the following Server Roles are enabled:
        1. Web Server (IIS) | Web Server | Security | Windows Authentication
        2. Web Server (IIS) | Application Development | .NET Extensibility 4.5, ASP.NET 4.5, ISAPI Extensions, ISAPI Filters
      11. Confirm your installation selections and click Install.

Windows Add Server Roles Wizard

Setting up IIS in Windows Server 2008 R2

Launch the Server Manager and select Web Server (IIS).

      1. If ASP.NET and/or Windows Authentication appear as Not Installed in the Role Services list, click Add Role Services
      2. Under Application Development, check ASP.NET
      3. Click Add Required Role Services and add:
        1. .NET Extensibility
        2. ISAPI Extensions
        3. ISAPI Filters
      4. Expand Security and check the Windows Authentication box
      5. Click Install

Enabling .NET Framework 4 Support in IIS (Windows Server 2008)

After installing the ASP.NET features in the Server Manager, you must still enable the .NET Framework in Windows Server 2008. This is done from an Administrator command prompt.

      1. Open the Command Prompt.
      2. Go to C:\Windows\Microsoft.NET\Framework64\v4.0.xxxx
      3. Run the following command:

        aspnet_regiis.exe -i
      4. ASP.NET RegIIS will install ASP.NET.

Install Web Deploy with Microsoft Web Platform Installer 

Install Web Deploy through the Microsoft Web Platform Installer (WPI), a free Microsoft tool to install a variety of products into IIS. Download WPI from

After you download wpilauncher.exe, run it to see the Web Platform Installer screen. Click the Search box in the upper right corner and type "Web Deploy." Several options may appear, depending on what applications are supported. For your initial installation, we recommend you select the most recent version of Web Deploy with bundled SQL support. At the time this was written, 3.5 was the latest version, so, for example, click Add on Web Deploy 3.5 with bundled SQL support. WPI will install everything you need.

Configure Windows Authentication 

After adding Windows Authentication to the Windows Server configuration, you must further configure the IIS Manager to permit this. The steps to allow single sign on are the same for both Windows Server 2008 and 2012:

      1. Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager)
      2. In the Management section, select Feature Delegation
      3. Change the Authentication - Windows setting to Read/Write
      4. From the main window, click Authentication.
        IIS Server Authentication Configuration
      5. Right click on Windows Authentication and select Enable (if not already enabled)

Windows Authentication - Enable

Adding an Application Pool 

      1. Open the IIS Manager (Control Panel > Administrative Tools > Internet Information Services Manager).
      2. Click View Application Pools to display existing pools.
      3. Click Add Application Pool.
      4. Give the Application Pool a name (possibly something like "MDS"). It is appropriate to accept the remaining default options.

Application pool settings

Adding a website 

      1. Download the latest package ZIP file from PKWARE to your server. Note: Do not extract the contents of the ZIP archive.
      2. In IIS Manager, go to Sites.
      3. Click Add Website. Name it PK Endpoint Manager. The Add Website dialog will open.
        Add new website wizard
      4. Choose a Site name. This can be the same as the Application Pool.
      5. Use the Select button to make sure you select the application pool you created in the previous section.
      6. Define the physical path to the content directory
      7. (Optional) Select a host name for the site. If you give the website a host name, make sure your domain has proper routing for the host defined in DNS.

If you are accessing PK Endpoint Manager from outside your internal network domain, you also need to create a public DNS entry.
Make sure that the DNS entry points to one or more defined IP addresses (an A Record). PK Endpoint Manager needs a fully qualified domain name to authenticate agents.

Click OK to complete this step and add the website.
Configure New Website

Configuring the website for SSL 

The PK Endpoint Manager requires an SSL connection to protect data being posted to the server. We need to add a binding to enable SSL for this website.

      1. Highlight the website you created in the earlier section. Select Bindings from the Edit Site options on the right. 
      2. The Add Site Binding screen appears. Select https from the Type: dropdown menu.
      3. Click Select to choose the SSL Certificate to use for this site.

Site binding settings

Bind SSL certificate to website

Verify SSL is working properly!

Verify the site is working properly by pointing your browser to https://<server>/ – you should see the IIS Welcome Page.

Verify the certificate is trusted on your other devices!

If you are using a self-signed certificate, this will require additional steps. Learn how to trust any certificate here.
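
The certificate import steps listed in the scripted-installation notes and the binding steps in this section, combined as an added PowerShell example (this is not PKWARE's installer code). The PFX path, site name and host name are placeholders; the script refuses to bind a certificate that is self-signed, close to expiry, or does not validate for the host name clients will use.

```powershell
#Requires -RunAsAdministrator
# Added example, not PKWARE's installer. The PFX path, site name and host name are placeholders.
Import-Module WebAdministration

$PfxPath  = 'C:\certs\pk-manager.pfx'
$SiteName = 'PK Endpoint Manager'
$HostName = 'pkmanager.example.internal'

# Ask for the PFX password interactively; it is held as a SecureString.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password protecting the PFX private key'

# Import into the local machine Personal store (Cert:\LocalMachine\My).
# -Exportable is left off, so the private key cannot be exported again from this server.
# Add -Exportable only if you need to back up or move the key later.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword |
    Where-Object { $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key was imported from $PfxPath."
}

# Collect every reason this certificate would fail on client devices.
$problems = @()
if ($cert.Subject -eq $cert.Issuer) {
    $problems += 'certificate is self-signed (subject equals issuer)'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "certificate expires on $($cert.NotAfter)"
}
# Test-Certificate builds the chain against this machine's trust store and
# checks that the certificate is valid for TLS server use with this host name.
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName `
    -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
if (-not $trusted) {
    $problems += "chain or host name validation failed for $HostName"
}
if ($problems.Count -gt 0) {
    throw "Not binding $($cert.Thumbprint): $($problems -join '; ')"
}

# Find the site's https binding, creating one on port 443 if the site has none yet.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
}

if ([string]::IsNullOrEmpty($binding.certificateHash)) {
    # No certificate attached yet: attach the one just imported from the Personal store.
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
    Write-Output "Bound $($cert.Thumbprint) to https binding of '$SiteName'."
}
elseif ($binding.certificateHash -eq $cert.Thumbprint) {
    Write-Output "'$SiteName' already uses $($cert.Thumbprint)."
}
else {
    # A different certificate (for example the installer's self-signed one) is in use.
    Write-Warning ("'$SiteName' is bound to $($binding.certificateHash). " +
        "Select $($cert.Thumbprint) in the site's Bindings dialog to replace it.")
}
```

Test-Certificate only proves trust on the server itself; client devices still need the issuing CA in their own trust stores.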

Installing PK Endpoint Manager 

Now that the prerequisites are fulfilled, we are ready to install the PK Endpoint Manager.

Note: The next section assumes you have a .ZIP file containing the PK Endpoint Manager deployment package.

Importing the .ZIP file containing the PK Endpoint Manager web application with Web Deploy

      1. Highlight the website created above
      2. In the Action menu on the right side of the screen, select Import Application from the Deploy section
        Deploying site contents with Web Deploy
      3. Web Deploy will launch and ask you to select the PK Endpoint Manager .ZIP file. Browse to the directory where the PK Protect package is located, select the ZIP, and click Next
        Navigate to web deploy package
      4. Web Deploy will scan the ZIP package contents and display them. Review the contents of the package, and click Next to confirm
        Web Deploy reading package
      5. Web Deploy will prompt for some application configuration options on the Enter Application Package Information page:
        Web Deploy website settings
      6. Set the Application Path to "mds" without the quotes. This is the name of the web application. This name will appear in the URL you will use to access the Manager.
      7. Set the PK Endpoint Manager Server Password. This password is used to encrypt your encryption keys. It should be securely backed up and not shared with PKWARE.
      8. Define a root administrator account for the PK Endpoint Manager. This can be a domain account or a local account.  
        1. Domain Account: set a username (AD SysAdmin) only and leave the next two fields blank.
        2. Local Account: set a username (Local SysAdmin) and a password (Local SysAdmin Password) and leave the AD SysAdmin field blank.
      9. Set the parameters of the connection string with the information from your database administrator. This value connects PK Endpoint Manager to the database you initially set up.
        1. datasource: The database server name or IP
        2. initial catalog: The name of the database to be used by the PK Endpoint Manager
        3. dbuser: The database server username
        4. dbpassword: The database user password
        5. Click Next to install PK Endpoint Manager via Web Deploy

Web deploy progress

Creating the PK Protect database schema

Now that the web application is set up and deployed with SSL configured, the last item we need to complete is populating the PK Protect database with the initial schema. PK Protect comes with a tool to complete this task for you called SmartcryptDB.exe.  From the application server running IIS:

      1. Open a command window (cmd).
      2. Change directory to the location you installed the website to (above) and look for the bin directory.
      3. Now execute SmartcryptDB.exe.
      4. The tool should run and set up the required schema for the version of the PK Endpoint Manager you have.

Make sure your Application Pool is started and your website is started in IIS. Next, point your browser to https://<server>/<ApplicationPath>/SuperUser to log in with the System Administrator credentials (Active Directory or Local) and start using PK Protect.


General Appliance Overview


The PK Endpoint Manager Appliance comes in four configurations:

  • 200v :: A virtual appliance suitable for utilizing within your own virtual infrastructure.
  • 300h :: A hardware appliance that contains a hardware security module (HSM) for FIPS 140-2 Level 3 key storage.
  • 300r :: A hardware appliance that contains a quantum-powered true random number generator provided by Quintessence Labs.
  • 350 :: A hardware appliance that contains both an HSM and a quantum random number generator.

Note: A PK Endpoint Manager can be configured to use a pre-existing, external Quintessence Labs Trusted Security Foundation for HSM backed secure key storage or quantum random number generation.

The following documentation applies to only the 200v.

Hypervisor Support (200v only)

The PK Endpoint Manager Appliance is officially supported on VMware vSphere v5.5+ but should run in any hypervisor including Microsoft Hyper-V, Citrix Xen Server and Linux KVM. It will also run in many Type-2 hypervisors including VMware Fusion, Workstation, VirtualBox and Hyper-V on Windows.

Note: For customers wishing to install the PK Endpoint Manager onto their own application and database infrastructure, a software only (non-Appliance) version is available.

Appliance Setup and Configuration Quick Start

Before you set up the SEM Appliance, be sure you have these prerequisites in place:

  • VMware virtual machine set up to host the SEM
  • Active Directory account to serve as the SEM SuperAdmin
  • (Optional) A digital certificate to enable LDAP-S
  • PKWARE will supply access to the base OVA file to import into VMware. You will upgrade to the latest SEM version during the setup process.

To set up PK Endpoint Manager in VMware:

  1. Import PK Protect OVA file.

    1. You should have received this file from PKWARE.
  2. Login and Accept End User License Agreement.

  3. Update to current SEM version. (17.7 and below only)

    1. You'll receive access to the upgrade files from PKWARE. This is a three-step process:
    2. Upgrade to 17.7 (This will allow large uploads to be enabled, as the base image doesn't allow large uploads)
    3. Upgrade to the OS Upgrade Pack
    4. Upgrade to the 18.1.X version
    5. See "Upgrading the PK Endpoint Manager Appliance" for more information.
  4. Create the Server Identity Account.

    1. Add username and a master password for SEM.
  5. Acquire evaluation license

  6. Configure Network / Hostname

    1. Go to System > Network in SEM. Click Configure Network. Check Use DHCP to have the system identify available IP addresses for this SEM. You can also configure the network manually by filling out the remaining fields. If you do that, be sure to update the system's Hosts File; Click Host File on the Network page to edit this system file.
  7. Join Active Directory Domain

    1. If you're using Active Directory Integration to allow client agents to connect with the user's Active Directory credentials, you can (optionally) join the AD Domain to SEM. Go to System > Domain. Click Join Domain. Fill in the form. Click Join Domain. See the "Active Directory" section of the Basics page for more information.
  8. Configure TLS/SSL

    1. See "Security: Public Key Infrastructure and Certificates" for information on why this step is necessary.
    2. Upload Root: You need a root certificate, along with any intermediate certificates between the root and PKCS#12 certificate. Under System > SSL, click Upload Root under Custom Trusted Root Certificates. Browse to the *.cer file containing the fully qualified chain for your certificate. Click Upload.

    3. Upload PKCS#12 certificate. Under System > SSL, click Upload PKCS#12. Browse to the *.pfx file. Click Upload. This file will include at least the certificate’s private key and may include the entire certificate chain.

    4. Confirm connection. The Issuer of the SSL Certificates will have the same label as the Subject of the Custom Trusted Root Certificates on this page.

  9. Configure AD Connection for User Lookups

    1. Admins need to connect to Active Directory users to identify and manage clients, devices, and policies. Go to Basics and scroll to the Active Directory section. See the "Active Directory" section of the Basics page for more information.
  10. Set Primary Database Password

    1. You cannot back up the database without defining a primary database password. Go to System > Database. Click the Not Set line in Password. Type the master password.
  11. Set up a Cluster. See "Creating a New Cluster" for process.
  12. Join Replica

    1. See "Adding a new system to an existing Cluster" for process.
  13. Verify connectivity

    1. After pairing, you will be asked to reboot both systems. Go to System > Operations. Click Reboot. Following the system reboot, go to Advanced > Cluster. Both systems should be listed, and you should see the Polling active information at the bottom of the page.

  14. Advanced | Data Centers

    1. Setup first data center. See "Creating a New Data Center" for process.

Security: Public Key Infrastructure and Certificates

Use of digital certificates for encryption and digital signing relies on a combination of supporting elements known as a public key infrastructure (PKI). These elements include software applications such as PK Protect that work with certificates and keys as well as underlying technologies and services.

The heart of PKI is a mechanism by which two cryptographic keys associated with a piece of data called a certificate are used for encryption/decryption and for digital signing and authentication. One of the keys is private and must be kept secure so that only its owner can use it. The other is a public key that may be freely distributed for anyone to use to encrypt data intended for the owner of the certificate or to authenticate signatures. The keys look like long character strings but represent very large numbers. 

End entity certificates and their related keys are used for signing and authentication. They are created at the end of the trust hierarchy of certificate authorities. Each certificate is signed by its CA issuer and is identified in the “Issued By” field in the end certificate. In turn, a CA certificate can also be issued by a higher level CA. Such certificates are known as intermediate CA certificates. At the top of the issuing chain is a self-signed certificate known as the root.

How the Keys Are Used

With encryption/decryption, a copy of the public key is used to encrypt data such that only the possessor of the private key can decrypt it. Thus anyone with the public key can encrypt for a recipient, and only the targeted recipient has the key with which to decrypt.

With digital signing and authentication, the owner of the certificate uses the private key to sign data, and anyone with access to a copy of the certificate containing the public key can authenticate the signature and be assured that the signed data really proceeds unchanged from the signer.

Authentication for an X.509 key has one additional step. As an assurance that the signer is who he says he is—that the certificate with Bob’s name on it is not fraudulent—the signer’s certificate itself is signed by an issuing certificate authority (CA). The CA in effect vouches that Bob is who he says he is. The CA signature is authenticated using the public key of the CA certificate used. This CA certificate too may be signed, but at some point the trust chain stops with a self-signed root CA certificate that is simply trusted. The PKI provides for these several layers of end-user public key certificates, intermediate CA certificates, and root certificates, as well as for users’ private keys.
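
The "Confirm connection" check in the Configure TLS/SSL step and the chain of trust described above can be tested before uploading anything. This is an added example, not PKWARE tooling. It assumes openssl is installed, a PEM-encoded root *.cer, a server certificate issued directly by that root, and a PFX password supplied in a PFX_PASS environment variable; the function names and demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PKWARE tooling. Assumes openssl is installed, the root
# *.cer is PEM-encoded, and the PFX password is supplied in the PFX_PASS
# environment variable so it never appears on a command line.

# Print the issuer or subject distinguished name of a PEM certificate.
dn_of() {  # $1 = certificate file, $2 = issuer | subject
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*= *//'
}

# 0: certificate in the PFX was issued by the root and verifies against it
# 1: issuer/subject mismatch or signature verification failure
# 2: PFX could not be read (wrong password or not PKCS#12)
check_pfx_against_root() {  # $1 = *.pfx, $2 = root *.cer
  leaf=$(mktemp) || return 2
  if ! openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
       openssl x509 -out "$leaf" 2>/dev/null; then
    rm -f "$leaf"
    return 2
  fi
  rc=0
  # The guide's check: Issuer of the SSL certificate = Subject of the root.
  [ "$(dn_of "$leaf" issuer)" = "$(dn_of "$2" subject)" ] || rc=1
  # Two CAs can share a name, so also verify the signature itself.
  openssl verify -CAfile "$2" "$leaf" >/dev/null 2>&1 || rc=1
  rm -f "$leaf"
  return "$rc"
}

# Build a constructed root CA, server certificate and PFX in directory $1.
make_demo_pki() {  # $2 = common name for the constructed root
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sem.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/leaf.cer" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.cer" \
    -passout env:PFX_PASS -out "$1/server.pfx"
}

# Demo on constructed files; point the check at your own *.pfx and *.cer.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  PFX_PASS=constructed-demo-pass; export PFX_PASS
  make_demo_pki "$work" "Example Demo Root CA" &&
    check_pfx_against_root "$work/server.pfx" "$work/root.cer" &&
    echo "server.pfx chains to root.cer"
  rm -rf "$work"
fi
```

A return value of 1 when the names match means the certificate was signed by a different key than the root you are about to upload, which the name comparison alone would not reveal.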

Installing PKWARE Agents

Windows Installation

Graphical Installation
  1. Right click on the Windows Installer and choose "Run as administrator".
  2. Review and accept the license agreement.
  3. Select a setup type of either typical or custom.
    1. Typical will install all program features.
    2. Custom allows you to choose which programs and features you wish to install.
  4. Launch Smartcrypt by double clicking on the Smartcrypt icon from the desktop.

Command Line Installation

You can install Smartcrypt from the Windows command-line prompt or a batch file. In the command line, you can set values for various properties to customize the installation.

The command line looks like this:

<name of smartcrypt installation file> /S /v"<properties>"


  • /S is a switch that tells InstallShield® to run silently and not to display various initial screens (that say, for example, "Preparing to install").

  • /v is a switch that must be used to pass any specified Smartcrypt properties to the Windows installer.

  • <properties> is a list of property settings

You can also optionally pass in a switch to specify either the Basic UI, which displays a dialog containing only a Cancel button to allow canceling of the installation, or No UI, which displays no dialog. Both Basic UI and No UI can run unattended. The default is the full, graphical UI, which is interactive and so cannot run unattended.

/qb | Basic UI
/qn | No UI

Any quotes (") in the parameters must be escaped with a backslash (\).

<name of smartcrypt installation file> /S /v/qb
<name of smartcrypt installation file> /S /v"/qb PKPGPASSOC=0"

The properties you can set or change are described below:

By default, the Smartcrypt installer adds the command line program to the system's PATH. To disable the Smartcrypt command line interface from being added to the system PATH environment variable, type a command like this:

<name of smartcrypt installation file> /S /v"ADD_TO_PATH=0"

By default, the command line interface is included in your Smartcrypt installation. If you prefer to only use the graphical interface, use this command:

<name of smartcrypt installation file> /S /v"CLI=0"

If you want to only run Smartcrypt through its command-line interface, you can disable all graphical elements by setting the GUI property to 0 using a command line like this:

<name of smartcrypt installation file> /S /v"GUI=0"

Caution: Disabling the graphical interface also turns off Smartcrypt Attachments, SaveSecure Office Integration and all file associations.

By default, the installation associates with Smartcrypt the types of files listed in the following table. These file associations enable you to open a file of any of these types in Smartcrypt by double-clicking it in Windows Explorer.

File Type | Property

If you do not want a particular file type associated with Smartcrypt, set the corresponding property to 0 in the command line. For example:

<name of smartcrypt installation file> /S /v"PKPGPASSOC=0"

By default, the installation creates shortcuts to Smartcrypt. If you do not want a shortcut created in one of the places listed in the table below, set the corresponding property to 0.

Program group on start menu | PKSTARTMENU

Smartcrypt Attachments, the extension module for zipping email messages and attachments, installs by default if Outlook is detected. To not install Smartcrypt Attachments, set the MAIL property to No using a command line like this:

<name of smartcrypt installation file> /S /v"MAIL=0"

macOS Installation


  1. Double-click the Smartcrypt installer package provided by your PKWARE representative.
  2. Click "Continue" to be guided through the steps necessary to install the Smartcrypt Client for Mac.
  3. Read through the software license agreement. Click "Continue" to progress through the installation.
  4. After you click "Continue", a prompt asks you to verify that you agree to the terms of the software license agreement. Click "Agree" to continue the software installation.
  5. Click "Install" to perform a standard installation of Smartcrypt for Mac.
  6. Enter the administrative password to authorize the installation of Smartcrypt for Mac.
  7. When the prompt reports that the installation was successful, click "Close".

Linux/Unix Installation and Removal

Installing on Debian Linux based distribution

[user@deb-host ~]# dpkg -i Smartcrypt_CLI-15.10.0034-x86_64.deb

Removing on Debian Linux based distribution

[user@deb-host ~]# dpkg -r pkzip-server

Installing on RPM Linux based distribution

[user@rhel-host ~]# rpm -i Smartcrypt_CLI-15.10.0034-x86_64.rpm

Removing on RPM Linux based distribution

[user@rhel-host ~]# rpm -qa | grep PK
[user@rhel-host ~]# rpm -e PKZIP_Server

Installing on Solaris

# pkgadd -d Smartcrypt_CLI-15.10.0034-sun4u.pkg all
# pkgadd -d Smartcrypt_CLI-15.10.0034-i86pc.pkg all

Removing from Solaris

# pkgrm PKWpkzs

Installing on AIX

# installp -a -d <filename>.bff all

Removing from AIX

# installp -u pkzip-server.\*

Starting and Stopping the Agent

Running the program will automatically start the agent. If you wish the agent to start with a specific set of credentials, please see the next section on managing login credentials.

Starting the Agent

[user@rhel-host ~]$ pkzipc

Stopping the Agent on Linux

[user@rhel-host ~]$ /usr/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Linux 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991

Stopping the Agent on Solaris

$ /opt/pkware/pkzip/bin/pkagent --stop
PKWARE pkagent for Solaris 15.10.0034
Portions copyright (C) 1989-2016 PKWARE, Inc.
Stopping agent, PID=2991


[user@rhel-host ~]$ pkzipc -help
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2016 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending  
Usage: PKZIPC [command] [options] zipfile [@list] [files...]
   View .zip file contents: PKZIPC zipfile
   Create a .zip file:      PKZIPC -add zipfile file(s)...
   Extract files from .zip: PKZIPC -extract zipfile
The above usages are only basic examples of Smartcrypt's capability.

Enter 'C' to list Commands, 'O' to list Options or <Esc> to exit

Login Credentials

Creating your managed login credentials in the settings.json file

/usr/pkware/pkzip/bin/pkagent --config --interactive

PKWARE pkagent for Linux 17.10.0017
Portions copyright (C) 1989-2021 PKWARE, Inc.

Enter your Smartcrypt Server URL (optional): https://<SEMURL>/mds
Enter the email address:
Does the account "" authenticate with Active Directory
credentials [y/n]: y
Enter the Active Directory credentials for "": **********
PKMeta Initializing - Built Jan 13 2022 at 15:35:25
PKMeta initialized
Initialized Cluster Evaluator
Would you like to use a Smartcard for Multi-factor authentication (MFA)? [y/N]:


Passing the password on the command line, as in the following commands, is not recommended because it can leave passwords exposed in shell history.

Creating your managed login credentials in the settings.json file

/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --iwa password

Creating your unmanaged login credentials in the settings.json file

/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --master password
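
One way to check whether the command-line form above has already left passwords in shell history, as an added example (not PKWARE tooling). It assumes plain-text history files with one command per line; the function names and the sample history lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PKWARE tooling: report shell-history lines where a
# password was passed to "pkagent --config" via --iwa or --master.
# The password itself is replaced with <redacted> in the report.

scan_history() {  # $@ = history files; returns 0 if any exposure was found
  found=1
  for f in "$@"; do
    [ -r "$f" ] || continue
    awk '
      /pkagent/ && /--config/ {
        hit = 0; line = ""
        for (i = 1; i <= NF; i++) {
          word = $i
          # The token after --iwa or --master is the secret, unless it is
          # another option.
          if (i > 1 && ($(i-1) == "--iwa" || $(i-1) == "--master") &&
              word !~ /^--/) {
            word = "<redacted>"; hit = 1
          }
          line = line (i > 1 ? " " : "") word
        }
        if (hit) { printf "%s:%d: %s\n", FILENAME, FNR, line; n++ }
      }
      END { exit(n ? 0 : 1) }
    ' "$f" && found=0
  done
  return "$found"
}

# Constructed sample: bash-style lines plus one zsh extended-history line.
write_sample_history() {  # $1 = output file
  cat > "$1" <<'EOF'
cd /usr/pkware/pkzip/bin
/usr/pkware/pkzip/bin/pkagent --config --interactive
/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --iwa Constructed-Pass1
: 1700000000:0;/usr/pkware/pkzip/bin/pkagent --config --email user@domain.ext --master Constructed-Pass2
pkzipc -listsm
EOF
}

# Demo on the constructed sample. For real use, for example:
#   scan_history "$HOME/.bash_history" "$HOME/.zsh_history"
sample=$(mktemp)
write_sample_history "$sample"
scan_history "$sample" || echo "no exposed pkagent passwords found"
rm -f "$sample"
```

Any account reported here should have its password changed, since the history file may already have been read or backed up.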

Listing Current Smartkeys


ubuntu@ip-172-31-55-199:~$ pkzipc -listsm
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending

 -------------------------------  ------------------------------- 
             Name/URN                        Owner                
 -------------------------------  ------------------------------- 
 ubuntu's Shareable Smartkey           
 Personal Smartkey                 

Encrypting a file to a Smartkey encrypted archive

ubuntu@test-box:~$ pkzipc -add ~/sc-installs/ ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU=
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method
Creating .ZIP: /home/ubuntu/sc-installs/
  Adding File: test-smartkey.txt Deflating    ( 0.0%), Encrypting, done.

View passphrase on Smartkey encrypted archive

ubuntu@test-box:~$ pkzipc -test -smartkeypass ~/sc-installs/
Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending

Testing files from .ZIP: /home/ubuntu/sc-installs/

Smartkey passphrase: P4EhUuGKuaoDIJk3YKM4LVyhH0Qhin/aHjPSkwUgMRo=

Testing: test-smartkey.txt  OK

Create new Smartkey encrypted archive and output passphrase

ubuntu@test-box:~$ pkzipc -add ~/sc-installs/ ~/sc-installs/test-smartkey.txt -smartkey=default--MA_16_pRVZLqxK4LtDuUZPJQ0NQn4WVSbG3oywEHIcSEcJvcU= -smartkeypass

Smartcrypt(TM) Version 15 for Linux X86-64 Licensed Version 
Portions copyright (C) 1989-2015 PKWARE, Inc.  All Rights Reserved. 
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579 
7,890,465  7,895,434;  Other patents pending
* Strongly encrypting files with a passphrase using AES (256-bit)
* Using UTF-8 file names and comments
* Using default compression method

Creating .ZIP: /home/ubuntu/sc-installs/

Smartkey passphrase: YKlOSQMq7opMbPwKRBEin/PGQ9vBoVPaxMOvdO+n5ZI=

  Adding File: test-smartkey.txt Deflating    ( 0.0%), Encrypting, done.

  • -SmartkeyCreate: Create a new Smartkey.
      pkzipc -smartkeycreate=test
  • -SmartkeyModify: Use SmartkeyModify to change a Smartkey’s name and access rights to data encrypted with this Smartkey.
      pkzipc -smartkeymodify=Test -smartkeyn="Test A"
      pkzipc -smartkeymodify="Test AB" -smartkeyn="Test AC"
      pkzipc -smartkeymodify="urn=smartcrypt--something-something" -smartkeys
  • -SmartkeyRemove: Delete any Smartkey with the SmartkeyRemove command.
      pkzipc -smartkeyremove="urn=Smartcrypt--something-something"
  • -Listsmartkeys: Displays a list of your Smartkeys and, with =, displays a list of the users allowed to use that Smartkey.
      pkzipc -listsm
      pkzipc -listsm="Accounting"
  • -Smartkey: Specify a Smartkey to be used.
      pkzipc -add -smartkey="urn=smartcrypt--something-something" *
      pkzipc -add -smartkey="Accounting" *
  • -SmartkeyAllow: Allows specified recipient(s) access to the Smartkey.
      pkzipc -smartkeym="urn=smartcrypt--something-something"
  • -SmartkeyDeny: Denies specified recipient(s) access to the Smartkey.
      pkzipc -smartkeym="urn=smartcrypt--something-something"
      pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeyd=@file.txt
  • -SmartkeyName: Renames the specified Smartkey.
      pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeyn="Test123"
      pkzipc -smartkeym="Test 123" -smartkeyn="Test 12345"
  • -SmartkeyPass: Display or write the random passphrase used in Smartkey based encryption to the console or a file.
      pkzipc -add -smartkey="Sales Materials" -smartkeypass
      pkzipc -add -smartkey="Sales Materials" -smartkeypass=mypass.txt
  • -SmartkeySet: Specifies recipients allowed access to the Smartkey, denying all others.
      pkzipc -smartkeym="urn=smartcrypt--something-something"
      pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeys=@file.txt
      pkzipc -smartkeym="urn=smartcrypt--something-something" -smartkeys

Uninstalling PKWARE Agents