"It is not possible to decrypt this message..." Unable to decrypt - Keyring does not contain usable private keys (PGP Encryption Desktop)


Article ID: 153195


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

When you attempt to decrypt a file or email, you receive the error message:

It is not possible to decrypt this message because your keyring does not contain usable private key(s)... 



This article describes several common scenarios in which this error might occur, and points to other answers that provide possible resolutions.


 

Cause

To begin, you should determine whether PGP Encryption Desktop actually has your keypair. This can be done by just looking at your key's icon.

The underlying cause of this error message is that PGP Encryption Desktop does not have access to the private key needed for decryption. This could be due to any of the following:

  • The sender simply encrypted the file or email using the wrong public key
  • You have not properly transferred your private key or keyrings from another computer
  • You have deleted or lost the private key needed for decryption

Resolution

To decrypt with any PGP key, be it your own key, a corporate Additional Decryption Key, an Organization Key, etc., you need to have the private key in your local keyring. Having a private key is not enough on its own: the Key ID that was used to encrypt must match the Key ID of the key you want to decrypt with.

For example, if you open the key properties, you will notice a Key ID with the convention of 0xABCD1234. Check with the person who encrypted the message and ask them which Key ID they used to encrypt.

Next, check your own keyring to see whether you have the corresponding private key to decrypt.
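The Key ID comparison described above can also be made directly against the encrypted message, because an OpenPGP message lists the Key ID of each key it was encrypted to in its leading packets. The following Python sketch is an added example, not part of the original article or of the PGP products: it assumes the message is available as binary (not ASCII-armored) bytes, and the function names and sample message are constructed for illustration. Note that the ID recorded in the message is that of the key that actually performed the encryption, which is often an encryption subkey rather than the primary key.

```python
def pkesk_key_ids(data: bytes) -> list:
    """64-bit recipient Key IDs (hex) from the PKESK packets (tag 1,
    RFC 4880 5.1) that precede the ciphertext in a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        pos += 1
        if hdr & 0x40:                                  # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                break                                   # partial body: ciphertext reached
        else:                                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                break                                   # indeterminate length
            size = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if tag in (9, 18):
            break                                       # encrypted data packet
        body = data[pos:pos + length]
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            ids.append(body[1:9].hex().upper())         # octets 1..8 = Key ID
        pos += length
    return ids

def diagnose(message: bytes, private_key_ids) -> dict:
    """Compare the message's recipient Key IDs with the Key IDs (short
    0xABCD1234 or long form) of the private keys present in the keyring."""
    mine = {k.upper().removeprefix("0X") for k in private_key_ids}
    wanted = pkesk_key_ids(message)
    return {"encrypted_to": wanted,
            "matched": [w for w in wanted if any(w.endswith(m) for m in mine)],
            "hidden_recipient": "0" * 16 in wanted}     # all-zero ID: recipient withheld

def make_pkesk(key_id_hex: str) -> bytes:               # constructed sample packet
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1]) + b"\x00\x10\xAA\xBB"
    return bytes([0xC1, len(body)]) + body

# Constructed message: two recipients, then a stub encrypted-data packet (tag 18).
SAMPLE = make_pkesk("1122334455667788") + make_pkesk("99AABBCCABCD1234") + bytes([0xD2, 2, 1, 0])
```

An empty `matched` list with `hidden_recipient` false corresponds to the situation this article describes: the message was encrypted to keys for which the keyring holds no private key.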

An easy way to tell whether you have a keypair is to look at the key's icon. Consider the following two examples, which illustrate this requirement:

 

Example of a public key by looking at the icon in your keyring

The following screenshot shows that the key is only a public key:

Notice the icon is a single key.  This means the key is only a public portion, and cannot be used to decrypt any data.



The screenshot below shows that the key includes both a public key and a private key, or a "Keypair":

In the screenshot above, notice that there are two key icons.  One with a blue tip, and one behind that key, indicating you have the private key or Keypair.  This key can be used to decrypt as long as the proper Key ID was used to encrypt.

Important Tip: When you export your key, make sure you check the box "Include Private Keys". If you don't check this box, only the public portion will be exported, which cannot be used to decrypt:

Scenario 1: Only Public Key will be exported (No Key Pair):

 

Scenario 2: Keypair (both public and private keys will be exported):
This option is required if you intend to use this key to decrypt. If you don't have the option to include private keys, you have only the public portion of the key, and you will need to locate the keypair either in another .asc file or in a different location.

 

The following are the steps to help you with this process:

  1. Click the PGP Tray lock icon in your system tray and then click Open Symantec Encryption Desktop.
  2. Click PGP Keys in the control box.
  3. Select the keyring that contains your key.
  4. Now locate your key inside the window on the right. Based on your key's icon, complete either of the steps below.
  • If your key's icon is a pair of keys, then Encryption Desktop does have your keypair, and the error is likely occurring because the sender simply used the wrong public key during encryption. In this case, the resolution is simple: make your current public key available to the sender, then ask them to re-encrypt and re-send the file/email to you. If you suspect that the sender encrypted to the wrong public key, please refer to the following tutorial answers about ways to make your public key available to others: 

    180124 Send a public key via email

    180101 Submit a public key to the PGP Global Directory via Encryption Desktop

    180125 Submit a public key to the PGP Global Directory using a web browser

     
  • If your key's icon is just a single key, or you cannot locate your key at all, then Encryption Desktop does not have your keypair. In this case, you should consider the following common scenarios and refer to the appropriate knowledge base answers in the Additional Information section for further assistance.

Additional Information

153196 - Backup/Export PGP Keypairs

180127 - HOW TO: Add Existing Keyrings to PGP Desktop for Windows

180129 - HOW TO: Access the Backup Keyrings Created Automatically by PGP Desktop for Windows

180128 - HOW TO: Import a Keypair into PGP Desktop (Windows)

180130 - HOW TO: Reconstruct Your Private Key for Windows

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server

153477 - Import an ADK to Symantec Encryption Management Server (aka PGP Universal Server)