PGP Encryption Desktop does not automatically decrypt messages in Outlook (Outlook PST Growth Disabled - Symantec Encryption Desktop)
search cancel

PGP Encryption Desktop does not automatically decrypt messages in Outlook (Outlook PST Growth Disabled - Symantec Encryption Desktop)

book

Article ID: 153934

calendar_today

Updated On:

Products

Desktop Email Encryption Encryption Management Server Drive Encryption Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK PGP Encryption Suite

Issue/Introduction

PGP Encryption Desktop Symantec Encryption Desktop has the ability to automatically encrypt and decrypt emails without having to go through a lot of steps. 

When a user sends a message, PGP Desktop can automatically find a key, and if available, will encrypt to it. 

On the other side of this, decryption is possible and when an incoming message arrives, PGP can decrypt this as well. 

If messages are coming in encrypted, but the PGP Encryption Desktop client will not automatically encrypt, there could be security policies that are in place that may be preventing this.

One of the symptoms that happen when the PGP message is not decrypted in Outlook is you will end up with attachments instead of being able to see the body of the message.

 

For Emails encrypted with PGP/MIME encoding, you will have two attachments:

  1. Version.txt
  2. Message.pgp


For Emails encrypted with PGP-EML encoding, you will have one attachment:

  1. Message.pgp

 

For emails encrypted with PGP Partitioned, the encrypted attachment will have a .pgp extension and for the message, you will simply see a block of ciphertext, such as the following example.

 

You may or may not receive an error message when you click on an encrypted message for decryption.  In some cases, when you click on a message, the PGP Tray notification states that the item is Not secured by sender - it is treated as an unencrypted message.

This article will offer troubleshooting steps to help resolve this issue.

 

Environment

  • Symantec Encryption Desktop 10.5 and above.
  • Microsoft Outlook 2013 and above.

Cause

By default, Symantec Encryption Desktop creates a PST file which it uses as temporary storage for email decryption.
This PST file is not added to the user's Outlook profile, but is named according to the Outlook profile name.

For example, if the profile is Outlook, this PST file will be created:

"%LOCALAPPDATA%\PGP Corporation\PGP\Outlook_U.pst"

Because of this, if your organization does not allow PSTs at all through GPO, this would be a problem for the decryption.

 

 

Please see the Microsoft article How to use Outlook policy to control PST use and creation in the Office 365 Import service for further information about the above registry entries.

Resolution

The following sections will provide information on how to get decryption operations to work, which include making changes to Outlook policies as well as PGP policies. 


Important Note on Outlook and Exchange Support:
PGP Encryption Desktop supports Outlook with standard email protocols, such as MAPI, POP, IMAP and SMTP.
Exchange 365, Exchange Online, Outlook 365, Office 365, Microsoft 365, or any other similar variants by Microsoft, are fully supported.
PGP Encryption Desktop uses these standard protocols that comply with specific standards and as long as the standards do not deviate from the above, Email Encryption will work.
Even MAPI using HTTPS/RPC is supported and works just fine.  For more information on this, reach out to Symantec Encryption Support.
IMSFR-512/EPG-22854

Section 1 of 7: Security Exclusions for PGP Encryption Desktop

Symantec always recommends adding exclusions to your security applications to ensure our software and drivers will be able to launch properly. 
For information on which binaries to add, see the following article:
200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

 

Section 2 of 7: Ensure you have the private key to decrypt

Section 2 of 7: Ensure you have the private key to decrypt

Section 2 of 7: Ensure you have the private key to decrypt

Also make sure that the keypair is available to decrypt to which the message was encrypted to.  If the email is not working automatically, you can use the Clipboard or Current Window features to decrypt manually to validate if the message decrypted. For more information on this, see the following article:
180267 - HOW TO: Encrypt/Decrypt Text Using the Current Window feature with Symantec Encryption Desktop (PGP Desktop) for Windows

If none of the above links have allowed PGP to decrypt, and you are sure no other security policies or applications are at play, proceed to the next steps:

 

Section 3 of 7: Applicable Outlook Security Policies

Section 3 of 7: Applicable Outlook Security Policies

Section 3 of 7: Applicable Outlook Security Policies

If the following Group Policies for Outlook are changed from the defaults, PGP Desktop cannot create and/or use the PST file that it needs.

Section 3-Item A ---  Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs

This policy is set to Not Configured by default. It can be set to:

  • (default) PSTs can be added (disablepst in the registry has a value of 0)
  • No new PSTs can be added (disablepst has a value of 1)
  • Only Sharing-Exclusive PSTs can be added (disablepst has a value of 2)

It affects the following registry key. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook
  • Value name: disablepst
  • Value type: REG_DWORD
  • Valid values: 0, 1, 2

Recommendation: Set the "disablepst" value to "0" to allow pst files.  If this is enabled, automatic decryption may not be possible.

Section 3-Item B --- Prevent users from adding new content to existing PST files

This policy is set to Not Configured by default. It can be set to Disabled (pstdisablegrow in the registry has a value of 0) or Enabled (pstdisablegrow has a value of 1).

It affects the following registry key. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst
  • Value name: pstdisablegrow
  • Value type: REG_DWORD
  • Valid values: 0, 1

Recommendation: Set the "pstdisablegrow" value to "0" to allow users to add new content to existing PST files.

Section 3-Item C --- Do not change Windows Group Policies

The simplest solution is to leave the above Windows Group Policies at their default values. 

In environments where GPO may block this, you may need to get an exception to allow these PST policies.

Important Note: Even if you are able to change these values in the registry because you are a local administrator on the machine, a GPO that enforces different settings will overwrite the changes you make to the registry settings.
Work with your security team to ensure you can allow these policies in order for the PGP Desktop client to decrypt emails properly. 

 

Section 3-Item D --- (Outlook setting)  Allow content to be added only to existing PSTs

This will prevent users adding new PST files to their Outlook profile but allow existing PST files to be used:

  1. Set the Group Policy Prevent users from adding new content to existing PST files to Not Configured or Disabled.
  2. Set the Group Policy Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs to Enabled or Only Sharing-Exclusive PSTs can be added.

 

Section 3-Item E --- (PGP Setting) Register Encryption Desktop as Trusted

If your organization has enabled both Windows Group Policies, this option registers Encryption Desktop as a process that is trusted to create PST files and therefore the Windows Group Policies will not apply to Encryption Desktop.

First add the following key to the registry. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst
  • Value name: PSTDisableGrowAllowAuthenticodeOverrides
  • Value type: REG_DWORD
  • Value: 1

Then add a policy preference to the user's Encryption Management Server policy. To add the policy preference, login to the administration console and then:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to edit.
  3. In the General section, click on the Edit button.
  4. Click on the Edit Preferences button.
  5. Set the following preference and then click the Save button:
  • Pref name: mailEnablePSTAuthentication
  • Type: Boolean
  • Value: true

Once the clients have downloaded the modified policy, the %LOCALAPPDATA%\PGP Corporation\PGP\Outlook_U.pst file will be created and users will be able to decrypt messages.


Section 4 of 7: Use IStorage instead of PST files

Section 4 of 7: Use IStorage instead of PST files

Section 4 of 7: Use IStorage instead of PST files

If your organization has enabled both Windows Group Policies, you can add a policy preference to the user's Symantec Encryption Management Server (PGP Server) policy which will cause Outlook to use IStorage instead of PSTs. However, there are a number of disadvantages to using IStorage:

  • It is relatively slow, especially for large and complex messages or ones containing many recipients. It may not be able to handle mails with complex OLE objects.
  • It cannot handle more than several hundred recipients.
  • It does not support unicode natively and has issues with some character sets.
  • It does not have built in synchronization between plain text and rich text (HTML, RTF). Therefore some searching will not work.

To add the policy preference, login to the administration console and then:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to edit.
  3. In the General section, click on the Edit button.
  4. Click on the Edit Preferences button.
  5. Set the following preference and then click the Save button:
  • Pref name: mailDisablePSTCacheStore
  • Type: Boolean
  • Value: true

Once the clients have downloaded the modified policy they will be able to automatically decrypt PGP/MIME format messages in Outlook but note that they will still not be able to decrypt PGP-EML format messages.

 

 

Section 5 of 7: Information for Standalone PGP Desktop Clients

Section 5 of 7: Information for Standalone PGP Desktop Clients

Section 5 of 7: Information for Standalone PGP Desktop Clients

If you are using a PGP Desktop client that is not controlled by a PGP Server, then this section will apply, otherwise see the above sections for managed PGP Desktop clients.


We will be setting the values "mailEnablePSTAuthentication" and "mailDisablePSTCacheStore" to true in the PGPprefs.xml file with the following steps:

Step 1: You will need to kill the PGP services before you make these changes.  Click the PGP padlock icon by the time and then click "Exit PGP Services".

Also close Outlook so it is no longer running.

Step2: We set this value to true for both entries in the PGPPrefs.xml file.  To find this file, open Windows Explorer (Windows Key + e) and in the address bar, type the following:

"%appdata%


This will open a location similar to the following:

C:\Users\username-here\AppData\Roaming

Navigate to C:\Users\username-here\AppData\Roaming\PGP Corporation\PGP


Step 3: Right-click and edit the "PGPprefs.xml" file with Notepad++, or Wordpad.  Do not not notepad.exe to edit this file.


Step 4: Do a search for mailDisablePSTCacheStore and set the value underneath to "true" (instead of false) like this:

<key>mailDisablePSTCacheStore</key>
      <true></true>

You will find this value this twice in this file, so make sure you do both.

 

Step 5: Next, do a search for mailEnablePSTAuthentication and set the value to "true" (instead of false) like this:

  <key>mailEnablePSTAuthentication</key>
    <true></true>

Again, this is to be set for both sets.

 

After you have made these changes (4 locations in total in the PGPPrefs.xml file), save the file and close the PGPprefs.xml file.


Step 6: Open the Windows Registry.  You may want to make a backup of this before making the changes. 

Navigate to the following location:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst\
On the right side, double click on pstdisablegrow and change the value to "0" (may have been set to 1).


Step 7: In the same location (HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst\)
On the right side, double click on PSTDisableGrowAllowAuthenticodeOverrides and set the value data to 0 (It was set to 1).

Once you have made these changes, the policies should look like the following:

Once we did this, and re-launched Outlook, the decryption was working just fine.

Once you have made these changes, launch Outlook.  If you already had Outlook running, close and re-launch.

 

The emails should now be decrypting properly.  If not, there may be some other GPO settings that control the PSTs and you may need to work with your security team to allow for PST creation and growth.


Section 6 of 7: Email Encryption and Decryption with Gmail

Section 6 of 7: Email Encryption and Decryption with Gmail

Section 6 of 7: Email Encryption and Decryption with Gmail

If you are using a PGP Encryption Desktop with Gmail, see the following article:
191087 - How to configure PGP Desktop (Symantec Encryption Desktop) to automatically encrypt Gmail in Outlook

 

Section 7 of 7: Unable to decrypt with New Outlook missing PST files (VS Classic Outlook)

Section 7 of 7: Unable to decrypt with New Outlook missing PST files (VS Classic Outlook)

Section 7 of 7: Unable to decrypt with New Outlook missing PST files (VS Classic Outlook)

If you are using one of the newer versions of Outlook, you may have noticed the option to "Try the New Outlook" on the top-right corner:

If you have switched to this new Outlook, Microsoft does not currently allow PST.  As such, it is not possible to automatically decrypt emails with PGP Encryption Desktop.
To be able to decrypt again, simply turn New Outlook mode Off:

Turning off "New Outlook" should restore the decryption capabilities with PGP Encryption Desktop and allow you to use your PST files again.  Alternatively, PGP Viewer can be used to decrypt if needed.
Microsoft will be supporting PST files in the future (No ETA available at this time).  For further guidance, reach out to Symantec Encryption Support and check back at this KB for updates.
EPG-34586/EPG-34586

If you have tried all of the above, contact Symantec Encryption Support for further guidance. 

Additional Information