One or more keys cannot be used for encryption. (Applies to all keys included the ADK)


Article ID: 156934


Updated On:


Symantec Products


When I try to encrypt a file I receive an error "One or more keys cannot be used for encryption" and the encryption aborts.


Each subkey can have its own key usage properties. For example, one subkey could be used for PGP WDE only, and another could be used for all other PGP Desktop functions.

An example of why you would want to set the key usage of a key, is when you want to use a key for disk encryption only but you do not want to receive encrypted email. If you distribute your public key that does not allow for PGP Messaging, then email sent by another user would not be encrypted to your public key. The same applies for example for PGP NetShare. If you try to encrypt a folder using PGP NetShare and your key does not contain the NetShare usage flag, you will not be able to encrypt the folder and receive the error mentioned above.

The same issue can occur with the ADK. If you add an ADK to the Universal Server and the ADK does not have key usage flags for PGP NetShare then you will not be able to encrypt the files and receive the error mentioned above.


For PGP Desktop in a standalone environment:

To specify key usage:

1. Open PGP Desktop, click the PGP Keys control box, then click All Keys. All keys on your Keyring appear.

2. View the properties of a key by doing one of the following:
  • Double-clicking the key you want to view.
  • Right-clicking on the key, then selecting Key Properties from the shortcut menu. 
  • Clicking to select the key in the Keyring, then selecting Keys > Key Properties.
The Key Properties dialog box for the key you selected is displayed.
3. Click the Subkeys heading in the Key Properties dialog box. The Subkeys for this key are displayed.
4. To view the properties of a subkey, right-click the subkey you want to view and select Subkey Properties from the shortcut menu.
5. Under the Key Usage section, select the PGP Desktop functions for which this key can be used. A check next to the item indicates the key can be used for that function.
6. Click Close to save the subkey properties.

 For PGP Desktop in a Universal Server managed environment:

In a PGP Universal Server managed environment the key usage flags are added during the enrollment, depending on what features are enabled in the Consumer Policy.

As an example let's say you have now decided to use PGP for encrypting emails, but the subkey does not have the Messaging Flag. In this case you will first have to enable the Messaging feature in the consumer policy. Please refer to the following KB article on how to enable Messaging in the Consumer Policy.

Please note that the key usage flag will not be automatically added to the key. You will need to perform an action that requires a passphrase entry. For example, encrypt and decrypt a file to/with your own key or change the passphrase. Once this has been done the key usage flag will be added to the key. After the keyflag is added the key has to be synchronized to the server in order to allow other users to encrypt mails to this key. This is done automatically during the next policy update or when you manually select "Update Policy" from the PGP Tray icon context menu.


Note: If you are in a PGP Universal Server managed environment and your key mode is SKM, you cannot make changes to the key usage flags.