Unable to remove Unknown keys from Symantec FileShare Files or Folders

Article ID: 159126

Products

File Share Encryption Powered by PGP Technology

Issue/Introduction

Symantec FileShare Encryption can encrypt files and folders to individual end users' keys. From time to time, one of the keys a file or folder is encrypted to is no longer known, for example because the key no longer exists. When this occurs, only one of these invalid keys at a time can be removed from within the user interface in order to complete the required encryption/decryption routines. In addition, while invalid keys remain in the FileShare user access list, the folder cannot be reencrypted or modified until those keys are removed.

When a folder that contains invalid keys is reencrypted with pgpnetshare.exe, the following error can appear:

"Error: Could not resolve key [0x12345678] [-11984]"

When the same folder is reencrypted with the Symantec FileShare Encryption user interface, the following error appears:

"One or more user keys is unknown, is revoked, is expired, or is disabled".


Cause

Both errors mean that one or more keys are no longer present in the Symantec FileShare Encryption keyring or on Symantec Encryption Management Server, so they cannot be resolved in order to complete the FileShare operation. This is a known issue that is currently being reviewed.

Resolution

This issue is fixed in the following release:

  • Symantec Encryption Desktop 10.3.2 MP9

Please upgrade to the latest available release in order to take advantage of this and other enhancements and improvements.


Workaround

The workaround is to remove the keys from the command line using the Symantec FileShare Encryption executable, pgpnetshare.exe.

To remove the unknown key, first find the keyid associated with it:

  1. Right-click the affected file or folder, choose Properties, and open the "Symantec FileShare" tab. Make a note of the keyid values (for example 0x12345678).
  2. Run the following command:

    pgpnetshare.exe --list [file/folder path]

  3. This command lists all the keys the file or folder is encrypted to and should give more detail about which key is unknown, since the Symantec FileShare Encryption user interface only lists keyids and flags the key as unknown. If possible, locate the key and import it into the Symantec FileShare Encryption keyring. If that is not possible, the key must be removed manually by reencrypting.
  4. If the keyid of the invalid key is 0x12345678, reencrypt the folder, specifying only the valid keys it should be encrypted to and omitting the invalid key from the command.
  5. The following command encrypts the folder to only the keyids 0x1234ABCD, 0xABCDABCD, and 0x43214321, signing with 0x1234ABCD; every key not named as a recipient, including the invalid key, is no longer encrypted to. If there is only one invalid key, it can instead be removed in the Symantec FileShare Encryption user interface during the reencryption process:

    pgpnetshare --reencrypt [file/folder path] --recipient 0x1234ABCD --recipient 0xABCDABCD --recipient 0x43214321 --signer 0x1234ABCD --passphrase [passphrase-here]

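As an added example (not Symantec's code), the following Python helper builds the pgpnetshare.exe command from step 5 by taking the keyids noted in step 1, dropping the unresolvable ones, and checking the result before anything runs. It assumes the option names shown above and keyids of the form 0x followed by eight hex digits; the path and key values are constructed placeholders.

```python
# Added example, not Symantec's code: builds the pgpnetshare.exe --reencrypt
# command from the article's workaround while excluding unresolvable keyids.
import re
import subprocess
from typing import Iterable, List

# Keyids in the Symantec FileShare tab look like 0x12345678 (assumption: 8 hex digits).
KEYID_RE = re.compile(r"^0x[0-9A-Fa-f]{8}$")


def build_reencrypt_argv(path: str, current_keys: Iterable[str], unknown_keys: Iterable[str],
                         signer: str, passphrase: str,
                         exe: str = "pgpnetshare.exe") -> List[str]:
    """Return the argv for 'pgpnetshare.exe --reencrypt' that keeps every keyid in
    current_keys except those listed in unknown_keys.

    Raises ValueError for a malformed keyid, an empty resulting access list, or a
    signer that is not one of the remaining recipients (the article's example signs
    with a recipient key; requiring that here is this example's own assumption).
    """
    unknown = {k.lower() for k in unknown_keys}
    kept: List[str] = []
    for key in current_keys:
        if not KEYID_RE.match(key):
            raise ValueError(f"malformed keyid: {key!r}")
        if key.lower() in unknown or key.lower() in (k.lower() for k in kept):
            continue  # drop the unresolvable key (and any duplicate)
        kept.append(key)
    if not kept:
        raise ValueError("no valid recipients would remain; refusing to build the command")
    if signer.lower() not in (k.lower() for k in kept):
        raise ValueError(f"signer {signer} is not among the remaining recipients")
    argv = [exe, "--reencrypt", path]
    for key in kept:
        argv += ["--recipient", key]
    # --passphrase places the secret on the command line, where other local users can
    # read it from the process list; run this from a script rather than an interactive
    # shell that keeps history, and discard the passphrase variable afterwards.
    argv += ["--signer", signer, "--passphrase", passphrase]
    return argv


def run_reencrypt(argv: List[str]) -> int:
    """Execute the built command and return its exit code (0 means success)."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed access list as read from the Symantec FileShare tab; 0x12345678 is
    # the keyid that could not be resolved.
    cmd = build_reencrypt_argv(r"D:\Shares\Finance",
                               ["0x1234ABCD", "0xABCDABCD", "0x43214321", "0x12345678"],
                               ["0x12345678"], signer="0x1234ABCD", passphrase="<passphrase>")
    print(" ".join(cmd))  # review the command before calling run_reencrypt(cmd)
```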

Alternatively, if the user keys for particular FileShare files and folders turn over frequently, Group Keys are the better option, because reencryption is then not necessary. For more information on group keys, see the FAQ article HOWTO61299.

Applies To

Symantec FileShare Encryption being managed by Symantec Encryption Management Server.