Symantec FileShare Encryption can encrypt to individual end users' keys. From time to time, one of the keys a file or folder is encrypted to may no longer be known for various reasons, for example because the key no longer exists. When this occurs, only one of these invalid keys can be removed at a time from within the user interface in order to complete the encryption/decryption routines needed. Also, while invalid keys remain in the FileShare user access list, the folder cannot be reencrypted or modified until those invalid keys have been removed.
Upon trying to reencrypt a folder with pgpnetshare.exe which contains invalid keys, the following error can appear:
"Error: Could not resolve key [0x12345678] [-11984]"
Upon trying to reencrypt a folder with the Symantec FileShare Encryption UI, the following error appears:
"One or more user keys is unknown, is revoked, is expired, or is disabled".
These two errors mean that one or more keys are no longer in the Symantec FileShare Encryption keyring or on Symantec Encryption Management Server, and therefore cannot be resolved in order to complete the FileShare operation. This is a known issue that is currently being reviewed.
This issue is fixed in the following release:
Please upgrade to the latest available release in order to take advantage of this and other enhancements and improvements.
Workaround
A workaround to this is to remove the keys via the command line using the Symantec FileShare encryption executable, pgpnetshare.exe.
In order to remove the unknown key, find the keyid associated to the key by doing the following:
Alternatively, if there is a high turnover of user keys for particular FileShare files and folders, Group Keys are a better alternative, as reencryption is not necessary. For more information on group keys, please see the FAQ article HOWTO61299.
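Because the user interface only lets you remove one invalid key at a time, it helps to know the full list of unresolvable key IDs before starting. The following Python helper is an added example, not part of this article or of Symantec's tooling: it parses captured pgpnetshare.exe output for the "Could not resolve key" error format quoted above and returns the unique key IDs (with error code and hit count) that need to be removed. The sample output and the key IDs in it are constructed placeholders, and the script does not invoke pgpnetshare.exe itself, since the removal command-line options are not covered in this article.

```python
import re
from typing import Dict, List

# Matches the error format quoted in the article:
#   Error: Could not resolve key [0x12345678] [-11984]
UNRESOLVED_KEY_RE = re.compile(
    r"Error: Could not resolve key \[(?P<keyid>0x[0-9A-Fa-f]{8,16})\] \[(?P<code>-?\d+)\]"
)

# Constructed sample of pgpnetshare.exe output (placeholder key IDs and paths,
# not real program output). One key appears twice because the same
# unresolvable key can be reported for more than one file in the folder.
SAMPLE_OUTPUT = """\
Processing folder C:\\Shared\\Finance
Error: Could not resolve key [0x12345678] [-11984]
Encrypting C:\\Shared\\Finance\\q1.xlsx
Error: Could not resolve key [0xABCDEF01] [-11984]
Error: Could not resolve key [0x12345678] [-11984]
Done.
"""


def parse_unresolved_keys(output: str) -> Dict[str, Dict[str, int]]:
    """Return a dict keyed by key ID with the reported error code and hit count."""
    found: Dict[str, Dict[str, int]] = {}
    for line in output.splitlines():
        m = UNRESOLVED_KEY_RE.search(line)
        if not m:
            continue  # any other line (progress, file names) is ignored
        keyid = m.group("keyid").lower()  # normalize hex case so duplicates collapse
        entry = found.setdefault(keyid, {"code": int(m.group("code")), "count": 0})
        entry["count"] += 1
    return found


def keys_to_remove(output: str) -> List[str]:
    """Unique unresolvable key IDs in first-seen order: the list to work through."""
    return list(parse_unresolved_keys(output))


if __name__ == "__main__":
    for keyid, info in parse_unresolved_keys(SAMPLE_OUTPUT).items():
        print(f"{keyid}: error {info['code']}, reported {info['count']} time(s)")
```

Redirect the pgpnetshare.exe output to a file, then pass its contents to keys_to_remove; each listed key ID can then be removed in turn before the reencryption is retried.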
Applies To
Symantec FileShare Encryption being managed by Symantec Encryption Management Server.