
PGP Command Line receives the error "invalid key" when trying to encrypt to a PGP key


Article ID: 164074


Products

PGP Command Line

Issue/Introduction

When attempting to encrypt a file or add a user ID to a key with PGP Command Line, you receive the error "invalid key".

Cause

This error appears if the key is not signed and verified, that is, the key on your keyring has not been certified by a signature and assigned a trust level. To check the status of the key run the following command:

pgp --list-keys --verbose

This command displays the details of the key, similar to the following:

Key Details: Company

Key ID: 0x348G4562

Type: RSA (v4) public
Size: 1024

--> Validity: Invalid <--

Trust: Never
Created: 2011-04-05
Expires: Never
Status: Active
Cipher: AES-128
Cipher: AES-192

Resolution

This is resolved by signing the PGP key.

To sign the key run the following command:

pgp --sign-key <user> --signer <signer> --sig-type <type> --passphrase <pass>

As the signature type (<type>) use, for example, "exportable".

PGP Command Line supports several signature types:

Local means the signature is non-exportable, which means it cannot be sent with the key to a keyserver or exported in any way. Use this signature when you believe the key is valid, but do not want others to rely on your opinion of the key.

Exportable means the signature is exportable. The signature can be sent with the key to a keyserver or exported with the key. Use this signature when you believe the key is valid and you want others to be able to rely on your opinion of the key. They are not obligated to rely on your opinion, however.

Meta-introducer means this is a non-exportable meta-introducer and that this key and any keys signed by this key with a trusted introducer validity assertion are fully trusted introducers to you. This signature type is not exportable.

Trusted-introducer means that you certify that this key is valid and that the owner of the key should be completely trusted to vouch for other keys. This signature type is exportable.

Trust-depth for meta-introducers and trusted introducers allows you to specify how many levels of trust your signature applies to. The default for meta introducer is 2, the default for trusted introducers is 1. The maximum depth for both is 8.

Regular-expression lets you establish a domain restriction for trusted introducers. This limits the trusted introducer’s certificate validation capabilities to the domain you enter. For example, example.com.


Set the trust level:

To set the trust level use the following command:

pgp --set-trust <user> --trust <trust>

As <trust> use, for example, "marginal".


Trust options:

Never (the key is never trusted),

Marginal (the key is marginally trusted),

Complete (the key is fully trusted),

Implicit (the key has ultimate trust).

Example:
pgp --set-trust key --trust complete


The above command sets the trust to complete for the key in question, which is the highest level of trust short of implicit trust, which applies only to keys for which you hold the actual keypair.

Bypassing the "invalid key" error: If signing the key on the local keyring is not possible, such as when using PGP Command Line with USP and Symantec Encryption Management Server, adding the --always-trust option to the command bypasses the validity check. The command then returns without the "invalid key" error even though the key has not been signed.

Example:

pgp --always-trust --encrypt file-to-encrypt.txt --recipient 0x1234ABCD --output encrypted-file.pgp

CAUTION: Always take special care when encrypting to keys. Symantec Corporation always recommends taking proper steps to validate that the key being used for encryption is a legitimate AND trusted key.

TIP: To validate that you have the correct key:

  • Call the recipient on the phone, have them read the Key ID to you, and ensure it matches.
  • Call the recipient on the phone, and have them read the biometric fingerprint of the key to you.
  • Check the signatures on the key to be used for encryption: do any other signatures exist on the key from signers you trust? If so, this provides a level of validation that the key is valid; however, you are then relying on the signer's efforts and on the assumption that they actually validated the key.
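The following script is an added example and not code from the Symantec article: it parses the Validity and Trust fields of the "pgp --list-keys --verbose" output shown above and refuses to encrypt (printing the sign-key/set-trust remedy) instead of falling back to --always-trust. It assumes the field layout shown in the article, including the "--> ... <--" markers around a flagged line, and that "pgp --list-keys --verbose <user>" accepts a key ID argument; the safe_encrypt wrapper and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Symantec article: gate encryption on the
# Validity/Trust fields that "pgp --list-keys --verbose" prints, instead of
# reaching for --always-trust. Assumes the field layout shown in the article,
# where a flagged line is wrapped as "--> Validity: Invalid <--".

# Print the value of one field (e.g. Validity, Trust) from a listing on stdin,
# ignoring the "--> ... <--" markers PGP Command Line puts around flagged lines.
key_field() {
    sed -n "s/^[[:space:]]*\(-->[[:space:]]*\)*$1:[[:space:]]*\([A-Za-z-]*\).*/\2/p" | head -n 1
}

# Succeed only when the key would not trigger "invalid key": Validity must not
# be Invalid and Trust must not be Never (both appear in the article's output).
key_usable() {
    validity=$(printf '%s\n' "$1" | key_field Validity)
    trust=$(printf '%s\n' "$1" | key_field Trust)
    case "$validity" in Invalid|'') return 1 ;; esac
    case "$trust" in Never|'') return 1 ;; esac
    return 0
}

# Hypothetical wrapper: encrypt only after the check passes; on failure print
# the article's remedy (sign the key, then set trust) rather than silently
# adding --always-trust. The pgp options are the ones the article documents.
safe_encrypt() {
    listing=$(pgp --list-keys --verbose "$1") || return 1
    if key_usable "$listing"; then
        pgp --encrypt "$2" --recipient "$1" --output "$3"
    else
        echo "key $1 is not signed/trusted: run pgp --sign-key and pgp --set-trust first" >&2
        return 2
    fi
}

# Constructed samples in the article's "Key Details" layout (not real keys).
SAMPLE_INVALID='Key Details: Company
Key ID: 0x348G4562
Type: RSA (v4) public
--> Validity: Invalid <--
Trust: Never
Created: 2011-04-05'

SAMPLE_VALID='Key Details: Company
Key ID: 0x1234ABCD
Validity: Valid
Trust: Complete'
```

Usage: safe_encrypt 0x1234ABCD file-to-encrypt.txt encrypted-file.pgp; a non-zero exit code tells a calling script that the key still needs to be signed and trusted.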


For more information please refer to the Symantec PGP Command Line Users Guide.