PGP Command Line receives the error "invalid key" when trying to encrypt to a PGP key


Article ID: 164074


Products

PGP Command Line

Issue/Introduction

When attempting to encrypt a file or add a user ID to a key with PGP Command Line, you receive the error "invalid key".

Cause

This error appears when the key has not been signed, that is, when the steps have not yet been taken to "validate" that the key is legitimate and is one that should be used for encryption.

To validate that the key is legitimate, you can call the key's owner on the phone and ask for their Key ID. They read you the Key ID, and if it matches the key you hold, you can "Sign" the key to "validate" or "Verify" that it is legitimate and is one that should be used to encrypt sensitive data. Without these steps, PGP Command Line will still encrypt, but it will warn you that you have just encrypted a file to an "Invalid Key", leaving you to question whether you should have done so.

Resolution

Start by listing the keys on your keyring with the following command:

pgp --list-keys

The output lists every key on the keyring with its details. In this example there are two keys, "Bob" and "Sue". Looking closer, Bob's key is a "Keypair" (the private key is present), while for Sue only the "Public" key is present.

"pair" denotes a keypair (private key present), and "pub" denotes only the public portion of a key.

Also note the "VI" under the "Flags" column in the output. The Flags column is important in PGP Command Line: it tells you about the key and whether it is validated and trusted. Notice that Sue's key has no flags.

So, using Sue's public key, let's try to encrypt a file called "filetoencrypt.txt":

You can see that we got the "key invalid" error message. This is because Sue's key has not been signed.

You'll also see that PGP Command Line encrypted the file anyway: "0: output file filetoencrypt.txt.pgp".

If you list the contents of the directory, you'll see that the file was actually created:

You can continue encrypting to invalid keys, or, if you have taken the proper steps and know the key you are encrypting to is legitimate, you can sign the key.

To sign the key run the following command:

pgp --sign-key <user> --signer <signer> --sig-type <type> --passphrase <pass>

As you can see, we signed with Bob's key by entering Bob's passphrase. The passphrase is required so that Bob proves ownership of, and authority over, the signing key.

Now do a listing of the keys again to see if the "Flags" column got updated:

As you can see, there is now a "V" next to Sue's key, meaning "Verified". This means that somebody has gone through the proper steps to validate that this key is legitimate and has signed the key.

Now that we have signed the key, we can try to encrypt the file again (in this example we first delete "filetoencrypt.txt.pgp" so we don't get a different error, that the output file already exists):

PGP Command Line assumes all of this background knowledge, and with it the commands make more sense. To the untrained eye, an "Invalid" key suggests that something is wrong with the key. The only thing that was "wrong" with the key is that PGP Command Line did not know whether it was valid or should be used.

If you are signing a key in PGP Desktop, the signing dialog provides a little more information that gives further context to this issue:

There is a lot of good information here, so take note.

The rest of this article provides more details on signature types and trust levels.

For the signature type, use for example "exportable".

PGP Command Line supports several signature types:

Local means the signature is non-exportable, which means it cannot be sent with the key to a keyserver or exported in any way. Use this signature when you believe the key is valid, but do not want others to rely on your opinion of the key.

Exportable means the signature is exportable. The signature can be sent with the key to a keyserver or exported with the key. Use this signature when you believe the key is valid and you want others to be able to rely on your opinion of the key. They are not obligated to rely on your opinion, however.

Meta-introducer means this is a non-exportable meta-introducer and that this key and any keys signed by this key with a trusted introducer validity assertion are fully trusted introducers to you. This signature type is not exportable.

Trusted-introducer means that you certify that this key is valid and that the owner of the key should be completely trusted to vouch for other keys. This signature type is exportable.

Trust-depth, for meta-introducers and trusted introducers, lets you specify how many levels of trust your signature applies to. The default for a meta-introducer is 2, and the default for a trusted introducer is 1. The maximum depth for both is 8.

Regular-expression lets you establish a domain restriction for trusted introducers. This limits the trusted introducer’s certificate validation capabilities to the domain you enter, for example, example.com.

Set the trust level:

To set the trust level, use the following command:

pgp --set-trust <user> --trust <trust>

As <trust> use for example "marginal".

Trust options:

  • Never (the key is never trusted)
  • Marginal (the key is marginally trusted)
  • Complete (the key is fully trusted)
  • Implicit (the key has ultimate trust)

Example:
pgp --set-trust key --trust complete


The above command sets the trust to complete for the key in question, which is the highest level of trust outside of having an actual keypair.

Bypassing the "key invalid" error code: If signing the key on the local keyring is not possible, such as when using PGP Command Line with USP and Symantec Encryption Management Server, adding the --always-trust option to the command bypasses this error. The command then returns without the "key invalid" error code, without the key actually having been signed.

Example:

pgp --always-trust --encrypt file-to-encrypt.txt --recipient 0x1234ABCD --output encrypted-file.pgp

CAUTION: Always take special care when encrypting to keys. Symantec Corporation always recommends taking the proper steps to validate that the key being used for encryption is a legitimate AND trusted key.

TIP: To validate that you have the right key:

  • Call the recipient on the phone and have them read you the Key ID, and ensure it matches.
  • Call the recipient on the phone and have them read you the biometric fingerprint of the key.
  • Check the signatures on the key to be used for encryption: do any other signatures exist on the key from keys you trust? If you trust other signatures on this key, that provides a level of validation that the key is valid; however, you are then relying on the efforts of the signer, and on their actually having validated the key.
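The walkthrough above (an unsigned key is "invalid" until a trusted key signs it), the signature types with trust depth and domain restriction, the --set-trust levels, and the --always-trust bypass all follow from one validity calculation. The following Python model, added here as an illustration and not PGP Command Line's own code, shows that calculation on a constructed keyring: key IDs, user IDs and the flag letters are invented for the example, and the rule that two marginally trusted signers equal one fully trusted signer is a classic PGP default assumed by the model rather than stated in the article.

```python
# Toy model of PGP key validity (the "V" flag) and owner trust.
# Constructed example, not PGP Command Line's own code; the two-marginals
# rule and the flag letters are assumptions of the model.
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_DEPTH = 8          # article: maximum trust depth for introducers is 8
MARGINALS_NEEDED = 2   # classic PGP default (assumption)
TRUST_LEVELS = ("never", "marginal", "complete", "implicit")


@dataclass
class Signature:
    signer: str                   # key ID of the certifying key
    exportable: bool = True       # "exportable" vs "local" signature
    introducer: bool = False      # trusted-introducer / meta-introducer
    trust_depth: int = 0          # levels the introducer assertion spans
    domain: Optional[str] = None  # regular-expression domain restriction


@dataclass
class Key:
    key_id: str
    user_id: str                  # e.g. "Sue <sue@example.com>"
    keypair: bool = False         # "pair" (private key held) vs "pub"
    trust: str = "never"          # owner trust from --set-trust
    signatures: list = field(default_factory=list)


def sign_key(ring, user, signer, sig_type="exportable", trust_depth=0, domain=None):
    """Model of pgp --sign-key <user> --signer <signer> --sig-type <type>.
    Signatures made by other people's keys arrive with the imported key."""
    introducer = sig_type in ("trusted-introducer", "meta-introducer")
    if introducer and trust_depth == 0:      # article defaults: 1 and 2
        trust_depth = 2 if sig_type == "meta-introducer" else 1
    ring[user].signatures.append(Signature(
        signer, sig_type in ("exportable", "trusted-introducer"),
        introducer, min(trust_depth, MAX_DEPTH), domain))


def set_trust(ring, user, trust):
    """Model of pgp --set-trust <user> --trust <trust>."""
    if trust not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level {trust!r}")
    ring[user].trust = trust


def _trusted_owner(key):
    return key.keypair or key.trust in ("complete", "implicit")


def introducer_depth(ring, key_id, subject, seen=frozenset()):
    """Introducer authority delegated to key_id for certifying `subject`."""
    best = 0
    for sig in ring[key_id].signatures:
        if not sig.introducer or not is_valid(ring, sig.signer, seen | {key_id}):
            continue
        if sig.domain and not re.search(sig.domain, subject.user_id):
            continue                            # domain restriction blocks it
        if _trusted_owner(ring[sig.signer]):
            best = max(best, sig.trust_depth)
        else:                                   # chained introducer, one level deeper
            d = introducer_depth(ring, sig.signer, subject, seen | {key_id})
            best = max(best, min(sig.trust_depth, d - 1))
    return best


def certification_weight(ring, signer_id, subject, seen):
    signer = ring[signer_id]
    if not is_valid(ring, signer_id, seen):
        return 0                                # an invalid key vouches for nothing
    if _trusted_owner(signer) or introducer_depth(ring, signer_id, subject, seen) >= 1:
        return MARGINALS_NEEDED
    return 1 if signer.trust == "marginal" else 0


def is_valid(ring, key_id, seen=frozenset()):
    """True when the key would show the "V" flag in pgp --list-keys."""
    key = ring[key_id]
    if key.keypair:                             # your own keypair: always valid
        return True
    if key_id in seen:                          # break signature cycles
        return False
    seen = seen | {key_id}
    return sum(certification_weight(ring, s.signer, key, seen)
               for s in key.signatures) >= MARGINALS_NEEDED


def flags(ring, key_id):
    """Flags column: V = valid, I = implicitly trusted (the article's "VI")."""
    key = ring[key_id]
    valid = "V" if is_valid(ring, key_id) else ""
    return valid + ("I" if key.keypair or key.trust == "implicit" else "")


def encrypt(ring, filename, recipient, always_trust=False):
    """Model of pgp --encrypt: the output file is produced either way; the
    "key invalid" error is only the status reported for an unvalidated key."""
    error = None if always_trust or is_valid(ring, recipient) else "key invalid"
    return {"output": filename + ".pgp", "error": error}


def demo():
    """The article's Bob/Sue scenario, then an introducer with a domain limit."""
    ring = {kid: Key(kid, uid, keypair=(kid == "0xB0B0B0B0")) for kid, uid in [
        ("0xB0B0B0B0", "Bob <bob@example.com>"),      # constructed key IDs
        ("0x5E5E5E5E", "Sue <sue@example.com>"),
        ("0xCA401CA4", "Carol <carol@example.com>"),
        ("0xDA7EDA7E", "Dave <dave@example.com>"),
        ("0xE7E7E7E7", "Eve <eve@other.org>")]}
    out = {"sue_before": encrypt(ring, "filetoencrypt.txt", "0x5E5E5E5E")["error"]}
    sign_key(ring, "0x5E5E5E5E", "0xB0B0B0B0")          # Bob signs Sue's key
    out["sue_flags"] = flags(ring, "0x5E5E5E5E")
    out["sue_after"] = encrypt(ring, "filetoencrypt.txt", "0x5E5E5E5E")["error"]
    # Bob makes Carol a trusted introducer for example.com addresses only
    sign_key(ring, "0xCA401CA4", "0xB0B0B0B0", "trusted-introducer", domain=r"example\.com")
    sign_key(ring, "0xDA7EDA7E", "0xCA401CA4")          # Carol certifies Dave
    sign_key(ring, "0xE7E7E7E7", "0xCA401CA4")          # and Eve, outside her domain
    out["dave_valid"] = is_valid(ring, "0xDA7EDA7E")
    out["eve_valid"] = is_valid(ring, "0xE7E7E7E7")
    out["eve_always_trust"] = encrypt(ring, "f.txt", "0xE7E7E7E7", always_trust=True)["error"]
    return out
```

Running demo() reproduces the article's sequence: encrypting to Sue first reports "key invalid" (while still naming an output file), Bob's signature turns her flags into "V" and clears the error, Carol's introducer signature makes Dave valid but not Eve because of the example.com restriction, and --always-trust silences the error for Eve without changing her validity. Note that the model, like the real tool, only answers "has a key I trust vouched for this key"; it cannot tell you whether the phone call in the TIP above actually happened.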


For more information please refer to the Symantec PGP Command Line Users Guide.