Unable to decrypt email after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above

Article ID: 173550

Products

  • Desktop Email Encryption
  • Encryption Management Server
  • Drive Encryption
  • Endpoint Encryption
  • File Share Encryption
  • Gateway Email Encryption
  • PGP Command Line
  • PGP Key Management Server
  • PGP Key Mgmt Client Access and CLI API
  • PGP SDK

Issue/Introduction

After upgrading to Encryption Desktop 10.4.2 HF1 or above, Encryption Desktop no longer decrypts some email automatically, although PGP Viewer can still decrypt the same content. The issue affects email that was encrypted by a release below 10.4.2 HF1 and is being decrypted by 10.4.2 HF1 or above.

NOTE: If you are experiencing issues decrypting PGP Zip files or other encrypted files after upgrading to Encryption Desktop 10.4.2 HF1 or above, please see article 173613.

Entries like this appear in the Encryption Desktop log file:

MAPI Proxy: Decryption failed with error: PGPError #-12562

Environment

  • Symantec Encryption Desktop 10.4.2 HF1 and above.
  • Symantec Encryption Management Server 3.4.2 HF1 and above.

Cause

Encryption Desktop 10.4.2 HF1 introduced mitigations for the Efail vulnerability. Efail affects both PGP-encrypted and S/MIME-encrypted email.

In version 10.4.2 HF1 and above, PGP Desktop decrypts only email that was encrypted with SEIP (Symmetrically Encrypted Integrity Protected Data) packets. It no longer decrypts email built from plain SE (Symmetrically Encrypted Data) packets, which 10.4.2 GA and older clients could still produce. The integrity protection carried by SEIP packets, the Modification Detection Code (MDC), is what mitigates the attack described in the Efail report: a tampered ciphertext is rejected instead of being handed to the mail client.

When encrypting an email, versions 10.4.2 HF1 and above always produce SEIP packets (the format associated with Version 4 keys), regardless of the version or cipher preferences of the recipient key(s).

For PGP Desktop 10.4.2 GA and older, there are two conditions under which email could be sent using SE packets instead of the more secure SEIP packets. Both involve keys that should be considered old or deprecated, especially in light of the Efail vulnerability:

  1. The email is encrypted to one or more Version 3 keys. The current standard is Version 4 keys.
  2. The email is encrypted to Version 4 key(s) whose preferred cipher is set to something other than AES and whose key preferences lack the Modification Detection feature flag.

These conditions do not affect email encrypted by Encryption Desktop 10.4.2 HF1 or above, as long as the keys in use were generated as Version 4 keys.
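To see which packet type a given message actually uses, and whether a given public key meets either SE-fallback condition, the following Python walks the OpenPGP packet structure directly. This is an added diagnostic example, not Symantec code and not a documented product interface; packet tags, header formats and signature subpacket types are those of RFC 4880, and the sample messages and keys are constructed inline with filler bytes and toy MPIs rather than real ciphertext or key material. The message check decides SE versus SEIP (what HF1 keys its decryption decision on); the key check reads the key version, the preferred symmetric algorithm and the Features flag (the two conditions listed above).

```python
"""OpenPGP packet walker for the 10.4.2 HF1 behaviour described above (added example,
not Symantec/Broadcom code). Reports whether a binary OpenPGP message carries its
ciphertext in an SE packet (tag 9, no integrity protection, rejected by HF1+) or an
SEIP packet (tag 18, MDC-protected, accepted), and whether a public key meets either
SE-fallback condition (v3 key, or v4 key with non-AES preferred cipher and no
Modification Detection feature flag). Layouts follow RFC 4880 sections 4.2, 5.1,
5.2.3 and 5.5; all sample inputs below are constructed and the ciphertext is filler."""
SE_TAG, SEIP_TAG, PUBKEY_TAG, SIG_TAG = 9, 18, 6, 2
AES_IDS = {7, 8, 9}                                   # symmetric algorithm ids for AES-128/192/256
SUBPKT_PREF_SYM, SUBPKT_FEATURES, FEATURE_MDC = 11, 30, 0x01

def _new_len(buf, pos):
    """Decode a new-format length at buf[pos] (RFC 4880 4.2.2); returns (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not handled in this example")

def iter_packets(buf):
    """Yield (tag, body) for every packet in a binary (dearmored) OpenPGP stream."""
    pos = 0
    while pos < len(buf):
        ctb = buf[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header 0x{ctb:02x} at offset {pos}")
        if ctb & 0x40:                                # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            length, pos = _new_len(buf, pos + 1)
        else:                                         # old-format header: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled in this example")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
            pos += 1 + n
        yield tag, buf[pos:pos + length]
        pos += length

def classify_message(buf):
    """Return 'SEIP', 'SE' or 'none' according to the encrypted-data packet present."""
    tags = {tag for tag, _ in iter_packets(buf)}
    return "SEIP" if SEIP_TAG in tags else "SE" if SE_TAG in tags else "none"

def hf1_can_decrypt(buf):
    """True when a 10.4.2 HF1+ client will auto-decrypt this message (SEIP only)."""
    return classify_message(buf) == "SEIP"

def _subpackets(area):
    """Yield (type, data) from a v4 signature subpacket area (type high bit = critical)."""
    pos = 0
    while pos < len(area):
        length, pos = _new_len(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def check_key(buf):
    """Check a transferable public key against the two SE-fallback conditions."""
    info = {"key_version": None, "aes_preferred": False, "mdc_flag": False}
    for tag, body in iter_packets(buf):
        if tag == PUBKEY_TAG and info["key_version"] is None:
            info["key_version"] = body[0]             # version octet of the primary key packet
        elif tag == SIG_TAG and body[0] == 4:         # v4 self-signature: hashed subpackets at offset 6
            hashed_len = int.from_bytes(body[4:6], "big")
            for stype, data in _subpackets(body[6:6 + hashed_len]):
                if stype == SUBPKT_PREF_SYM and data and data[0] in AES_IDS:
                    info["aes_preferred"] = True      # first listed cipher is the preferred one
                elif stype == SUBPKT_FEATURES and data and data[0] & FEATURE_MDC:
                    info["mdc_flag"] = True
    v = info["key_version"]
    info["will_fallback_to_se"] = v == 3 or (v == 4 and not info["aes_preferred"] and not info["mdc_flag"])
    return info

# --- constructed sample data: toy MPIs, filler ciphertext, not real key material ---
_PKESK = bytes([3]) + bytes.fromhex("0102030405060708") + bytes([1]) + bytes.fromhex("0008AB")  # v3 PKESK, RSA
_FILLER = bytes(range(16))
MSG_SE = bytes([0x84, len(_PKESK)]) + _PKESK + bytes([0xA4, len(_FILLER)]) + _FILLER          # pre-HF1, legacy key
MSG_SEIP = bytes([0xC1, len(_PKESK)]) + _PKESK + bytes([0xD2, 1 + len(_FILLER), 0x01]) + _FILLER  # HF1+, SEIP v1

def _v4_key(hashed_subpackets):
    """Toy transferable v4 RSA key whose self-signature carries the given hashed subpackets."""
    pubkey = bytes.fromhex("04" "00000000" "01" "0008AB" "000203")              # version, time, RSA, n, e
    sig = (bytes.fromhex("04130108") + len(hashed_subpackets).to_bytes(2, "big") + hashed_subpackets
           + b"\x00\x00" + b"\xab\xcd" + bytes.fromhex("0008AB"))               # no unhashed area, left16, MPI
    return bytes([0xC6, len(pubkey)]) + pubkey + bytes([0xCD, 5]) + b"alice" + bytes([0xC2, len(sig)]) + sig

KEY_V4_GOOD = _v4_key(bytes.fromhex("040B090807" "021E01"))   # prefers AES-256/192/128, MDC feature set
KEY_V4_LEGACY = _v4_key(bytes.fromhex("020B02"))              # prefers CAST5 only, no Features subpacket
KEY_V3 = bytes([0xC6, 14]) + bytes.fromhex("03" "00000000" "0000" "01" "0008AB" "000203") + bytes([0xCD, 5]) + b"alice"

if __name__ == "__main__":
    for name, msg in (("MSG_SE", MSG_SE), ("MSG_SEIP", MSG_SEIP)):
        print(f"{name}: {classify_message(msg)}, HF1 auto-decrypt: {hf1_can_decrypt(msg)}")
    for name, key in (("KEY_V3", KEY_V3), ("KEY_V4_LEGACY", KEY_V4_LEGACY), ("KEY_V4_GOOD", KEY_V4_GOOD)):
        print(f"{name}: {check_key(key)}")
```

Feed `classify_message` the binary form of a message; for ASCII-armored `.asc` files, `gpg --dearmor` produces that form, and `gpg --list-packets` on the same file shows the same encrypted-data packet distinction. A key that `check_key` reports as falling back to SE is exactly the kind of key the Resolution section says to replace.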

Resolution

The best solution is to upgrade the PGP Desktop client to the latest release, generate a new key, and distribute the new public key to your third parties. Ensure your recipients are also running current versions that support these Version 4 keys.


If an Additional Decryption Key (ADK) is in use, replace it with a key generated with release 10.5 or above. For ADK generation guidelines, see the following article:

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server

Decrypting older email messages

The steps above do not allow email sent or received before the upgrade to be decrypted automatically. Those messages can be decrypted with PGP Viewer. Note, however, that PGP Viewer does not work correctly with some versions of Outlook.

If you still need to decrypt old content and cannot do so after upgrading to PGP Desktop 10.4.2 HF1 or above, contact Symantec Encryption Support for further guidance.

Additional Information

153934 - Encryption Desktop does not automatically decrypt messages in Outlook (Outlook PST Growth Disabled)

150870 - EFAIL Report and Symantec Email Encryption products

173613 - Unable to decrypt PGP Zip files after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above