After upgrading to PGP Encryption Desktop version 10.4.2 HF1 or above, you are unable to decrypt emails automatically. The PGP Viewer can successfully decrypt the email content. The issue occurs when the email was encrypted with a release of PGP Encryption Desktop below 10.4.2 HF1 but is being decrypted by 10.4.2 HF1 or above.
NOTE: If you are experiencing issues decrypting PGP Zip files or other encrypted files after upgrading to Encryption Desktop 10.4.2 HF1 or above, please see article 173613.
Entries like this appear in the PGP Encryption Desktop log file:
MAPI Proxy: Decryption failed with error: PGPError #-12562
In version 10.4.2 HF1 and above, PGP Desktop decrypts emails that are encrypted using the SEIP (Symmetric Encryption Integrity Protection) packets, not just SE (Symmetric Encryption; 10.4.2 GA and older) packets. The Integrity Protection feature mitigates the Efail vulnerability.
When encrypting an email with versions 10.4.2 HF1 and above, PGP Desktop will enforce the use of SEIP (Version 4 keys) packets regardless of the key(s) used to encrypt the email.
For PGP Desktop versions 10.4.2 GA and older, there are two conditions in which emails could be sent using the SE packets instead of the more secure SEIP packets. Both involve keys that would be considered to be old and/or deprecated, especially with the discovery of the Efail vulnerability:
These conditions do not affect emails encrypted by Encryption Desktop 10.4.2 HF1 or above as long as the keys were generated as Version 4 keys.
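To check which packet type a stored message carries, the following added example (not from the original article or the vendor) walks the OpenPGP packet headers defined in RFC 4880 and reports SE (tag 9) or SEIP (tag 18). The function names and the sample byte strings are constructed for illustration.

```python
import base64

# Packet tags from RFC 4880 section 4.3: 9 = SE data, 18 = SEIP data
SE_TAG, SEIP_TAG = 9, 18
# Constructed samples: a dummy 3-byte PKESK packet (tag 1), then a dummy data packet
SAMPLE_SE = bytes([0x84, 3, 0, 0, 0, 0xA4, 4, 1, 1, 1, 1])
SAMPLE_SEIP = bytes([0xC1, 3, 0, 0, 0, 0xD2, 5, 1, 2, 2, 2, 2])

def dearmor(text):
    """Return the binary body of an ASCII-armored OpenPGP message."""
    lines = text.strip().splitlines()
    start = lines.index("") + 1          # armor headers end at the first blank line
    body = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(body))

def packet_tags(data):
    """Walk the packet headers and return the packet tags in order."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        i += 1
        if hdr & 0x40:                   # new-format header, tag in bits 5-0
            tag = hdr & 0x3F
            first = data[i]
            if first < 192:              # one-octet length
                length, i = first, i + 1
            elif first < 224:            # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:           # five-octet length
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:                        # partial body: treat as the final packet
                return tags + [tag]
        else:                            # old-format header, tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:               # indeterminate length: runs to end of data
                return tags + [tag]
            n = 1 << ltype               # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        tags.append(tag)
        i += length
    return tags

def classify(data):
    """Return 'SEIP', 'SE' or 'none' for the encrypted-data packet present."""
    tags = packet_tags(data)
    return "SEIP" if SEIP_TAG in tags else "SE" if SE_TAG in tags else "none"
```

Messages that classify as SE are the ones produced without integrity protection, which is the case this article describes for content encrypted by 10.4.2 GA and older.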
The best solution is to upgrade your PGP Encryption Desktop client to the latest release of the software, generate a new key, and distribute the new public key to your third parties. Ensure your recipients are also running the latest versions so that they support these Version 4 keys.
If an Additional Decryption Key (ADK) is being used, it is recommended to replace it with a key generated with release 10.5 or above. For information on ADK Generation Guidelines, see the following article:
153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server
The steps above will not allow email messages sent or received before upgrading to be decrypted automatically. These messages can be decrypted with PGP Viewer. Note, however, that PGP Viewer does not work correctly with some versions of Outlook.
If you have old content that you still need to decrypt, and are unable to do so after upgrading to PGP Desktop 10.4.2 HF1 or above, reach out to Symantec Encryption Support for further guidance.