
Cannot decrypt PGP Zip files created with earlier releases of Encryption Desktop


Article ID: 173613


Products: Encryption Management Server, Desktop Email Encryption, Drive Encryption, File Share Encryption

Issue/Introduction

Encryption Desktop 10.4.2 MP1 and above cannot decrypt PGP Zip files that were created with Encryption Desktop 10.4.2 and below.

If you are experiencing issues decrypting emails automatically after upgrading to Symantec Encryption Desktop 10.4.2 MP1 or above, please see the following article: Unable to decrypt email after installing Encryption Desktop 10.4.2 MP1 or above.

If you double click on the *.pgp file from Windows File Explorer the error is:

The PGP Zip may be corrupt. (-10800)

If you right click on the *.pgp file from Windows File Explorer and use the Symantec Encryption Desktop context menu to Decrypt & Verify the error is:

An error has occurred: PGPError #-10800

This error may also appear:

Decryption blocked. The file that you are trying to decrypt is not secure because it is not encrypted using SEIP (Symmetrically Encrypted Integrity Protected) packets.

Cause

Encryption Desktop 10.5 and above protects against the EFAIL vulnerability. This protection was introduced in release 10.4.2 MP1, and it causes decryption failures for PGP Zip files created with release 10.4.2 and below that used SE packets for encryption.

As part of these security features, Encryption Desktop will only decrypt PGP Zip files that use SEIP packets rather than SE packets. SEIP packets add an integrity protection check, which mitigates the EFAIL vulnerability.

Encryption Desktop 10.5 and above enforces the use of SEIP packets when encrypting, regardless of the key(s) used.

For Encryption Desktop versions below 10.4.2 MP1, there are two conditions under which files would have been encrypted using SE packets instead of the more secure SEIP packets. Both involve keys that would be considered old or deprecated, especially since the discovery of the EFAIL vulnerability.

  1. The key(s) used to encrypt the files are older version 3 keys. The current standard is to use version 4 keys.
  2. The key is a version 4 key, but its preferred cipher is set to something other than AES and it lacks the Modification Detection flag.

Again, these conditions do not affect files encrypted by Encryption Desktop 10.5 or above, which uses the more secure SEIP packets for PGP Zip files.
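To confirm which packet type a given .pgp file actually carries before opening a support case, the following added example (not part of this article or of Symantec's software) walks the OpenPGP packet headers per RFC 4880 and reports whether the message uses an SEIP packet (tag 18) or a plain SE packet (tag 9). It needs no key, since only headers are read; the sample messages are constructed for illustration, and a result of "SE" corresponds to the "Decryption blocked" case described above.

```python
# Added example (not from the article or Symantec's code): scan an OpenPGP
# message's packet headers (RFC 4880 section 4.2) to see whether it carries an
# SEIP packet (tag 18, integrity protected) or a plain SE packet (tag 9).
SE, SEIP = 9, 18  # packet tags from RFC 4880 section 4.3

def iter_packets(data: bytes):
    """Yield (tag, body) for each top-level packet in a binary OpenPGP message."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new format: tag in low 6 bits, length encoding per 4.2.2
            tag, body, partial = ctb & 0x3F, b"", True
            while partial:
                first, partial = data[pos], False
                pos += 1
                if first < 192:
                    n = first
                elif first < 224:
                    n = ((first - 192) << 8) + data[pos] + 192
                    pos += 1
                elif first == 255:
                    n = int.from_bytes(data[pos:pos + 4], "big")
                    pos += 4
                else:  # partial body length: another length octet follows the chunk
                    n, partial = 1 << (first & 0x1F), True
                body += data[pos:pos + n]
                pos += n
        else:  # old format: tag in bits 5..2, length-type in bits 1..0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            width = (1, 2, 4, 0)[ltype]  # type 3 = indeterminate, runs to end
            n = int.from_bytes(data[pos:pos + width], "big") if width else len(data) - pos
            pos += width
            body = data[pos:pos + n]
            pos += n
        yield tag, body

def encryption_packet_kind(data: bytes) -> str:
    """'SEIP', 'SE' or 'none': which encrypted-data packet the message uses."""
    tags = {tag for tag, _ in iter_packets(data)}
    return "SEIP" if SEIP in tags else "SE" if SE in tags else "none"

# Constructed sample messages (only the headers matter; bodies are dummy bytes).
# Old-format SE header 0xA4 = 1 0 1001 00: tag 9, one-octet length.
SAMPLE_SE = bytes([0xA4, 0x05]) + b"\x11\x22\x33\x44\x55"
# New-format PKESK (0xC1, tag 1) followed by SEIP (0xD2, tag 18, body starts 0x01).
SAMPLE_SEIP = bytes([0xC1, 0x03, 0x03, 0xAA, 0xBB, 0xD2, 0x06, 0x01]) + b"\x11\x22\x33\x44\x55"
```

Run `encryption_packet_kind(open("file.pgp", "rb").read())` on a real binary PGP Zip; ASCII-armored files must be dearmored first.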

Environment

Symantec Encryption Desktop and Symantec Encryption Management Server release 10.5 or above.

Resolution

Upgrade Encryption Desktop clients to release 10.5 or above and generate a new key. Distribute the new public key to third parties.

If an ADK (Additional Decryption Key) is being used, please replace it with a key generated with release 10.5 or above.

However, decrypting files encrypted with old keys will still cause difficulties. If this is an issue, you can add a policy preference that bypasses the SE packet integrity-protection check and allows older keys to be used. Please contact support for details on how to enable older keys to be used.
