
Unable to decrypt PGP Zip files after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above


Article ID: 173613


Products

Encryption Management Server, Desktop Email Encryption, Drive Encryption, File Share Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Endpoint Encryption, Gateway Email Encryption

Issue/Introduction

PGP Desktop 10.4.2 HF1 and above cannot decrypt PGP zip files that were created with Encryption Desktop 10.4.2 and below.

If you are experiencing issues decrypting emails automatically after upgrading to Symantec Encryption Desktop 10.4.2 HF1 or above, please see the following article: Unable to decrypt email after installing Encryption Desktop 10.4.2 HF1 or above.

If you double-click the *.pgp file in Windows File Explorer, the error is:

The PGP Zip may be corrupt. (-10800)

If you right-click the *.pgp file in Windows File Explorer and use the Symantec Encryption Desktop context menu to Decrypt & Verify, the error is:

An error has occurred: PGPError #-10800

This error may also appear:

Decryption blocked. The file that you are trying to decrypt is not secure because it is not encrypted using SEIP (Symmetrically Encrypted Integrity Protected) packets.

Environment

Symantec Encryption Desktop and Symantec Encryption Management Server release 10.5 or above.

Cause

Encryption Desktop 10.5 and above protects against the issue described in the EFAIL report by default. This change was introduced in release 10.4.2 HF1, and it prevents decryption of PGP Zip files if the PGP keys were created before 10.4.2 HF1. Once you have upgraded to 10.4.2 HF1 or above, this protection is active: the client detects SE packets, the older encryption method used with these keys, and blocks decryption.

As part of these security features, PGP Desktop will decrypt PGP Zip files only if they include SEIP packets (the newer method) instead of SE packets (the older method). SEIP packets include an additional integrity protection feature, which mitigates the issue described in the EFAIL report.

For PGP Desktop versions below 10.4.2 HF1, there are two conditions in which files would have been encrypted using the SE packets instead of the more secure/modern SEIP packets:

  1. The key(s) used to encrypt the files are older version 3 keys (keys created with PGP Desktop 10.4.2 GA or older). The current standard is to use version 4 keys (keys created with PGP Desktop 10.4.2 HF1 or above).
  2. The key is a version 4 key, but the preferred cipher is set to something other than AES, and it is missing a Modification Detection flag.

 

Resolution

The best solution is to upgrade your PGP Desktop client to the latest release of the software, generate a new key, and then distribute this new public key to your third parties. Ensure your recipients are running the latest versions to support these version 4 keys as well.


If an Additional Decryption Key (ADK) is being used, it is recommended to replace it with a key generated with release 10.5 or above.  For information on ADK Generation Guidelines, see the following article:

153511 - Additional Decryption Key (ADK) Guidelines for Symantec Encryption Management Server


If you have old content that you still need to decrypt, and are unable to do so after upgrading to PGP Desktop 10.4.2 HF1 or above, reach out to Symantec Encryption Support for further guidance. 

Additional Information

153934 - Encryption Desktop does not automatically decrypt messages in Outlook (Outlook PST Growth Disabled)

150870 - EFAIL Report and Symantec Email Encryption products

173550 - Unable to decrypt email after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above

173613 - Unable to decrypt PGP Zip files after installing Encryption Desktop (PGP Desktop) 10.4.2 HF1 or above
