Desktop Email Encryption


Exporting private key from Symantec Encryption Desktop

  • 1.  Exporting private key from Symantec Encryption Desktop

    Posted Apr 08, 2014 04:43 PM

    Please excuse the interruption. I'm experiencing some challenges in attempting to export a private key from Symantec Encryption Desktop. Apologies in advance for any errors in my misunderstanding of how keys work - while I'm familiar with the basic concepts, I don't pretend to fully understand all of the workings of public and private keys.

    In any event, what I've done is to import a certificate (ending with .pfx) I obtained from startssl.com for use with e-mail. The original intent was to use it within Outlook and for that it works just fine. I then discovered that I could import the certificate into SED and use it there instead of a separate PGP key pair generated, which held a bit of appeal to me since it would eliminate the need for the separate PGP key pair. So I went ahead and imported it and did a few test e-mails. Everything went fine, so I retired my other PGP key pair (but kept it of course to read old e-mails). 

    Anyway, I'll readily admit that I'm not quite sure exactly what SED does when it imports the cert. It looks and behaves just like any other PGP key, and I can see it show up both under "All Keys" and "My Private Keys". I can also export the public key. However, I cannot seem to export the private key. When I try to do so, the option to "Include Private Key(s)" is grayed out. 

    In case you're wondering why I'm trying to do this, I am also attempting to set up an encrypted mail client on my mobile phone. I imported the original certificate into that client, but for some reason, can't decrypt e-mail that has been sent to me using the public key generated within SED from the imported certificate. I suspect that SED has done something in order to "convert" the certificate into an equivalent PGP key pair, if that makes any sense, so am attempting to export that key pair to import into the encryption software on my phone, assuming that makes any sense.

    In any event, I'd just like to figure out how to export the private key. If you have any thoughts or suggestions do let me know.

    Thanks,

    David



  • 2.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Apr 08, 2014 04:48 PM

    Also - I did try to search around the forums - closest thing I found was this - https://www-secure.symantec.com/connect/forums/exporting-pgp-private-key-was-cert. But unfortunately no apparent solution.



  • 3.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Apr 09, 2014 12:13 AM

    After importing the certificate file (.pfx) into SED,

    Did you make sure that the test emails were actually encrypting to the new certificate?

    Also, were you able to encrypt and decrypt any test files using PGP Zip with only the new certificate?

    There is a possibility that the certificate file (.pfx) has only imported the public key into SED; you need to check if the private key is also included in that file (.pfx).




  • 4.  RE: Exporting private key from Symantec Encryption Desktop

    Broadcom Employee
    Posted Apr 09, 2014 07:34 AM

    Hi David,

    I guess you used the File > Import Certificate option in the SED, is this correct?
    In that case you will also need to import the .pfx into the phone certificate store.


    Rgs,
    dcats



  • 5.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Apr 09, 2014 11:36 AM

    Thanks very much to both of you. Just to respond to your questions:

    - Yes, e-mails were encrypted to the certificate. To make sure this was the case, I had deleted the old PGP key out of SED altogether (after backing it up) and confirmed I could still read encrypted e-mails that were sent to me.

    - I have not attempted to use PGP Zip as I don't use that functionality. However, I have just tried it and it seems to work just fine, encrypting and decrypting, using the certificate and not the old PGP keypair. It shows the Key ID associated with the cert.

    - I am quite certain that I have imported the private key from the pfx file. When I click on "My Private Keys", it appears there. In addition, I can decrypt, on SED, messages that have been encrypted using the public key associated with the cert, which presumably would not be possible if I had not imported the private key. 

    - Yes, I used the File, Import Certificate option in SED. The certificate was already imported into the Windows Personal Certificates store.

    - I have already imported the pfx into the e-mail encryption app on my phone. I have not imported the pfx into the phone certificate store. Interestingly, while I can send an encrypted e-mail using my phone, which I can then read on Outlook using SED, I can't read an encrypted e-mail on my phone which is sent from Outlook using SED.



  • 6.  RE: Exporting private key from Symantec Encryption Desktop

    Broadcom Employee
    Posted Apr 09, 2014 11:40 AM

    Hi David,

    You can send the encrypted email because you only need access to the public key to encrypt. (To sign the message you need the private part).
    If you will attempt to sign it should fail.

    To decrypt you need the private portion of the key (which is in the machine where you run Outlook), while to confirm a signature you need access to the public part.


    Rgs,
    dcats



  • 7.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Apr 09, 2014 11:45 AM

    Also - if this is of any help, everything works just fine with PGP - with my old PGP keypair, I was able to export my private key, import it on my phone, and send and receive e-mail seamlessly. I can't seem to do that with the cert though and can't seem to export the private key for the cert from SED.



  • 8.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Apr 09, 2014 11:59 AM

    Thanks dcats. Were you referring to the last bullet? Just to clarify, I went through that exercise to test compatibility between the phone and SED. So for e-mails originating in either, I signed and encrypted. Sending a signed, encrypted message from the phone and attempting to read it in Outlook using SED works just fine. SED decrypts and verifies the signature. However, sending from Outlook using SED (encrypted and signed) does not work - I can't read the message on my phone. The same also applies to any other e-mail sent to me using the public key I exported from SED related to the certificate - fine on SED; not fine on the phone. This is why I'm trying to find a way to export a private key from SED to import onto my phone - the only thing I can think of is that SED somehow processes the cert or creates a different private key, which would be needed on other devices (like my phone).



  • 9.  RE: Exporting private key from Symantec Encryption Desktop

    Broadcom Employee
    Posted Apr 10, 2014 04:40 AM

    Hi David,

    Then your issue is probably not related to the key, but to the encoding.

    Please have a look at this article:
    Compatibility Between Different Mobile Encryption Clients and Encryption Formats - TECH203927.


    Rgs,
    dcats




  • 10.  RE: Exporting private key from Symantec Encryption Desktop

    Posted Sep 10, 2014 08:02 PM

    In the unlikely event someone finds themselves in the same position, here is the solution I finally figured out through trial and error: 

    1. Don't bother trying to export SED private keys associated with certificates - it just doesn't work for some reason.
    2. Find your secring.skr folder. It's usually in /Documents/PGP/. Move it onto your Android phone.
    3. Download APG. Import secring.skr into APG. It should tell you that you have imported a private/secret key.
    4. In APG, click on the upper left corner where it says APG and select Contacts. It should display your private keys under "My Keys".
    5. Click on Menu. One of the options should be "Export all secret keys". Export into whatever directory you want. The exported file will be a plaintext version of your PGP key.
    6. Import the exported file into the app of your choice. In my case I was able to import into R2Mail and use it.

    In case you're wondering:

    • While APG is great, I wanted an encryption solution that was better integrated with e-mail. Since I can't use K-9 with my office's Exchange server, I can't use the nice APG - K-9 integration. An inability to copy and paste from the standard Android e-mail client also made using APG very inconvenient.
    • The secring.skr can't be imported directly into some applications - notably, in my case, R2Mail couldn't import the file, hence the need to first import to APG, then export out in plaintext.
    • I still have no idea at all why I couldn't simply export directly from SED when I was able to do the above. This suggests (IMHO) that it wasn't an encoding error but rather an issue (bug?) in SED.
    • Just to confirm, everything works just fine in R2Mail. I can successfully send and receive encrypted e-mail using public and private keys.
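An added example, not from this thread or from Symantec, APG or R2Mail: it does the two checks the thread turns on. It walks the packet headers of an OpenPGP binary keyring such as secring.skr (RFC 4880) to report whether the file actually carries secret-key packets (what post 3 asks about), and wraps the bytes in the ASCII armor that the "plaintext" export in step 5 produces. The sample bytes are constructed and are not a real key.

```python
import base64

def parse_packets(data: bytes):
    """Return [(tag, body), ...] for an OpenPGP binary packet stream (RFC 4880 4.2)."""
    i, out = 0, []
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {i}")
        i += 1
        if hdr & 0x40:                       # new-format header, tag in low 6 bits
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:                  # one-octet length
                length = first
            elif first < 224:                # two-octet length
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            else:
                raise ValueError("five-octet and partial body lengths not supported")
        else:                                # old-format header, tag in bits 2..5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out

def has_secret_key(data: bytes) -> bool:
    return any(tag in (5, 7) for tag, _ in parse_packets(data))  # 5 Secret-Key, 7 Secret-Subkey

def crc24(data: bytes) -> int:
    """CRC-24 for the armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PRIVATE KEY BLOCK") -> str:
    """Wrap binary packets in the ASCII armor a 'plaintext' key export uses."""
    body = base64.b64encode(data).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    chk = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {label}-----\n\n{lines}\n={chk}\n-----END PGP {label}-----\n"
# Constructed sample (not a real key): old-format tag-5 Secret-Key packet with a 4-octet dummy body, then a new-format tag-13 User ID packet.
SAMPLE = bytes([0x94, 0x04, 0x04, 0x01, 0x02, 0x03, 0xCD, 0x05]) + b"david"
```

Running `has_secret_key(open("secring.skr", "rb").read())` on a real keyring tells you whether a file holds secret material or only public keys; a public-only export shows tags 6 and 14 but never 5 or 7.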