Video Screencast Help

Missing 'Key Flags' of generated keys

Created: 12 Dec 2012 • Updated: 13 Dec 2012 | 3 comments


i have a question regarding the keys generated by PGP Desktop and would appreciate some insight.

I generated a keypair and encrypted a file using PGP Desktop (10.2.1 MP5). When I look at the key usage in PGP Desktop (KeyProperties\Usage) all fields are checked (PGP NetShare, PGP Zip, PGP WDE, PGP Messaging).

Now for the decryption i am using a different tool which checks the key flags to verify that a key was meant for encryption. Now this tool states that the key was not meant for encryption and aborts. When i check the key (via - the following key flags for the key are set:

Hashed Sub: key flags(sub 27)(4 bytes) Flag:

  • This key may be used to certify other keys Flag (1)
  • This key may be used to sign data (2)

The number in brackets are the flags defined in RFC4880. The Tool i use however checks the encryption flags (4 and 8) which are not obviously not set (and aborts).

So now how do I get a key from PGP Desktop with the correct key flags set? Or is that a bug?

Thanks, TeeWeTee


All keys defined in RFC4880:

0x01 This key may be used to certify other keys.
0x02 This key may be used to sign data.
0x04 This key may be used to encrypt communications.
0x08 This key may be used to encrypt storage.
0x10 The private component of this key may have been split by a secret-sharing mechanism.
0x20 This key may be used for authentication.
0x80 The private component of this key may be in the possession of more than one person.


Comments 3 CommentsJump to latest comment

TeeWeTee's picture

If my first post was too long, then here the short version:

The keys generated with PGP Desktop seem to have invalid usage flags set. Can anyone explain this?




PGP_Ben's picture

is this a managed desktop client installation? If so, you need to make sure that he features that youare trying to enable encryption for are turned on via consumer policy on your server.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

dfinkelstein's picture


I think you are looking at the top key, which is used to certify other keys (and sign data, unless you have a separate signing subkey), and not your encryption subkey.

Note that all the "product usage" information is actually carried in a notation packet and is only understood by Symantec software, since OpenPGP does not not have such "product usage" distinctions.  PGP Desktop should be setting your key flags appropriately.

If you think you have a specific issue, please post a copy of your public key and I will take a look at it.




David Finkelstein

Symantec R&D