
Modifying "Key Usage" flags on existing ADKs in a Universal Server environment

Created: 25 Feb 2013

Is there a straightforward way to modify the "Key Usage" flags of an existing ADK?

Backstory:

My organization created its ADKs when we first deployed our Universal Server. At the time we were only licensed for PGP Whole Disk Encryption, and no other client applications. Later on we added NetShare support in our environment, as well.

Given that our license only allowed WDE when we created our ADKs, the NetShare key usage flags were not enabled on these ADKs, nor did those flags "turn on" when the license for NetShare was applied. This wasn't an issue until PGP Desktop 10.2.0 MP5 (Build 2599) was released. The release notes mention the following fix:

Resolved an issue so that a user can no longer use PGP NetShare to protect a folder if an ADK does not include the PGP NetShare usage flag. [2716244]

When we contacted Symantec support we were told that prior to this release PGP NetShare would allow the encryption of files if the user's key was enabled for NetShare, but it would silently fail to encrypt the files with the ADKs where the NetShare key usage flag was not present. (The other support tickets we opened about not being able to decrypt files with ADKs started to make sense at this point). We never knew this was an issue because PGP NetShare was silently failing to provide promised functionality.

Symantec support first asked us to send them our ADKs and their associated passwords, which we declined. Instead, this was the procedure I was given to fix the key usage flags:

1. Open the .asc keypair in Notepad, copy ONLY the private key part. Open a standalone version of PGP Desktop, make sure that the key is not yet in the keyring, then paste the private key part into PGP Desktop.

2. When looking at the key you will notice that the self-signature is missing. To fix this, create a new temporary UserID, delete the old UserID, then add the old UserID again, then delete the temporary UserID.

3. Now export the keypair from PGP Desktop or use PGP commandline on the same machine to continue adding the usage flags.

4. With PGP commandline run the following commands:

        pgp --list-key-details "[keyName]"
        to identify the keyID and the keyID of the encryption subkey
        pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag encrypt [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --key-flag sign [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --key-flag product-netshare [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --key-flag product-zip [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --key-flag product-messaging [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --key-flag product-wde [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-netshare [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-zip [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-messaging [--passphrase passphrase-for-key]
        pgp --set-key-flag [keyID] --subkey [encryption subkey ID] --key-flag product-wde [--passphrase passphrase-for-key]
        pgp --set-preferred-ciphers [keyID] --aes256 1 --cast5 2 --3des 3 --twofish 4 --aes128 5 --aes192 6 [--passphrase passphrase-for-key]
        pgp --set-preferred-hashes [keyID] --sha256 1 --sha384 2 --sha512 3 [--passphrase passphrase-for-key]
        pgp --set-preferred-compression-algorithms [keyID] --zlib 1 --bzip2 2 --zip 3 [--passphrase passphrase-for-key]

    Now you can export the modified key.
    pgp --export-key-pair [keyID] --overwrite-remove

Is this really the best way to accomplish this? Will this actually fix the issue? Is it really a feasible solution to ask me to install a trial version of PGP Command Line in an attempt to recover from an undocumented "gotcha"?

I've read the ADK Guidelines document, and it doesn't mention future-proofing one's ADKs by enabling all the features. Other documents (like http://www.symantec.com/docs/HOWTO41980 and http://www.symantec.com/docs/TECH149696) advise against modifying ADKs and basically state that once you've set an ADK it's done and can't be modified without pain.

Is there anything else I can try?

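The check the post's `pgp --list-key-details` step does by eye, done programmatically as an added example (not code from the original post, and not from Symantec's PGP Desktop or PGP Command Line): a small reader that walks a binary OpenPGP public-key export, fingerprints each v4 key and subkey, and collects the standard RFC 4880 Key Flags (subpacket type 27) from the self-signatures and subkey-binding signatures that follow it. It only reads the standard certify/sign/encrypt/authenticate bits; the PGP product flags the support procedure sets (`product-netshare`, `product-wde`, and so on) are vendor extensions that this reader does not decode, so it cannot by itself confirm the NetShare flag. The function names (`key_flags`, `keys_missing`, `build_sample_key`), the required-flag set, and the sample key bytes are all constructed for this example; the sample is a dummy key with fake MPIs, not a real ADK.

```python
"""Read RFC 4880 key-usage flags from a binary OpenPGP public-key blob.

Added example for this thread; not code from the original post or from the
PGP tools it discusses. Standard Key Flags (subpacket type 27) only: the
PGP product flags the post sets (product-netshare, product-wde, ...) are
vendor extensions this reader does not decode. Secret-key packets and
ASCII armor are not handled; feed it a binary public-key export.
"""
import hashlib
import struct

KEY_FLAG_BITS = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-communications",
                 0x08: "encrypt-storage", 0x10: "split-key", 0x20: "authenticate",
                 0x80: "group-key"}
PUBLIC_KEY_TAGS = (6, 14)   # public key, public subkey
SIGNATURE_TAG = 2
KEY_FLAGS_SUBPACKET = 27


def _read_packet(data, pos):
    """Parse the packet header at data[pos]; return (tag, body, next_pos)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("no OpenPGP packet header at offset %d" % pos)
    if first & 0x40:                                   # new-format header
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
        elif b1 == 255:
            length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
        else:
            raise NotImplementedError("partial body lengths not supported")
    else:                                              # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 0:
            length, hdr = data[pos + 1], 2
        elif ltype == 1:
            length, hdr = struct.unpack(">H", data[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[pos + 1:pos + 5])[0], 5
        else:                                          # indeterminate: rest of stream
            length, hdr = len(data) - pos - 1, 1
    return tag, data[pos + hdr:pos + hdr + length], pos + hdr + length


def _subpackets(area):
    """Yield (type, body) for every subpacket in a signature subpacket area."""
    pos = 0
    while pos < len(area):
        b1 = area[pos]
        if b1 < 192:
            length, pos = b1, pos + 1
        elif b1 < 255:
            length, pos = ((b1 - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # bit 7 is the critical bit
        pos += length


def _fingerprint_v4(body):
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_flags(data):
    """Map each v4 key/subkey fingerprint to the usage-flag names carried in the
    hashed area of the signatures that follow it (UID self-sigs, subkey bindings)."""
    result, current, pos = {}, None, 0
    while pos < len(data):
        tag, body, pos = _read_packet(data, pos)
        if tag in PUBLIC_KEY_TAGS:
            if body[0] != 4:
                raise NotImplementedError("only v4 keys are handled")
            current = _fingerprint_v4(body)
            result.setdefault(current, set())
        elif tag == SIGNATURE_TAG and current is not None and body[0] == 4:
            hashed_len = struct.unpack(">H", body[4:6])[0]
            for sp_type, sp_body in _subpackets(body[6:6 + hashed_len]):
                if sp_type == KEY_FLAGS_SUBPACKET and sp_body:
                    result[current] |= {n for bit, n in KEY_FLAG_BITS.items() if sp_body[0] & bit}
    return result


def keys_missing(data, required):
    """Fingerprints whose flag set lacks any of `required`: the check to run on
    an ADK before trusting a product to encrypt to it."""
    return sorted(fp for fp, names in key_flags(data).items() if not required <= names)


def build_sample_key(flag_byte):
    """Constructed demo blob (not a real key): one v4 RSA public key packet with
    dummy MPIs, a User ID, and a positive self-certification (type 0x13) whose
    hashed area holds a Key Flags subpacket equal to `flag_byte`."""
    def packet(tag, body):                             # new-format header, 1-octet length
        return bytes([0xC0 | tag, len(body)]) + body
    key_body = (b"\x04" + struct.pack(">I", 1361750400) + b"\x01"   # v4, created, RSA
                + b"\x00\x10\xff\xff" + b"\x00\x11\x01\x00\x01")   # n (16-bit), e = 65537
    hashed = bytes([2, KEY_FLAGS_SUBPACKET, flag_byte])             # len, type, flags
    sig_body = (b"\x04\x13\x01\x08" + struct.pack(">H", len(hashed)) + hashed
                + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff")     # no unhashed, hash prefix, dummy MPI
    return packet(6, key_body) + packet(13, b"ADK <adk@example.invalid>") + packet(2, sig_body)
```

Run `keys_missing(open("adk.pkr", "rb").read(), {"encrypt-storage", "encrypt-communications"})` on a binary (de-armored) export of the ADK; an empty list means every key and subkey in the blob carries the standard encryption flags. An ADK whose encryption subkey shows up here is the kind of key the `--set-key-flag ... --key-flag encrypt` step in the support procedure is meant to repair; whether the NetShare product flag is present still has to be confirmed with `pgp --list-key-details`, since only PGP's own tools interpret that vendor flag.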