Endpoint Encryption

  • 1.  PGP command line Exit Code 129

    Posted Nov 13, 2012 11:13 PM

    Hi expert,

    I'm desperate for a solution for this mystery.

    Background:-

    1) Server: Windows Server 2003 R2

    2) PGP CL Ver 10.2

    3) We are trying to trigger decryption of a file using a .bat file. The .bat file consists of a PGP command line and it is triggered using a 3rd-party scheduler known as IBM Sterling Connect Direct. A user ID ABC is used to trigger the .bat file. This user ID only has local User membership on the server.

    4)Content of the .bat:

    @echo off
    set DecFilPath=D:\XXXXX

    Set VendrFile=%DecFilPath%\%2.gpg
    Set EncryptFile=%DecFilPath%\%2.pgp

    ECHO [%TIME:~0,8% %DATE%] Start Decryption      >> %DecFilPath%\LogDownload.txt
    IF EXIST %EncryptFile% Del %EncryptFile%
    Rename %VendrFile% *.pgp
    pgp --decrypt %EncryptFile% --overwrite remove  >> %DecFilPath%\LogDownload.txt 2>&1
    set error=%ERRORLEVEL%
    ECHO %error% >> %DecFilPath%\OSerror.log
    ECHO [%TIME:~0,8% %DATE%] End Decryption        >> %DecFilPath%\LogDownload.txt

    Problem:

    The pgp --decrypt command won't run when we trigger it.

    - From the content of the .bat, we are pretty sure the .bat did run successfully, as the command Rename %VendrFile% *.pgp did successfully rename the target file.

    - We forced exit code output using the command set error=%ERRORLEVEL%, and noticed Exit Code 129 (An initialization failure occurred on startup).

    Workaround:

    - We assigned Local Administrators permission to user ID ABC, and the pgp --decrypt command completed successfully.

    Question:

    We do not wish to assign local administrator permission to user ID ABC, as we think it has too much privilege. What causes Exit Code 129, and how can we solve it so that we can trigger pgp --decrypt without local administrator permission?

     

    Thank you



  • 2.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 12:51 AM

    I'm sorry you're having this problem.  You should not have to run with administrative privileges.

    Exit code 129 is an "Initialization Failed" error that is detected early in the startup of PGP Command Line.  Unfortunately it may be returned due to a small number of initialization issues, so it's not possible to know what exactly the problem was.

    If you are logged in as user ABC, and you run "pgp --version --verbose", does that command succeed?



  • 3.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 01:38 AM

    Hi,

    Thanks for the response, appreciate it. I've been sitting for ages just to solve this issue.

    I am unable to sign on to the server locally using the ID ABC, because only members of Administrators can log on locally (secpol limitation).

    And I would not want to grant ID ABC the administrators permission, as it would defeat the purpose of this inquiry.

    Therefore, my best approach to try your suggestion is to launch cmd.exe (Run As) under ID ABC. The result of pgp --version --verbose is below:

    PGP Command Line 10.2 build 283
    Copyright (C) 2011 Symantec Corporation
    All rights reserved.
    Use of this product is subject to license terms.

    License information:
     State: Valid
     Evaluation: No
     Expiration: Never
     Name: xxxxxxxxxxxxxxxx
     Email: None
     Organization: authorized company
     License number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     Options: Encrypt/Sign enabled
     Options: Decrypt/Verify enabled
     Number of CPUs allowed: 1-999999

    Passphrase cache information:
     Cache new passphrases: Disabled
     Currently cached passphrases: 0

    System information:
     Operating system: Win32
     Number of CPUs: 2

    Time information:
     Time zone offset: 8:00
     Current time (UTC): 2012-11-14T06:32:32Z
     Current local time: 2012-11-14T14:32:32+08:00

    File information:
     Home Directory: C:\Documents and Settings\ABC\Application Data\PGP Corporation\PGP\
     Personal Directory: C:\Documents and Settings\ABC\My Documents\PGP\
     Public Keyring: C:\Documents and Settings\ABC\My Documents\PGP\pubring.pkr
     Private Keyring: C:\Documents and Settings\ABC\My Documents\PGP\secring.skr
     Random Seed: C:\Documents and Settings\ABC\Application Data\PGP Corporation\PGP\randseed.rnd

    PGPsdk information:
     Runtime version: 4.2.0 release
     FIPS mode: Disabled
     Hardware RNG: Not detected

    Public key algorithms:
     [EDSVG] RSA (PGP) - RSA
     [ED--G] Elgamal - Elgamal
     [--SVG] Digital Signature Standard - DSA
     [--SVG] Elliptic Curve Digital Signature Algorithm - ECDSA
     [ED--G] Elliptic Curve Shared Value Derivation - ECSVD

    Symmetric ciphers:
     IDEA
     3DES
     CAST5
     Twofish
     AES128
     AES192
     AES256
     Blowfish
     Arc4_128

    Hashes:
     MD5
     SHA
     RIPEMD160
     SHA256
     SHA384
     SHA512

    Compression:
     None
     ZIP
     ZLIB
     BZIP2

     



  • 4.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 03:08 AM

    Hm.  If you launch cmd.exe, RunAs user ABC, and run

    pgp --decrypt [a .pgp or .gpg file] --debug --verbose

    does it work, or does it also fail with exit code 129?



  • 5.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 03:20 AM

    Hi, the result seems positive. This was of course triggered under an interactive logon (Secondary Logon, also known as Run As).

    D:\XXXXXXXXXXX>pgp --decrypt XXXX0101.DAT.pgp --debug --verbose
    pgp:decrypt (3157:current local time 2012-11-14T16:14:27+08:00)
    C:\Documents and Settings\ABC\My Documents\PGP\pubring.pkr:open keyrings (1006:public keyring)
    C:\Documents and Settings\ABC\My Documents\PGP\secring.skr:open keyrings (1007:private keyring)
    Decoding XXXX0101.DAT.pgp...
     begin lex event
     file is encrypted
     file is asymmetrically encrypted
     decrypting file
     output event, type=b (98)
     end lex event
    Decoding file XXXX0101.DAT.pgp... 100% (甥猥)
    Decode complete
    XXXX0101.DAT.pgp:decrypt (0:output file XXXX0101.DAT)



  • 6.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 03:44 AM

    We did notice a strange behavior of the .bat execution:

    - We enabled the Secondary Logon service (Run As)

    - Launched cmd.exe with user ID ABC

    We then triggered the .bat script using the third-party scheduler IBM Sterling Connect Direct. The pgp decrypt worked magically, even without local administrators membership.



  • 7.  RE: PGP command line Exit Code 129

    Posted Nov 14, 2012 10:57 AM

    Interesting.  You at least have a working solution now?  I'm still not sure what your initial problem was, but we will try to replicate it.



  • 8.  RE: PGP command line Exit Code 129

    Posted Nov 15, 2012 08:35 PM

    Actually, we are not supposed to enable the Secondary Logon service, as it might introduce security havoc since this is a critical server. For now, we are stuck with the solution of Local Administrators permission. What we can do is provide extra protection to this ID ABC to avoid any misuse. But I'm still highly interested in the real meaning/cause of exit code 129.
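
An added diagnostic example, not part of the original thread and not Symantec's code: a variant of the poster's .bat that records the account and profile context the scheduler supplies, checks the per-user PGP files listed in the "File information" output above, and logs separate exit codes for start-up and for the decrypt. The log name PgpDiag.log, the write-test file name, and the idea that the scheduler's non-interactive context sees different profile paths are assumptions; the thread never confirms the cause of exit code 129.

```bat
@echo off
rem Added diagnostic wrapper (not from the thread).
rem Takes the file base name as its second argument, like the original .bat.
setlocal
set "DecFilPath=D:\XXXXX"
set "Log=%DecFilPath%\PgpDiag.log"
set "EncryptFile=%DecFilPath%\%~2.pgp"

>>"%Log%" echo ==== [%TIME:~0,8% %DATE%] PGP diagnostic run ====
rem 1. Record the security context and profile variables this process really has.
>>"%Log%" echo USERNAME=%USERNAME%
>>"%Log%" echo USERPROFILE=%USERPROFILE%
>>"%Log%" echo APPDATA=%APPDATA%
whoami >>"%Log%" 2>&1

rem 2. Check the per-user files reported by "pgp --version --verbose".
call :check "%APPDATA%\PGP Corporation\PGP\randseed.rnd"
call :check "%USERPROFILE%\My Documents\PGP\pubring.pkr"
call :check "%USERPROFILE%\My Documents\PGP\secring.skr"

rem 3. Can this context create a file in the PGP home directory?
copy /y nul "%APPDATA%\PGP Corporation\PGP\diag_write.tmp" >nul 2>&1
if errorlevel 1 (
    >>"%Log%" echo HOME NOT WRITABLE
) else (
    >>"%Log%" echo HOME WRITABLE
    del "%APPDATA%\PGP Corporation\PGP\diag_write.tmp"
)

rem 4. Start-up only, then the real decrypt, each with its own exit code.
pgp --version --verbose >>"%Log%" 2>&1
>>"%Log%" echo version exit code: %ERRORLEVEL%
pgp --decrypt "%EncryptFile%" --overwrite remove --debug --verbose >>"%Log%" 2>&1
set "rc=%ERRORLEVEL%"
>>"%Log%" echo decrypt exit code: %rc%
endlocal & exit /b %rc%

:check
rem Log whether one expected file is visible to this process.
if exist "%~1" (
    >>"%Log%" echo FOUND   %1
) else (
    >>"%Log%" echo MISSING %1
)
goto :eof
```

Comparing the log from a scheduler-triggered run with one from a Run As session shows whether the two contexts see the same profile paths and files, which narrows what ABC needs short of Local Administrators membership.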