Endpoint Encryption

We have a user that needs PGP to send encrypted files to the DWP (government place in the UK).  They refuse to accept the files in any other format.  Problem is, we're moving all users to a new setup which is Windows 7.  Their old licence is for PGP Desktop 9.6 and that is what the .sig file was setup for.

I've installed it once on Windows 7 but it then kills all the mapped network drives bar one for some odd reason.  I ran the .sig file and it important all their keys and e-mails it seems fine.  However, I had to uninstall PGP due to the issue of it killing all the network drives.

I've reinstalled PGP a few times today to try and get a fix for the network drives.  However, now the .sig file isn't activating and keeps saying it's invalid.  It's as if because I've been trying to use it to activate a few times, Symantec might be detecting it as an attack and blocking it.

Any ideas?

Or will we have to order a new licence?  If we ordered a new version would we be able to get our keys back from the 9.6 version?

Support for Windows 7 began with PGP 9.12 (nine.twelve), so you need to upgrade to 9.12 or any 10.x.  Your license should work with at least 9.12, and perhaps to more recent versions.  The easiest way to keep your keys would be to have your existing keyrings available for the Windows 7 PGP install, and when PGP asks if you have existing keyrings, point it to these keyrings, and let PGP copy them to the default location.

You can probably find your keyrings as indicated below.  If not, you can right click on All Keys in PGP Desktop, and select Properties to see the location of your current keyrings.

%USERPROFILE%\My Documents\PGP directory:

Keyrings: pubring.pkr and secring.skr

Keyring Backups: pubring-bak.pkr and  secring-bak.skr

The licence we have for 9.6 is only for encrypting files for zipping, PGP's zip I believe.  The licence we have for 10.2.1 is for whole disk encryption, which we don't need for this users.

The .sig I believe contained all the keys they had or all the users that had access (I should of got a screenshot earlier).  When running the sig file it connects to keyserver.pgp.com.  First time it connected fine and stopped asking for licence info when I'd run PGP.  It also showned all the users that had access.

Since having to reinstall though, running the .sig file now just bombs out and the keyserver.pgp.com

The file is a PGP Detached Signature File.

When I first important it, it worked fine and showed a list of users in the Verification History.  Now it just won't work as in the screenshots.

I assume to get to 9.12 won't be easy and would be a cost?  I'm not sure what their support package for this version ever was as they purchased it years ago.

Your 10.2.1 license should work for your desired signature verification - you can use this license without encrypting the disk.

The .sig signature file does not contain keys, but will indicate what key(s) made the signature.

I see that you are not able to connect to the Global Directory to download keys needed to verify the signature.  That may be a temporary glitch with the Global Directory, or may possibly be something on your end not allowing the connection.

Your third screen shot make is look like there may be something wrong with the signature.

However, your problem appears to be having the keys needed for the signature only on the Global Directory.  If you need to verify signatures only from a particular set of keys, you can bypass this problem by placing those keys in your public keyring, and signing them to show that you know they are owned by the people they have indicated as the owner - this will show the keys as valid/verified.

Yes, was able to connect to the Global Directory the first couple of times, now not.  But can if I go via a browser.  Which made me think my repeated attempts to contact the server with the .sig, was causing Symantec to block us due to thinking it was an attack?  I don't know if that theory is right or wrong.

I'll try as you suggest with 10.2.1

I forgot to add the end error that comes up with the .sig right at the end.  Doesn't make sense as worked at this morning.

I don't think the failed Global Directory connections were related to your repeated attempts.  But it may be related to all these Denial of Service attacks going around the Internet. 

This makes it sound like the problem is the lack of having the needed public key for the signature validation.  If you know the key that made the signature and download it to your public keyring, and then sign it, you will probably get a good signature.

I've managed to get the old PC up and running and exported the keys from there.  I'll import them into the 10.2.1 client and see how it goes.

I've managed to get 10.2.1 installed but it crashes everytime logging on.  I've ruled that to be the old issue we had with the right click menu.  Disabling PGPShell Extension and PGP Portable with Autoruns stops the explorer crash on right click.

However, the keys appear to be failing that were exported from 9.6.  Adding the image.  These keys work fine on the old XP machine and don't claim they are blocked.

I wonder if the issues we're having are new group policies for this users?  When I get them to log onto my laptop that doesn't have the group policies, PGP is working all fine, apart from the keys saying they are disabled, if I get the user to login, all their group policies kick in and PGP keeps crashing.

Currently they have their profile redirect the My Documents to a network share.  I note that's where the PGP saves its keyring data.  Could this be the issue?  I've tried renaming the specific folders relating to PGP on their account, so they get recreated on login, but still PGP will crash with no error message.  This is in the event viewer.

"

Faulting application name: PGPtray.exe, version: 10.2.1.4940, time stamp: 0x503d1c93
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b8f
Exception code: 0xc0000005
Fault offset: 0x00033792
Faulting process id: 0x12a0
Faulting application start time: 0x01ce4b35bc47c00b
Faulting application path: C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe
Faulting module path: C:\Windows\SysWOW64\ntdll.dll
Report Id: fa42e131-b728-11e2-802b-005056c00008

"

You may have a problem with having keyrings on the server.  However, if your key is actually disabled, which appears to be the case, try right clicking on the key(s), and selecting Enable.  A disabled key will not be encrypted to.

Are you still having difficulty with this?

Had a look again yesterday.  I think the fact their old licence was just for the zip part of it so only talked to keyserver.pgp.com, possibly is causing issues as well.  Because I installed of our 10.2.1 version with our licence which allows for zipping & whole disk encryption and we run a key server, it means his install is trying to talk to our key server and the global one.  I think this is then adding an extra key when he goes to encrypt.  So says "Additional key" when he adds himself.

It appears to be working from here but we thinking that when sent to the DWP the additional key part will mean they won't accept it.

I've told them now the best option (as our main licence is expiring soon) is to purchase a seperate copy of PGP licenced just for the zip part.  Then we can import the old keys again.

On that note, I think I'll mark it as solved.

Thanks for help.

Does it say "Additional Key" or "Additional Decryption Key?"  If it says Additional Decryption Key (ADK), it means that a key has an ADK.  An ADK is a key that has been added to someone else's key, such as an employee in a business, so that the organization can still decrypt email/files to that individual when he/she is not available to do the decryption.  If an organization or individual sets their key(s) to require an ADK, you will not be able to encrypt to their key(s) unless you also have the ADK to encrypt to.

BTW, I believe all PGP licenses, even the Freeware, still allow use of PGP Zip.