PGP Key without Subkey

Created: 20 Dec 2012 | 15 comments

Hi

My company uses several public keys sent by external customers to encrypt customer data.

Some new starters in the team have the standard PGP Desktop version 8.1 installed and one of the customer keys (only one out of  is not working on the new installations

On examination, the key that is not working is an RSA public key without a subkey (all other keys have a subkey).

This key is working on 2 existing team members' computers which have either bespoke versions of PGP Desktop (we do not know what was done)

My question is: how can this key work without a subkey?

And is there anything that can be done to the standard version to make this key work?

Appreciate any help I can get

Chris

Alex_CST's picture

Not all keys generated use subkeys, depending on when it was made, what type of key it is etc. RSA keys before v4 didn't use subkeys; it's possible this is one of those.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Chris_Barclaycard's picture

Thanks Alex,

Is there something extra that needs to be done to a key without a subkey to make it appear in the Key Selection Dialog screen when I right mouse click on a file in Explorer?

(It has been signed, like all other 8 keys.)

Thanks

Chris

Tom Mc's picture

If current/recent versions of PGP indicate the key is an RSA key, it is a v4 key and needs to have an encryption subkey for current/recent versions of PGP to encrypt to it. Current/recent PGP versions will identify those old v3 RSA keys that did not use subkeys as Legacy RSA keys. If someone deletes an RSA key's encryption subkey, it becomes a sign only key, and you cannot encrypt to it. The owner of the key needs to either add an encryption subkey to the existing key, or generate a new key for you to use in encryption to him/her.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

Chris_Barclaycard's picture

Thanks,

That is what I had assumed from the manual and searching the forums, nice to have it confirmed.

Is there any way to explain why 2 existing installations that indicate PGP version 8.1 are able to encrypt with this RSA key (the PGP screens indicate RSA key)?

Chris

Tom Mc's picture

You may want to take a look at the key on those machines; they might have a copy of the key before the subkey was deleted. If so, you can resolve the problem by exporting the key from one of those machines and then importing it to your other machines. If your use of the key is only on your oldest versions of PGP, it might possibly be related to those older versions not recognizing the key as a sign only key, and treating it as a v3 RSA key (encrypting to the RSA master key), but I wouldn't have thought this would occur as recently as PGP 8.1.

Chris_Barclaycard's picture

Hi Tom

I have just checked the key version and everyone is using the same key.

We have also been testing other users' keyrings on different machines and the problem is definitely machine related rather than key related.

The machines that do not see this RSA key are the newest installations (and also have PGP command line installed).

The machines that can see the RSA key are the existing installations (and do not have PGP command line).

All machines indicate 8.1.

Is there any way of testing/checking if this is an older version other than the version number?

Thanks

Chris

Tom Mc's picture

> I have just checked the key version and everyone is using the same key.
>
> We have also been testing other users' keyrings on different machines and the problem is definitely machine related rather than key related.

Does this mean that you have confirmed that this particular key does not have an encryption subkey on any of these machines? I'm confused as to what you mean by "checked the key version."

> The machines that do not see this RSA key are the newest installations (and also have PGP command line installed).
>
> The machines that can see the RSA key are the existing installations (and do not have PGP command line).

When you say "see the RSA key," do you mean that it presents the key as being available for decryption?

So, the machines that can encrypt to this key, do not have PGP command line installed?

If the problem is only on machines with both PGP Desktop and PGP Command Line installed, are both PGP versions using the same keyrings?

Are both PGP command line, and PGP Desktop using version 8.1?

What operating system are you using?

> All machines indicate 8.1.
>
> Is there any way of testing/checking if this is an older version other than the version number?

If the software reports being 8.1, it should be. You can also export a key, open the exported key in Notepad, and see what version is reported there. This will show what version of PGP exported the key.

Chris_Barclaycard's picture

> Does this mean that you have confirmed that this particular key does not have an encryption subkey on any of these machines? I'm confused as to what you mean by "checked the key version."

Apologies. On ALL machines this key does not have an encryption subkey.

Everyone has imported the same key from a central location onto their personal keyrings.

> When you say "see the RSA key," do you mean that it presents the key as being available for decryption?

The RSA is not visible in the Key Selection Dialog screen.

> So, the machines that can encrypt to this key, do not have PGP command line installed?

Correct.

> If the problem is only on machines with both PGP Desktop and PGP Command Line installed, are both PGP versions using the same keyrings?
>
> Are both PGP command line, and PGP Desktop using version 8.1?

Both PGP versions are using the same keyring.

Command line version 9.8

Desktop version 8.1

> What operating system are you using?

Windows XP Professional SP3

Tom Mc's picture

I'm thinking that the problem is related to the different versions using the same keyrings, and the more recent command line version not being able to encrypt to sign only RSA keys, while the older 8.1 version is able to. I suspect that PGP Desktop 8.1 would be able to use the key if it uses its own keyrings. You can test this by changing the keyrings setting to a different folder, letting PGP then create new keyrings at that location, and importing the key from the location it was originally imported from (not from the current keyring).

Chris_Barclaycard's picture

Hi Tom

I would have to agree that the versions are causing the problem but I think it might be the recognition of the key.

I created a new keyring from within PGP Desktop (v8.1) and imported the offending key into this new keyring. I also imported an RSA key which has a subkey and works on all machines as a control.

I then changed PGP Desktop to use this keyring as its default.

Still, when I attempted to encrypt, the control key was displayed and the offending key was not.

Could the mere installation of PGP command line have upgraded DLLs that PGP Desktop uses, which means that PGP 8.1 will no longer recognise RSA keys without subkeys regardless of which keyring is being used by the different applications?

FYI: the offending key shows "Version: SecureBlackbox 7 (PGPBlackbox)" when I open the key in Notepad.

Tom Mc's picture

> Could the mere installation of PGP command line have upgraded DLLs that PGP Desktop uses, which means that PGP 8.1 will no longer recognise RSA keys without subkeys regardless of which keyring is being used by the different applications?

This is a possibility. If this is the problem, it might possibly be resolvable by reinstalling PGP Desktop. This might replace the command line DLL with the desktop DLL, but this won't always occur because sometimes a newer file version will not be replaced by an older one. I would suggest that the likely resolution to all this would be to replace the aging 8.1 version (such as downloading the current Trial and upgrading to it); but this wouldn't let you encrypt to a sign only key, because recent versions are designed to not do this. I guess you could look at PGP DLLs from a single install of both versions on different machines, look for matching PGP DLL names, and if finding any that are the same, make the desired substitution on a current machine.

> FYI: the offending key shows "Version: SecureBlackbox 7 (PGPBlackbox)" when I open the key in Notepad.

So the person exporting this key for you is doing so from an Open PGP compliant software install. I doubt this is the problem, but it does introduce a possibility since sometimes "official" PGP and Open PGP compliant software are a little out of step regarding the addition or implementation of features.

Chris_Barclaycard's picture

I have been able to identify which DLLs have the newer version on the various machines (there are 6 DLLs/exe in the Windows|system 32),

but I think the decision is going to be made to stick with the situation as it stands and not risk corrupting any installations.

I believe the customer in question (who exported this key) is moving to a different setup sometime next year so the problem will probably resolve itself!

I deeply appreciate all your help on this matter.

Thanks

Chris

Tom Mc's picture

I would suggest asking the individual to add an encryption subkey, and guess the individual would not have a problem with this.

Tom Mc's picture

Another thought - if you place the PGP 8.1 DLLs in the same folder as the PGP 8.1 executables, seems like they will be used by PGP 8.1 instead of the Command Line DLLs it will use in Windows|system 32

Tom Mc's picture

Please let me know if you tried this - I believe it will work for you.

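Added example, not part of the thread and not code from PGP or any poster: a small Python reader for an exported public key that returns the armor `Version:` header (the line visible in Notepad), the primary key's packet version (3 for the legacy RSA format, 4 otherwise) and the number of subkey packets. It does not read key flags; the function names are hypothetical and the sample key is constructed with fake key material.

```python
import base64

def dearmor(text):
    """Return (armor headers, binary key) from an ASCII-armored export."""
    lines = [l.strip() for l in text.strip().splitlines()]
    blank = lines.index("")  # a blank line ends the armor headers
    headers = dict(l.split(": ", 1) for l in lines[1:blank])
    b64 = "".join(l for l in lines[blank + 1:-1] if not l.startswith("="))  # skip CRC
    return headers, base64.b64decode(b64)

def packets(data):
    """Yield (tag, body) per packet, for old- and new-format headers (RFC 4880)."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if hdr & 0x40:  # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not handled")
        else:  # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate length not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def describe(data):
    """Primary key packet version and the number of subkey packets."""
    out = {"primary_version": None, "subkeys": 0}
    for tag, body in packets(data):
        if tag == 6:  # public-key packet
            out["primary_version"] = body[0]  # 3 = legacy RSA format, 4 = v4
        elif tag == 14:  # public-subkey packet
            out["subkeys"] += 1
    return out

def pkt(tag, body):  # builds the constructed sample: old-format header, 1-byte length
    return bytes([0x80 | (tag << 2), len(body)]) + body
KEY_BODY = b"\x04\x50\xd2\xf0\x00\x01\x00\x08\xc5\x00\x05\x11"  # v4, RSA, fake MPIs
NO_SUBKEY = pkt(6, KEY_BODY) + pkt(13, b"constructed sample")
ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
           + base64.b64encode(NO_SUBKEY).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

A result of `primary_version` 4 with `subkeys` 0 matches the key described in this thread: a v4 RSA key with no subkey packet at all.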