Endpoint Encryption

Hi. I don't know if anyone can assist/ has seen this issue before?

Having an issue reading PGP emails after laptop rebuild (using PGP Desktop)

My colleagues laptop was rebuilt due to issues, he was asked create new PGP after rebuild.

Now he can read newly created PGP emails, but all the emails before the rebuld can not be read.

Apparently his old key was copied over by the IT department, so in theory, he should be able to read old emails with old imported key, and new emails with newly created key, but that is not happening. 

Does anyone know any setting I can check, to see if the old key is imported correctly (I can see it, it has the  older date, so thats how I know what is the old and the new one).  Don't know if it confuses things but the new key was created with the same password as the old key, so I dont know if that causes a problem. 

There are a lot of old emails we could do with being able to read, so any help would be gratefully received.

I am reasonably technical, but if you can help, would appreciate it explained as simply as possible.  

Thankyou in advance

Hello!

Did you imported bith key to pgp desktop? Is is possible, the the old key expired and you should reverify it? In the clinet all imported key is verified?

Hi.  Thankyou for answering.  When I go to PGP desktop it shows both keys.  THey have the same name, but different dates.  So I can tell one is the old key and one is the new key.  So the fact they both show in the desktop, I presume this means the old key was imported. I can also see that both show with a tick as verified.  Is there anything else I should check for??

Verify that the logo for the old PGP key that is imported into PGP Desktop shows a blue master key and the gray key attached to it. If it is the single gray key, then it's only a public portion of the key and cannot be used to decrypt those emails unfortunately.

If you do find that to be the case, so long as the end user has a backup of their system profile somewhere from when they reloaded their PC. They should be able to pull that information from the .pkr and .skr files in the My Documents\PGP folder for the users profile. The .pkr file is a public keyring file and the .skr file is the secret (private) keyring file. With both of those, that will restore all their old public and private keys that they had in PGP Desktop.

As guwy stated, I would confirm that the key that is imported is also showing as verified by checking that it has the green checkmark next to it. For more information on verifying keys, please see this How To article:

http://www.symantec.com/docs/HOWTO42091

As Ben stated, you need to make sure that the private key is present. 
After importing the key, you need to right click on it, select Properties, and set Trust to Implicit.  If the Trust setting cannot be set to Implicit, it means that you only have the public key.

Hi.  I can confirm both keys are green verified, and both keys show blue master key and the gray key attached to it.  Anything else I can check??  I don't suppose there is a master key that overides all keys that can be used in this instance?

Hi.  The trust was not set to Implicit., I changed it.   Does the PC require a reboot to take affect though?

A reboot is not necessary.

Hi.  tried all that, so here is the latest:-

Both keys are green verified, and both keys show blue master key and the grey key attached to it

The old key was not trusted so set to implicit, it allowed the change.  closed email, reopened and still the same issue, can not read old emails. 

I appreciate all the help

Any further ideas?

For previously received email, you may need to use PGP Viewer.

Hi Tom.  Thankyou for your time on this.  I am not aware of PGP viewer, is this an add on that needs to be installed? 

You are welcome.  If you are a Windows user of a recent PGP Desktop, you can click on the PGP icon in the system tray, and then select Open PGP Viewer. 

we are running 9.1. i think this is only available with version 10. 

I think you are correct.  If you can open the email to seeing the encrypted data, and if it has the Beginning and End PGP lines, you can copy it to the clipboard, and use the PGPtray, Clipboard option of Decrypt & Verify.

Hi Tom.  I tried this. The outcome may help to explain the problem more.

So my collegue tries to open an old PGP email, it asks for his password, it does not accept it.  Then open the email but obviously does not display it decrypted. So then tried copy email to the clipboard, and use the PGPtray, Clipboard option of Decrypt & Verify. It does the same thing, asks for a password, then the password is not accepted.  The password he is entering was correct before the laptop rebuild, and he has setup his new PGP with the same password, that is working.  So I guess I did not explain the problem fully, his old PGP does not seem to be accepting his password, even though he is entering in the correct one.  And only happend since rebuild. 

I don't know if there is a way of getting round this, without affecting the new key?

Is the same PGP version being used now, as was previously used?

If he is able to change the key passphrase, this might possibly make a difference.

Hi Tom.  The same PGP version is being used.  So we tried to change the key phrase of the old key to see if that helped.  We discovered it asked the questions associated with the new key, even though the old key had been selected.  Because of this we are thinking the old keys were not loaded properly.  So wondering if the best thing is to ask for the pkr and .skr files from before the rebuild to be loaded again on the laptop.  Do you think this is the best next step?

If that is the next best step, is it just a case of copying those 2 files back in the same path as before, or does something need to be done with them?

This is worth trying.  They can either be placed in the current location of your keyrings, or another location for trying this with then right clicking on All Keys on the top left of PGP Desktop, selecting Properties, and setting it to these keyrings.

I changed the path to where the backup of the old PGP keys are.  It still does not accept the password, and the security questions are as for the new keys.  Its defnately mixed up.  I don't suppose there is any way arond this now?  Appreciate your help though

I'm at a loss other than thinking this might somehow be related to your old version of PGP.  It asks for your passphrase, so the private key should actually be on your keyring. Maybe, make sure all your keys (not public keys of others) are set to Implicit Trust. 

yes, they are all trusted implicitely.  for testing the old ones, I changed the path, so it was only using those ones, and none of the other group ones.  Is there any way around it, like an admin key that can be created that can read everyones emails?  With most other aplications, you can normally get round things, but I guess with this being so secure, there is not that option.

You might be interested in using an Additional Decryption Key.  However, this is not helpful for encryption prior to the ADK being used.

Thanks for all your help, I will suggest this for the future.  Thanks again