
Replying encrypted to incoming encrypted e-mail? Send encrypted w/missing keys?

Created: 18 Jul 2011 • Updated: 20 Jul 2011 | 10 comments

We've been using PGP Desktop since before it was called "PGP Desktop."  For most encryption, decryption, signing and validation tasks it has served its purpose.  With later versions of PGP Desktop (10.0.2) and MS Office (2007), a few quirks and questions have started to pop up.

Replying encrypted to incoming encrypted e-mail?

According to one of my users, prior to her Office 2003 -> Office 2007 upgrade, PGP Desktop would automatically generate an encrypted reply to an incoming encrypted e-mail.  This totally makes sense, since you'd want to keep the conversation private if it started out that way.  I currently see no policy knob that would match on encrypted incoming e-mail and reply in kind.  Can this be configured, and if so, how/where?  As a workaround, we're using a policy match of message flag = Confidential.

Sending encrypted e-mail with missing public keys?

This same user had a need to reply encrypted to a received encrypted e-mail (see above), and was able to create a policy to encrypt if the message was Confidential.  Unfortunately, out of four recipients, only two had PGP keys in her keyring.  While fully appreciating the fact that the recipients without keys will not be able to decrypt the e-mail, is there any way to have PGP Desktop send the e-mail encrypted to those recipients with keys, and only fail to send to those recipients without keys?

Thanks!

- Dave

10 Comments

Tom Mc:

Replying encrypted to incoming encrypted e-mail?

According to one of my users, prior to her Office 2003 -> Office 2007 upgrade, PGP Desktop would automatically generate an encrypted reply to an incoming encrypted e-mail.  This totally makes sense, since you'd want to keep the conversation private if it started out that way.  I currently see no policy knob that would match on encrypted incoming e-mail and reply in kind.  Can this be configured, and if so, how/where?  As a workaround, we're using a policy match of message flag = Confidential.

The default PGP messaging policies will always result in encrypted email to an individual for whom you have a valid, enabled, non-expired or revoked key. Although not automated as you wish, the Outlook PGP buttons do let you easily decide manually on what outgoing email is signed and/or encrypted.  I think you may be wanting to send non-encrypted email in response to a received non-encrypted email even though you have the public keys that could be used for encryption?  If so, I don't see a way to do this with the email proxy.

<snip> is there any way to have PGP Desktop send the e-mail encrypted to those recipients with keys, and only fail to send to those recipients without keys?

Only with setting the confidential flag for those messages, or placing [PGP] in the subject line.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


JuniperDave:

Thanks for the speedy reply, Tom.

The default PGP messaging policies will always result in encrypted email to an individual for whom you have a valid, enabled, non-expired or revoked key.

This is the functionality that the user recalls, but currently if she replies to an encrypted e-mail, the reply is sent silently unencrypted (without warning), which is exceedingly dangerous.  How can I tell why this default PGP messaging policy isn't triggering?  Could it be related to the following sequence of events:

  1. Install MS Office 2003
  2. Install PGP Desktop 10.0.2 [Build 13]
  3. Upgrade to MS Office 2007 by IT

If so, would a re-install of PGP Desktop or upgrade to the latest version help?

<snip> is there any way to have PGP Desktop send the e-mail encrypted to those recipients with keys, and only fail to send to those recipients without keys?

Only with setting the confidential flag for those messages, or placing [PGP] in the subject line.

If we use the Confidential flag trick to send to a mix of recipients with and without PGP public keys in the keyring, the entire message fails.  Is there a switch to tell PGP Desktop to send encrypted to those users on the To: line that have PGP public keys and only fail to send to those users on the same To: line without PGP public keys?

- Dave

Tom Mc:

The default PGP messaging policies will always result in encrypted email to an individual for whom you have a valid, enabled, non-expired or revoked key.

This is the functionality that the user recalls, but currently if she replies to an encrypted e-mail, the reply is sent silently unencrypted (without warning), which is exceedingly dangerous.  How can I tell why this default PGP messaging policy isn't triggering?  Could it be related to the following sequence of events:

  1. Install MS Office 2003
  2. Install PGP Desktop 10.0.2 [Build 13]
  3. Upgrade to MS Office 2007 by IT

If so, would a re-install of PGP Desktop or upgrade to the latest version help?

Please check the keys to make sure they are actually showing in All Keys as enabled, valid, not revoked, etc.  You can use the View menu's Columns option to make this easy to see.  Especially check the Enabled column. 

You may also want to make sure the Notifier settings in PGP Options are set as desired.

If we use the Confidential flag trick to send to a mix of recipients with and without PGP public keys in the keyring, the entire message fails.  Is there a switch to tell PGP Desktop to send encrypted to those users on the To: line that have PGP public keys and only fail to send to those users on the same To: line without PGP public keys?

I believe that this is the intended functioning and that I misspoke to the contrary.  I don't believe there is a way to change this.


JuniperDave:

Please check the keys to make sure they are actually showing in All Keys as enabled, valid, not revoked, etc.  You can use the View menu's Columns option to make this easy to see.  Especially check the Enabled column.

I think we mostly have the steps required to make PGP Desktop do our bidding:

  1. Always set Confidential for e-mail you want encrypted.
  2. When encrypting outgoing e-mail, either remove recipients on the To: and Cc: lines that don't have PGP keys, OR get PGP keys for everyone on the To: and Cc: lines.

The final pain is the need to both import AND sign (i.e. make "valid") every key before sending a reply to multiple parties.  I don't recall this being required before.  PGP Desktop would simply and magically find the recipients in the defined PGP keyservers, encrypt to their keys (without needing to save them to the keyring and sign them), and send off the e-mail encrypted.  Was this changed at some point, or is there a knob to allow encryption to keys that are not "valid" (signed)?

- Dave

Tom Mc:

You can make this change to the Opportunistic policy:

Encrypt to "recipient's verified key" to Encrypt to "recipient's unverified key."

Additionally, if you download the Global Directory Verification Key 0xCA57AD7C to your keyring, sign it and set Trust to Trusted, then any key downloaded from the Global Directory will be considered valid.


SOLUTION
Tom Mc:

You will also probably want to make that "Encrypt To"  change on the Require Encryption: [PGP] Confidential policy.

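As an added illustration (not PGP Desktop's own code, and only a model of the behaviour described in this thread), the following Python walks through the policy decisions discussed in the two answers above: the "Require Encryption: [PGP] Confidential" and "Opportunistic" policies are tried in order, a recipient's key counts only if it is enabled, not expired and not revoked, and under the default "recipient's verified key" setting it must also be signed as valid; switching both policies to "recipient's unverified key" is what makes downloaded-but-unsigned keys usable. The policy names, key states and e-mail addresses are assumptions constructed for the example, not PGP Desktop's configuration format.

```python
"""Simplified model of PGP Desktop messaging-policy evaluation (assumption: an
illustration of the thread's description, not the product's real semantics)."""
from dataclasses import dataclass


@dataclass
class Key:
    enabled: bool = True
    verified: bool = False   # signed/trusted in the local keyring ("valid")
    expired: bool = False
    revoked: bool = False

    def usable(self, require_verified: bool) -> bool:
        return (self.enabled and not self.expired and not self.revoked
                and (self.verified or not require_verified))


@dataclass
class Policy:
    name: str
    matches: callable              # (Message) -> bool
    require: bool                  # True = Require Encryption, False = Opportunistic
    require_verified: bool = True  # "recipient's verified key" vs "unverified key"


@dataclass
class Message:
    recipients: list
    confidential: bool = False
    subject: str = ""


def deliver(msg, policies, keyring):
    """Return ("encrypted" | "blocked" | "clear", reason); first matching policy wins."""
    for p in policies:
        if not p.matches(msg):
            continue
        missing = [r for r in msg.recipients
                   if r not in keyring or not keyring[r].usable(p.require_verified)]
        if not missing:
            return "encrypted", p.name
        reason = f"{p.name}: no usable key for {', '.join(missing)}"
        # Require Encryption is all-or-nothing: one bad recipient fails the message.
        # Opportunistic is also all-or-nothing, but fails open: the mail goes out in clear.
        return ("blocked" if p.require else "clear"), reason
    return "clear", "no policy matched"


def default_policies(require_verified=True):
    """The two policies named in the thread, in the order they are consulted (assumed)."""
    return [
        Policy("Require Encryption: [PGP] Confidential",
               lambda m: m.confidential or "[PGP]" in m.subject, True, require_verified),
        Policy("Opportunistic Encryption", lambda m: True, False, require_verified),
    ]
```

Running `deliver` over a keyring holding one signed key and one unsigned key shows the silent clear-text reply under the default setting, the hard failure once the Confidential flag is set, and the encrypted result after the change to "unverified key".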

JuniperDave:

Yep.  I had my user make the change.  She's going to try to encrypt (via the Confidential flag) to another member of our team she doesn't have in her keyring.  With luck, that'll do it.

Thanks!

- Dave

Tom Mc:

Is this working okay now?  Or can we provide further assistance in getting this resolved?


JuniperDave:

Hi Tom.

Yes, by changing to "recipient's unverified key", my user is now able to send encrypted e-mail to recipients not in their local keyring.

Thanks for all the help.

- Dave

Tom Mc:

You are welcome - glad to hear all is well for you now.
