Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Unable to decrypt files from a NetShare

Created: 05 Mar 2012 | 9 comments

I have a set of users who are unable to decrypt Netshare files.  They receive the following error:

They can access/open the files but are unable to remove the encryption.  One of the users has a corrupt PST file and we are trying to remove the encryption so that we can run PST repair tools on the file.

Any ideas?

Thanks

Comments 9 CommentsJump to latest comment

Tom Mc's picture

They have access to the folder, which is determined by the operating system.  Have they been added as Netshare Users for the folder?  If so, has the folder been re-encrypted since they were added?

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

Avkash K's picture

Hi,

 

Please check if below article can help you!

 

PGP NetShare: You Are Attempting To Protect A File Or Folder That No one...:

http://www.symantec.com/docs/TECH149842

Regards,

Avkash K

Julian_M's picture

Check these user have modify / full access in NTFS (right click on folder, properties, security)

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.
 

plato28's picture

@Avkash K - You may be on to something.  When I look at the NetShare permissions there is an Unknown key and there are no "Admins" or "Group Admins" only "Users".  

The option to promote a user to admin or group admin is grayed out.  If the user trys to re-encrypt the file to add a new user they receive the same error message as above.

Is a Admin required for decryption? If the user can open and access the file shouldn't they be able to decrypt?

@Julian_M I checked the NTFS permissions and the user has Full Control to the file and directory containing the file.  I've also tried coping the file to my local workstation, adding the user's key pair to my key chain and I receive the same error when trying to decrypt or re-encrypt.  I also tested with another user on the same NetShare and they get the same error.

I appreciate everyone's help and suggestions...

Avkash K's picture

Hi,

 

Are you going with the below point??

An PGP NetShare Admin can add and remove users and Group Admins.

Regards,

Avkash K

plato28's picture

@Avkash K - I have to believe that it is related in some way to the Unknown Key of the user who originally created the NetShare.  That person's key/account was deleted from the PGP Universal server.  We did find a copy of their key but it was expired so it was of no use. 

I've opened an official support case to see if they have any suggestions.  

Thanks 

mgcon's picture

I'm having the same issue, although we have Admins and Group Admins and no missing/unidentified keys.

My testing shows that only Admins and Group Admins can remove a file from Netshare, even after copying it out of the protected folder (e.g. onto their desktop).

Save As.. doesn't seem to work although I hear that varies depending on the file type and app used.

Emailing it to yourself does work, but the whole point of implementing netshare was to avoid emailing around sensitive files!

From reading the documentation, it seems that the intended functionality is for all users to be able to decrypt files if they really need to. The interim solution is to make everyone a Group Admin, but that's undesirable and means re-encrypting the entire file share :(

Does anyone have a solution for this by any chance?

Cheers,

plato28's picture

 

@mgcon
 
I attended PGP training last week and I brought up the permission issues with the default NetShare roles.  The instructor suggested that if enough people complained about the issue it would get noticed and addressed in a future release.  Ha!
 
I did learn that you can use the "Prevent the encryption of files in the following folders" option in the Consumer Policies - Desktop - NetShare to black-list folders.  You can then copy an encrypted file from an existing NetShare into the black-listed folder and it will automatically remove the encryption. (Assuming that you had a key to the NetShared file)
 
For me the better solution would be for Symantec to change the "User" role so that it has the ability to right click on NetShare files and remove them from the NetShare (decrypt the files).  I don't like using the Group Admin or Admin roles, because they give the users the ability to add other users to the NetShare and we are trying to centrally manage all NetShares. 
mgcon's picture

Thanks for the update. Sadly I'm using Netshare without a server so I don't have that option. At least I know it's not something we're doing wrong and what my options are now.

I have found some good workarounds to allow non-Admins to decrypt files without emailing them:

Add to a WinZip archive then unzip.

Use PGP Desktop to secure with a key or passphrase, then decrypt.

Use PGP Desktop to encrypt to yourself, then decrypt. (Note, if when decrypting you overwrite the source file, it seems to keep the Netshare encryption, so delete or rename it first)