Endpoint Encryption

  • 1.  3063 - key unable to encrypt

    Posted Nov 18, 2016 03:15 PM

    Recently we upgraded a server to 2012 R2 and chose to upgrade to PGP CL 10.4 as well.  We are finding that we have a specific key that we cannot encrypt with.  The key is DSS/512, and works on an older version of PGP.

     

    What can this be?

    Similar issue/identical issue posted here:

    https://www.symantec.com/connect/forums/encrypt-3063key-unable-encrypt

     



  • 2.  RE: 3063 - key unable to encrypt

    Posted Nov 21, 2016 01:01 PM

    Could be similar. Try a recent version of 10.3.2 MP12 or MP13...

    10.4 seems to have some issues. Also, feel free to call in and open up a support case, especially if there is a feature of 10.4 that you need. The 10.4 issues should be investigated to produce bug reports and ultimately resolve any issues that have come up.

    That being said, 10.3.2 MP11-MP13 versions are not very old, and should operate perfectly well.



  • 3.  RE: 3063 - key unable to encrypt

    Posted Nov 21, 2016 02:18 PM

    Hi Phil -

     

    Thanks for the reply.  I did open a ticket (Case# [redacted]) and did some troubleshooting this morning.  It sounded like from the engineer on the call that 512-bit level keys may not be supported anymore since they are not secure, but he did tell me there is a procedure to re-add support and he would get with me tomorrow on how to do that.

    I did ask him about downgrading and didn't really get a clear answer on that.  If I can downgrade, how do I obtain the download?  All I see in my portal is the 10.4 version and cannot find a way to download anything else.

    The archive tab is greyed out on the download page.



  • 4.  RE: 3063 - key unable to encrypt

    Posted Nov 21, 2016 04:07 PM

    If the purchase occurred after release of 10.4, it may be a 10.4 and newer serial number. You may need to open a case with sales/licensing to get a serial number to download the 10.3.2 version. This might be something you can do through chat on the mysymantec portal.



  • 5.  RE: 3063 - key unable to encrypt

    Posted Nov 21, 2016 04:12 PM

    Additional note:
    If the key length is 512 (DSA), NIST has declared that to be obsolete (no longer reasonably secure), so you should make a new key anyway. Using an older version would allow you to use the key, but the key is no longer secure.

    Any reason why you would not be able to generate a new key and use that?



  • 6.  RE: 3063 - key unable to encrypt

    Posted Nov 23, 2016 03:46 PM

    The key we are using belongs to a customer and the size of it is out of our control.  We have advised them to strengthen the key but I do not think that will occur for some time.
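
A keyring audit for the situation in posts 5 and 6, as an added example that is not part of the original thread: it finds which partner keys fall below a size floor before an upgrade starts rejecting them. It assumes GnuPG's `--with-colons` listing rather than PGP Command Line output; the 2048-bit floor, the function names and the sample keys are constructed for illustration.

```python
"""Flag undersized keys in `gpg --list-keys --with-colons` output."""
import sys

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1) whose strength
# depends on modulus size. ECC algorithms are skipped on purpose.
SIZED_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
MIN_BITS = 2048  # assumed policy floor, adjust to local policy

# Constructed sample listing: key IDs, dates and user IDs are made up.
SAMPLE = """\
pub:-:512:17:1111111111111111:946684800:::-:::scESC:
uid:-::::946684800::0000::Customer Key (constructed) <customer@example.invalid>:
sub:-:1024:16:2222222222222222:946684800::::::e:
pub:-:4096:1:3333333333333333:1479427200:::-:::scESC:
uid:-::::1479427200::0000::Ops Key (constructed) <ops@example.invalid>:
sub:-:4096:1:4444444444444444:1479427200::::::e:
"""

def parse_keys(colon_output):
    """Group pub/sub records under their primary key and first user ID."""
    keys, current = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = {"uid": f[9] if len(f) > 9 else "", "parts": []}
            keys.append(current)
        if current is None:
            continue
        if f[0] in ("pub", "sub") and len(f) > 4 and f[2].isdigit() and f[3].isdigit():
            # field 3 = key length in bits, field 4 = algorithm, field 5 = key ID
            current["parts"].append((f[0], int(f[3]), int(f[2]), f[4]))
        elif f[0] == "uid" and len(f) > 9 and not current["uid"]:
            current["uid"] = f[9]
    return keys

def weak_keys(colon_output, min_bits=MIN_BITS):
    """Return (user_id, record, algorithm, bits, key_id) for each weak key."""
    return [(key["uid"], rec, SIZED_ALGOS[algo], bits, keyid)
            for key in parse_keys(colon_output)
            for rec, algo, bits, keyid in key["parts"]
            if algo in SIZED_ALGOS and bits < min_bits]

if __name__ == "__main__":
    # Usage: gpg --list-keys --with-colons | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for uid, rec, algo, bits, keyid in weak_keys(text):
        print(f"WEAK {algo}/{bits} {rec} {keyid} {uid}")
```

Run against the sample, it reports the 512-bit DSA primary key and its 1024-bit Elgamal subkey and leaves the 4096-bit RSA key alone.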