Endpoint Encryption


Pgpnetshare.exe Command line functionality not looking up group users when re-encrypting with a group as the admin role.

  • 1.  Pgpnetshare.exe Command line functionality not looking up group users when re-encrypting with a group as the admin role.

    Posted Jun 03, 2014 10:02 AM

    I have the following setup:

       An "Admin Group" containing myself and several other people I want to be able to re-encrypt folders as needed.

       A "User Group" of people that should not be able to manage the File Share, but can decrypt content.

       My personal key/account.

       I'm able to use either the Windows UI or the pgpnetshare.exe command line to create an encrypted file share such that the "admin group" has the admin role, my account is a group admin, and a "user group" is assigned as a user role.  Here's the command line I use for that:

    pgpnetshare -e --recipient-owner "ADMIN GROUP KEYID" --recipient-operator "MY KEY ID" --recipient "USER GROUP KEY ID" --signer "MY KEY ID" --passphrase "MY PASSPHRASE" --universal-server "pgpserver.mycompany.com" "C:\encrypted_file_share_folder"

    With that, I'm able to have other people in the "Admin Group" re-encrypt and otherwise change the file share folder as needed through the Windows UI, but I'm not able to find a way to re-encrypt or change anything using the command line application on the new File Share once these roles are assigned.

    Here's the command line I try to use to re-encrypt:

    pgpnetshare --reencrypt-delta --recipient-owner "ADMIN GROUP KEYID" --recipient-operator "MY KEY ID" --recipient "USER GROUP KEY ID" --signer "MY KEY ID" --passphrase "MY PASSPHRASE" --universal-server "pgpserver.mycompany.com" "C:\encrypted_file_share_folder"

    I get the error:

    Error: You are attempting to manage a File Share Encryption-protected file or folder, but you do not have rights to do so.

    Which leads me to believe that the command line doesn't check to see if I'm on the "Admin Group" users list. Note that the Windows UI does check this and I'm able to re-encrypt the folder through the Windows UI, just not the command line.

    I'm able to use the above re-encrypt command line if my account is in the "Admin Role", but not the "Group Admin Role". And after I issue the command, I can, again, no longer manage the folder with the command line. Everything still works as expected through the Windows UI.

    Is there a command line option that I'm missing or is this a limitation of using the command line tool?

    I'd really love to have a solution so I could create a script to re-encrypt at regular intervals without losing the ability to have multiple people manage the group.

    Thanks in advance for any help.




  • 2.  RE: Pgpnetshare.exe Command line functionality not looking up group users when re-encrypting with a group as the admin role.
    Best Answer

    Broadcom Employee
    Posted Jun 06, 2014 03:01 PM

    You cannot use a Group key as admin and run these commands. The Netshare command line utility doesn't have access to the group key that you are using and will cause an error.

    You could download and import the group key to the local machine that is doing the Netshare command and run the command using the key-id identifier, but this is bypassing the use of the group key and should probably not be used in this manner since it leaves the group key on the server without a passphrase.



  • 3.  RE: Pgpnetshare.exe Command line functionality not looking up group users when re-encrypting with a group as the admin role.

    Posted Jun 06, 2014 03:03 PM

    Thanks, Brian_Ch. I've put in a feature request to add this capability to the pgpnetshare command line application so it works like the GUI.