Endpoint Encryption

Hi,

We have had lots of problems when changes to consumer policies also involve a change of key mode.

It seems particulartly problematic when the change is from SKM to GKM.

This old forum entry "Changing key management on existing consumer policies" states that the problem was fixed in 3.3.0 MP3 / 10.3.0 MP3, and references this bug report: http://www.symantec.com/docs/TECH193051

We are running 3.3.2 / 10.3.2. 

I get the same error message "11:18:39 PGP     Error    Key Mode change has failed with an error: insufficient privileges (-11972)"

Thanksfully the "temporary workaround" stated on that link seems to overcome the problem, but it certainly isn't fixed in the release we are using.

Thanks, Neal.

Hi Neal,

Thank you for bringing this topic up.
This can be a regression bug or an incorrect article, I will ask someone to review the article and amend it if that's the case.

Do you have the possibility to open a case with the Technical Support? That's the current procedure to handle bugs (additionally it helps bringing traction to reported issues).

Contact Business Support: http://www.symantec.com/support/contact_techsupp_static.jsp

Thank you and regards,
dcats

Hi Neal,

We have updated the article to reflect the current status.
If you have the possibility, please open a case and ask it to be added to eTrack #3472328 mentioned in the article TECH193051.

Thank you and regards,
dcats

Hi,

Yes, I have access to technical support, and will open a case.

However, the issue has now escalated such that I am unable to use my PGP key in "GKM mode". On switching from SKM to GKM I was prompted for a new passphrase. This makes sense as in SKM mode, the server looks after passphrase mangement, but in GKM mode the user is in control.

I entered a suitably strong pasphrase, which was accepted/confirmed and the dialogue disappeared. I am now being prompted to enter an key passphrase while performing actions requiring the private key, but the passphrase I entered does NOT unlock the key.

I know I have the correct passphrase.

We do NOT have key reconstruction data, so I am unable to use that method to reset the passphrase.

The key mode switch has left me with an unusable key, and lots of emails & data which I can longer gain access to.

This isn't the only time I have seen this. I've had several other users report the same issue. Thankfully, as they were "new" users, we could wipe the accounts and start again with the desired key mode and new keys.

Not happy at all. 

Neal.

Hi dcats,

I've just added a reponse to your previous reply - they must have crossed in the ether.

I'm about to open the case, so will mention the eTrack number.

Do you know of any way of resetting the passphrase on my now "unusable" key?

Thanks, Neal.

An update.

I've open a case and asked it to be linked to eTrack #3472328 as suggested.

All my attempts yesterday to enter a passphrase to unlock my key failed.

I had to restart my Windows 7 installation this morning for other reasons, so when it restarted I thought I'd see if I could unlock the key.

I attempted to look at an encrypted email, and entered the same passphrase I tried yesterday (many times), and to my amazement (and joy), the key unlocked!!!!

The restart obviously cleared something out, so at least I now have a functioning key again.

Neal.