Unable to decrypt email after installing Encryption Desktop 10.4.2 HF1 or above
Last Updated April 12, 2019
After upgrading to Encryption Desktop version 10.4.2 HF1 or above, emails are no longer decrypted automatically, although PGP Viewer can still decrypt the email content. The issue occurs when the email was encrypted with a release of Encryption Desktop below 10.4.2 HF1 but is being decrypted by 10.4.2 HF1 or above.
NOTE: If you are experiencing issues decrypting PGP Zip files or other encrypted files after upgrading to Encryption Desktop 10.4.2 HF1 or above, please see article TECH253087.
Symantec Encryption Desktop 10.4.2 HF1 and above.
Entries like this appear in the Encryption Desktop log file:
MAPI Proxy: Decryption failed with error: PGPError #-12562
In 10.4.2 HF1 and above, Encryption Desktop only decrypts email messages whose encrypted data is carried in SEIP (Symmetrically Encrypted Integrity Protected) packets, not in plain SE (Symmetrically Encrypted) packets. The integrity protection in SEIP packets is what mitigates the Efail vulnerability.
When encrypting an email with Encryption Desktop 10.4.2 HF1 and above, Encryption Desktop will enforce the use of SEIP packets regardless of the key(s) used to encrypt the email.
For Encryption Desktop versions below 10.4.2 HF1, there are two conditions under which emails could be sent using SE packets instead of the more secure SEIP packets. Both involve keys that are old or deprecated, especially in light of the Efail vulnerability:
The email message is encrypted with version 3 key(s). The current standard is to use version 4 keys.
The email message is encrypted with version 4 key(s) whose preferred cipher is set to something other than AES and whose preferences do not include the Modification Detection (MDC) feature flag.
These conditions do not affect emails encrypted by Encryption Desktop 10.4.2 HF1 or above.
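The following is an added example, not code from Symantec or this article: a small OpenPGP packet walker (framing per RFC 4880) that answers the two questions the sections above raise from a defender's side. It reports whether a captured encrypted message carries an SEIP packet (tag 18) or only a plain SE packet (tag 9), which is the distinction that decides whether 10.4.2 HF1 and above will decrypt it, and it reads a public key's version and self-signature preferences to flag a key that would still cause an older sender to choose SE. The packets, key ID, MPIs and ciphertext bytes are constructed stand-ins with no cryptographic meaning; the interpretation of condition two as "first preferred cipher is not AES and the MDC feature bit is absent" is an assumption about the article's wording.

```python
"""Classify OpenPGP messages as SEIP vs SE-only and check key preferences.
Added example; packet framing follows RFC 4880, sample bytes are constructed."""

TAG_PKESK, TAG_SIG, TAG_PUBKEY, TAG_SE, TAG_SEIP = 1, 2, 6, 9, 18
AES_IDS = {7, 8, 9}                  # symmetric algorithm ids for AES-128/192/256
SUBPKT_PREF_SYM, SUBPKT_FEATURES = 11, 30
MDC_FEATURE_BIT = 0x01               # bit 0 of the Features subpacket


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos, n = 0, len(data)
    while pos < n:
        hdr = data[pos]; pos += 1
        if not hdr & 0x80:
            raise ValueError(f"invalid packet header byte 0x{hdr:02x} at offset {pos - 1}")
        if hdr & 0x40:                                   # new-format header
            tag, body = hdr & 0x3F, b""
            while True:                                  # loop covers partial body lengths
                o = data[pos]; pos += 1
                if o < 192:
                    length, partial = o, False
                elif o < 224:
                    length, partial = ((o - 192) << 8) + data[pos] + 192, False; pos += 1
                elif o == 255:
                    length, partial = int.from_bytes(data[pos:pos + 4], "big"), False; pos += 4
                else:
                    length, partial = 1 << (o & 0x1F), True
                body += data[pos:pos + length]; pos += length
                if not partial:
                    break
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                               # indeterminate: rest of stream
                body, pos = data[pos:], n
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big"); pos += size
                body = data[pos:pos + length]; pos += length
        yield tag, body


def classify_message(data: bytes) -> str:
    """'SEIP' decrypts on 10.4.2 HF1+, 'SE-only' is the case this article describes."""
    tags = [t for t, _ in parse_packets(data)]
    if TAG_SEIP in tags:
        return "SEIP"
    return "SE-only" if TAG_SE in tags else "not-encrypted"


def parse_subpackets(blob: bytes):
    """Yield (type, data) for signature subpackets (length prefix includes the type octet)."""
    pos = 0
    while pos < len(blob):
        o = blob[pos]; pos += 1
        if o < 192:
            length = o
        elif o < 255:
            length = ((o - 192) << 8) + blob[pos] + 192; pos += 1
        else:
            length = int.from_bytes(blob[pos:pos + 4], "big"); pos += 4
        yield blob[pos] & 0x7F, blob[pos + 1:pos + length]
        pos += length


def key_profile(data: bytes) -> dict:
    """Collect key version, preferred symmetric ciphers and MDC flag from a key stream."""
    prof = {"key_version": None, "pref_sym": [], "mdc": False}
    for tag, body in parse_packets(data):
        if tag == TAG_PUBKEY:
            prof["key_version"] = body[0]
        elif tag == TAG_SIG and body[0] == 4:            # v4 signature: hashed area at offset 6
            hlen = int.from_bytes(body[4:6], "big")
            for sptype, sdata in parse_subpackets(body[6:6 + hlen]):
                if sptype == SUBPKT_PREF_SYM:
                    prof["pref_sym"] = list(sdata)
                elif sptype == SUBPKT_FEATURES and sdata and sdata[0] & MDC_FEATURE_BIT:
                    prof["mdc"] = True
    return prof


def would_send_se(prof: dict) -> bool:
    """The two pre-10.4.2 HF1 conditions: v3 key, or v4 key with non-AES first pref and no MDC."""
    if prof["key_version"] == 3:
        return True
    first = prof["pref_sym"][0] if prof["pref_sym"] else None
    return prof["key_version"] == 4 and first not in AES_IDS and not prof["mdc"]


def _pkt(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length; enough for the constructed samples."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# --- constructed sample data (not real keys, key IDs or ciphertext) ---
KEYID = bytes.fromhex("0123456789abcdef")
PKESK_BODY = b"\x03" + KEYID + b"\x01" + b"\x00\x10\xab\xcd"       # v3 PKESK, RSA, fake MPI
FAKE_CIPHERTEXT = bytes(range(16))
MSG_SEIP = _pkt(TAG_PKESK, PKESK_BODY) + bytes([0xC0 | TAG_SEIP, 17]) + b"\x01" + FAKE_CIPHERTEXT
MSG_SE = _pkt(TAG_PKESK, PKESK_BODY) + _pkt(TAG_SE, FAKE_CIPHERTEXT)

V4_KEY_BODY = b"\x04" + b"\x00\x00\x00\x00" + b"\x01" + b"\x00\x10\xab\xcd" + b"\x00\x05\x11"
V3_KEY_BODY = b"\x03" + b"\x00\x00\x00\x00" + b"\x00\x00" + b"\x01" + b"\x00\x10\xab\xcd" + b"\x00\x05\x11"


def _v4_selfsig(hashed: bytes) -> bytes:
    """Skeleton v4 signature body: version, type 0x13, RSA, SHA-256, hashed area, rest faked."""
    return (b"\x04\x13\x01\x08" + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00" + b"\xaa\xbb" + b"\x00\x10\x12\x34")


KEY_MODERN = _pkt(TAG_PUBKEY, V4_KEY_BODY) + _pkt(TAG_SIG, _v4_selfsig(b"\x04\x0b\x09\x08\x07" + b"\x02\x1e\x01"))
KEY_OLD_V4 = _pkt(TAG_PUBKEY, V4_KEY_BODY) + _pkt(TAG_SIG, _v4_selfsig(b"\x02\x0b\x03"))   # CAST5 only, no MDC flag
KEY_V3 = _pkt(TAG_PUBKEY, V3_KEY_BODY)

if __name__ == "__main__":
    for name, msg in (("seip", MSG_SEIP), ("se", MSG_SE)):
        print(name, classify_message(msg))
    for name, key in (("modern", KEY_MODERN), ("old-v4", KEY_OLD_V4), ("v3", KEY_V3)):
        print(name, key_profile(key), "would send SE:", would_send_se(key_profile(key)))
```

Run against a real binary (non-armored) message or exported public key, `classify_message` gives a quick way to confirm whether a message that failed with the error above is indeed SE-only, and `would_send_se` points out which correspondent keys still need to be regenerated or have their preferences refreshed.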
Symantec first recommends that all sending clients be upgraded to 10.4.2 HF1 or above so that SEIP packets will be used regardless of the key settings. Clearly, however, it is not possible to force third parties to upgrade.
The second recommendation addresses the root cause of SE being selected for encryption: once the recipient's key is updated, SEIP will be used even if the sender is still running an older version of Symantec Encryption Desktop.
For both conditions mentioned above, generating a new encryption key with Symantec Encryption Desktop 10.4.2 HF1 or above produces a version 4 key that will use SEIP. Note that Additional Decryption Keys (ADKs) will also need updating.
It may be necessary to redistribute the new public keys to third parties.
Decrypting older email messages
Even after generating keys with Symantec Encryption Desktop 10.4.2 HF1 or above and/or upgrading all sending Symantec Encryption Desktop clients to 10.4.2 HF1 or above, encrypted messages sent or received before upgrading cannot be decrypted automatically. These messages can be decrypted with PGP Viewer. Note, however, that PGP Viewer does not work correctly with some versions of Outlook.
Encryption Desktop 10.4.2 MP2 and above includes two new policy options:
Turn off Efail protection completely. This option is not recommended.
Allow older messages encrypted with SE to be decrypted automatically while still offering mitigation against direct Efail attacks. This option offers users considerably more convenience at the cost of some additional risk.
If your organization understands these risks and wishes to implement one of these policy options, please contact Technical Support, and ask that your case be advanced to Tier 2 support for assistance in configuring these policy options.