Symantec Encryption Management Server 3.4.2 HF1 and above
If you double-click the *.pgp file in Windows File Explorer, the error is:
The PGP Zip may be corrupt. (-10800)
If you right-click the *.pgp file in Windows File Explorer and use the Symantec Encryption Desktop context menu to Decrypt & Verify, the error is:
An error has occurred: PGPError #-10800
Starting with Symantec Encryption Desktop 10.4.2 MP3, a new error message appears, but the issue and the solution are still the same.
Decryption blocked. The file that you are trying to decrypt is not secure because it is not encrypted using SEIP (Symmetrically Encrypted Integrity Protected) packets.
Encryption Desktop 10.4.2 HF1 and above protects against the EFAIL vulnerability. This causes decryption failures with PGP Zip files created by previous releases that used SE (Symmetrically Encrypted) packets for encryption.
As part of these security features, we will only decrypt PGP Zip files if they include SEIP packets instead of SE packets. SEIP packets carry an additional integrity-protection feature, which further protects against the EFAIL vulnerability.
When encrypting, Encryption Desktop 10.4.2 HF1 and above enforces the use of SEIP packets regardless of the key(s) used.
For Encryption Desktop versions below 10.4.2 HF1, there are two conditions under which files are encrypted using SE packets instead of the more secure SEIP packets. Both involve keys that would be considered old and/or deprecated, especially since the discovery of the EFAIL vulnerability.
1. The key(s) used to encrypt the files are older Version 3 keys. The current standard is to use Version 4 keys.
2. The key is a Version 4 key, but its preferred cipher is set to something other than AES and it is missing the Modification Detection flag.
Again, these conditions do not affect files encrypted by an Encryption Desktop client version 10.4.2 HF1 or above, which uses the more secure SEIP packets for PGP Zip files.
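The SE-versus-SEIP distinction described above is visible in the packet headers of the .pgp file itself: in OpenPGP (RFC 4880) tag 9 is the Symmetrically Encrypted Data packet (no integrity protection) and tag 18 is the Symmetrically Encrypted Integrity Protected Data packet, and every public key or subkey packet carries its version number (3 or 4) as the first octet of its body. The following Python script is an added example written for this article; it is not part of the article itself nor of Symantec's software. It parses the packet headers of a binary (non-armored) OpenPGP message or key block and reports whether the encrypted payload is SE or SEIP and which key versions are present, so an administrator can tell in advance whether a file or key will run into the check described above. The sample byte strings are constructed for illustration (valid headers, dummy bodies); the script decrypts nothing and does not inspect the preferred-cipher or Modification Detection preferences, which live in the key's self-signature subpackets rather than in the packet headers.

```python
import struct
import sys
from dataclasses import dataclass

# OpenPGP packet tags (RFC 4880, section 4.3)
TAG_PKESK = 1          # Public-Key Encrypted Session Key
TAG_PUBLIC_KEY = 6
TAG_SE = 9             # Symmetrically Encrypted Data: no integrity protection
TAG_PUBLIC_SUBKEY = 14
TAG_SEIP = 18          # Symmetrically Encrypted Integrity Protected Data (with MDC)


@dataclass
class Packet:
    tag: int
    body: bytes


def _new_format_length(data: bytes, pos: int):
    """Decode a new-format length field; returns (length, next_pos, is_partial)."""
    first = data[pos]
    if first < 192:                                   # one-octet length
        return first, pos + 1, False
    if first < 224:                                   # two-octet length
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:                                  # five-octet length
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True         # partial body length


def parse_packets(data: bytes) -> list:
    """Split a binary OpenPGP message or key block into packets; only headers are interpreted."""
    packets, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet header at offset {pos}")
        pos += 1
        if hdr & 0x40:                                # new-format header
            tag, body = hdr & 0x3F, b""
            while True:                               # concatenate partial-length chunks
                length, pos, partial = _new_format_length(data, pos)
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
        else:                                         # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 0:
                length, pos = data[pos], pos + 1
            elif ltype == 1:
                length, pos = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2
            elif ltype == 2:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:                                     # indeterminate: runs to end of input
                length = len(data) - pos
            body = data[pos:pos + length]
            pos += length
        packets.append(Packet(tag, body))
    return packets


def encrypted_packet_kind(data: bytes):
    """'SEIP', 'SE', or None when the input carries no encrypted-data packet."""
    tags = {p.tag for p in parse_packets(data)}
    if TAG_SEIP in tags:
        return "SEIP"
    if TAG_SE in tags:
        return "SE"
    return None


def blocked_by_seip_requirement(data: bytes) -> bool:
    """True when a client that accepts only SEIP packets would refuse this message."""
    return encrypted_packet_kind(data) == "SE"


def key_versions(data: bytes) -> list:
    """Version octet of every public key / subkey packet (3 = legacy V3, 4 = current V4)."""
    return [p.body[0] for p in parse_packets(data)
            if p.tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY)]


# Constructed samples: headers follow RFC 4880, bodies are dummy bytes, not real ciphertext or keys.
LEGACY_MSG = bytes([0x84, 3, 0xAA, 0xBB, 0xCC]) + bytes([0xC9, 4, 1, 2, 3, 4])                 # PKESK + SE
MODERN_MSG = bytes([0xC1, 3, 0xAA, 0xBB, 0xCC]) + bytes([0xD2, 5, 1, 0xDE, 0xAD, 0xBE, 0xEF])  # PKESK + SEIP
PARTIAL_MSG = bytes([0xD2, 0xE1, 1, 2, 3, 3, 4, 5])   # SEIP body split into a 2-byte partial chunk + 3-byte final chunk
V3_KEY = bytes([0x98, 2, 3, 0x00])                     # public-key packet whose first body octet is version 3
V4_KEY = bytes([0x98, 2, 4, 0x00])                     # same packet type, version 4

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEGACY_MSG
    print("encrypted data packet:", encrypted_packet_kind(raw))
    print("would be blocked by SEIP requirement:", blocked_by_seip_requirement(raw))
    print("key packet versions:", key_versions(raw))
```

Run it as `python check_pgp_packets.py file.pgp` (file name is an assumption) against a binary PGP Zip or an exported key file; ASCII-armored input must be dearmored first, since the parser reads raw packet headers. A result of SE for a message, or a 3 in the key-version list, identifies the two conditions listed above before a user hits the -10800 error.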
Symantec's first recommendation is that all encrypting clients be upgraded to 10.4.2 HF1 or above, so that SEIP packets are used regardless of the key settings. Since the issue lies with the version of the key the sender is using, we understand it may not be possible to force senders to upgrade.
The second recommendation is to address the keys used for encryption that result in the old SE packets. Once the recipient's key is updated, SEIP packets will be used even if the sender is still running an older version of Symantec Encryption Desktop.
For both conditions mentioned above, generating a new encryption key with Symantec Encryption Desktop 10.4.2 HF1 or above produces a proper V4 key that will use the more secure SEIP packets. Be sure to check any ADKs (Additional Decryption Keys) as well as the user keys, since the ADKs may also have this condition present.
It may be necessary to redistribute the new public keys to senders so that they are used; the new keys will not run into any of the conditions mentioned.
Further Considerations
Even after generating keys with Symantec Encryption Desktop 10.4.2 HF1 or above and/or upgrading all sending Symantec Encryption Desktop clients to 10.4.2 HF1 or above, old files (those already encrypted with SE packets) still cannot be decrypted.
In Symantec Encryption Desktop 10.4.2 HF1 or above, additional options are available to allow PGP Zip files that used the deprecated SE packets to be decrypted. Using these options bypasses the integrity-protection requirement, which disables the effectiveness of the security features we put in place to protect you from the EFAIL vulnerability.
If your organization understands these risks and still needs access to those older PGP Zip files, please contact Technical Support and ask that your case be advanced to Backline (Tier 2) support for assistance in setting these options.