E-Business Server:ERROR: Key cannot be used for encryption

From SDS
Jump to navigation Jump to search

ERROR: Key cannot be used for encryption

Technical Articles ID: SDSKB5


SDS E-Business Server 7.x and 8.x for cause 1. For cause 2, EBS 7.6 and earlier, EBS 8.7 and earlier.

Problem The following error may be generated with E-Business Server when you attempt to encrypt a file:

event 1: initial

event 3: error -11493

Error: key cannot be used for encryption

event 2: final

error encrypting file.

Key cannot be used for encryption

exitcode = 22 may also be generated.

Cause 1 You are attempting to use a sign only key or a signing subkey for encryption.. To determine if a key is sign only, run the –key-list command to view the keys. A sign only key will have only a DSS field, where an encryption key will have a DSS field with a DH field below it. Below is an example of a sign only key (called signonly) and of a standard public key (gary test).

Alg Type   Size     Flags    Key ID   User ID

--- ---- --------- ------- ---------- -------

DSS pair 1024     [VI---] 0x243DCBDE signonly

DSS pub 2048/2048 [-----] 0x21BA1EA3 gary test (test)

Solution 1 Use an encryption key or remove the signing subkey.

Cause 2 The key is a DSA (Digital Signature Algorithm) key with a Signing Keysize greater than 1024. SDS E-Business Server 8.7.0/7.6.x, and earlier, do not support the 2048 or 3072 key sizes.

If this is the cause, when you view the Key Details, the Cipher may be listed as Unknown:


Note that other issues such as an unknown / unsupported hash, may result in Cipher: Unknown, so this by itself does not indicate that the key uses DSA 2048. However, “Key cannot be used for encryption” combined with the UNKNOWN Cipher is a strong indication.

Solution 2 Recreate the DSA key with a Signing Keysize equal to 1024 or Upgrade to the latest release of EBS. E-Business Server 7.7.1 and 8.8.1 support DSA 2048 signing keys and are currently available for download.