E-Business Server: ERROR: Key cannot be used for encryption
Technical Articles ID: SDSKB5
Environment
Cause 1 applies to SDS E-Business Server 7.x and 8.x. Cause 2 applies to EBS 7.6 and earlier, and EBS 8.7 and earlier.
Problem
The following error may be generated with E-Business Server when you attempt to encrypt a file:
event 1: initial
event 3: error -11493
Error: key cannot be used for encryption
event 2: final
error encrypting file.
Key cannot be used for encryption
exitcode = 22 may also be generated.
Cause 1
You are attempting to use a sign-only key or a signing subkey for encryption. To determine whether a key is sign-only, run the --key-list command to view the keys. A sign-only key has only a DSS field, whereas an encryption key has a DSS field with a DH field below it. Below is an example of a sign-only key (called signonly) and of a standard public key (gary test).
Alg  Type  Size       Flags    Key ID      User ID
---  ----  ---------  -------  ----------  -------
DSS  pair  1024       [VI---]  0x243DCBDE  signonly
DSS  pub   2048/2048  [-----]  0x21BA1EA3  gary test (test)
Solution 1
Use an encryption key or remove the signing subkey.
Cause 2
The key is a DSA (Digital Signature Algorithm) key with a Signing Keysize greater than 1024. SDS E-Business Server 8.7.0/7.6.x, and earlier, do not support the 2048 or 3072 key sizes.
If this is the cause, when you view the Key Details, the Cipher may be listed as Unknown:
Cipher: UNKNOWN
Note that other issues, such as an unknown or unsupported hash, may also result in Cipher: UNKNOWN, so this by itself does not indicate that the key uses DSA 2048. However, “Key cannot be used for encryption” combined with the UNKNOWN Cipher is a strong indication.
Solution 2
Recreate the DSA key with a Signing Keysize equal to 1024, or upgrade to the latest release of EBS. E-Business Server 7.7.1 and 8.8.1 support DSA 2048 signing keys and are currently available for download.