E-Business Server: ERROR: Key cannot be used for encryption
Technical Articles ID: SDSKB5
Environment
Cause 1: McAfee E-Business Server (EBS) 7.x and 8.x. Cause 2: EBS 7.6 and earlier, and EBS 8.7 and earlier.
Problem
The following error may be generated by E-Business Server when you attempt to encrypt a file:
event 1: initial
event 3: error -11493
Error: key cannot be used for encryption
event 2: final
error encrypting file.
Key cannot be used for encryption
An exit code of 22 may also be returned.
Cause 1
You are attempting to use a sign-only key, or a signing subkey, for encryption. To determine whether a key is sign-only, run the --key-list command to view the keys. A sign-only key has only a DSS (DSA) signing component and no encryption subkey, whereas an encryption-capable key has a DSS signing key with a DH (Diffie-Hellman/ElGamal) encryption subkey below it. Below is an example listing of a sign-only key (called signonly) and of a standard public key (gary test).
Alg  Type  Size       Flags    Key ID      User ID
---  ----  ---------  -------  ----------  -------
DSS  pair  1024       [VI---]  0x243DCBDE  signonly
DSS  pub   2048/2048  [-----]  0x21BA1EA3  gary test (test)

Note the Size column: the sign-only key shows a single size, while the encryption-capable key shows two sizes, one for each of its two components (the DH encryption subkey and the DSS signing key).
Solution 1
Use an encryption-capable key for the operation, or remove the signing subkey from the key.
Cause 2
The key is a DSA (Digital Signature Algorithm) key with a signing key size greater than 1024 bits. McAfee E-Business Server does not currently support the 2048- or 3072-bit DSA sizes. These larger sizes (DSA2, as specified in FIPS 186-3) also use a longer q parameter and a SHA-2 family hash, which is why an implementation that only knows 1024-bit DSA cannot interpret the key.
If this is the cause, when you view the Key Details, the Cipher may be listed as Unknown:
Cipher: UNKNOWN
Note that other issues, such as an unknown or unsupported hash, may also result in Cipher: UNKNOWN, so this by itself does not prove that the key uses DSA 2048. However, "Key cannot be used for encryption" combined with the UNKNOWN cipher is a strong indication. You can use a program such as pgpdump to learn more. To use pgpdump, export the key using ASCII armor, then copy and paste it into the pgpdump window (pgpdump is also available as a command-line tool that reads the armored file directly). In the output, look at the Public Key Packet: the "Pub alg" line names the algorithm, and the bit count shown for the DSA p value is the signing key size, so a 2048-bit key shows DSA p(2048 bits). pgpdump is available free at http://www.pgpdump.net/. pgpdump is not maintained by SDS, and SDS is not responsible for any errors, nor does SDS guarantee that the site will always be there. That said, I use it all the time.
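The check below is an added example written for this article; it is not code from McAfee, SDS, or pgpdump. It is a small OpenPGP (RFC 4880) packet walker that reads an ASCII-armored or binary public key, lists every key and subkey packet with its algorithm and size, and maps the result onto the two causes above: no encryption-capable (ElGamal, RSA or ECDH) component for cause 1, and a DSA p larger than 1024 bits for cause 2. Assumptions: only v4 key packets are handled; capability is judged from the algorithm ID alone rather than from the key-flags subpacket of the self-signature, which real implementations also consult; the three sample keys at the bottom are constructed with placeholder MPIs of the right lengths and are not real key material; all function and constant names are the example's own.

```python
import base64
import struct

# Public-key algorithm IDs from RFC 4880 section 9.1 (18/19 from RFC 6637, 22 = EdDSA)
ALGO_NAMES = {1: "RSA", 2: "RSA-encrypt-only", 3: "RSA-sign-only", 16: "ElGamal",
              17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
ENCRYPT_CAPABLE = {1, 2, 16, 18}
# Key-material packet tags: 5 secret key, 6 public key, 7 secret subkey, 14 public subkey
KEY_PACKET_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}


def dearmor(text):
    """Unwrap an ASCII-armored block (RFC 4880 6.2); armor headers and the CRC24 line are skipped."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:                      # armor headers run until the first blank line
            in_body = line.strip() == ""
        elif not (line.startswith("=") and len(line.strip()) == 5):   # skip the "=XXXX" CRC24 trailer
            body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet_header(buf, pos):
    """Return (tag, body_offset, body_length); old- and new-format headers, no partial bodies."""
    b = buf[pos]
    if not b & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if b & 0x40:                                      # new-format header
        tag, l1 = b & 0x3F, buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body length not supported")
    tag, ltype = (b >> 2) & 0x0F, b & 0x03            # old-format header
    if ltype == 3:
        raise ValueError("indeterminate old-format length not supported")
    n = (1, 2, 4)[ltype]                              # length field is 1, 2 or 4 octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")


def parse_key_packet(body):
    """(algorithm id, bit length of the first MPI) from a v4 key packet: RSA n or DSA/ElGamal p."""
    if body[0] != 4:
        raise ValueError("only v4 key packets are handled (got v%d)" % body[0])
    algo = body[5]                                    # version(1) + creation time(4) + algo(1)
    return algo, struct.unpack(">H", body[6:8])[0]    # an MPI starts with its bit count


def inspect_key(data):
    """Walk the packet stream and describe every key or subkey packet in it."""
    keys, pos = [], 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        if tag in KEY_PACKET_TAGS:
            algo, bits = parse_key_packet(data[start:start + length])
            keys.append({"packet": KEY_PACKET_TAGS[tag], "bits": bits,
                         "algo": ALGO_NAMES.get(algo, "unknown(%d)" % algo),
                         "encrypt": algo in ENCRYPT_CAPABLE})
        pos = start + length
    return keys


def diagnose(key, max_dsa_bits=1024):
    """Map a key (armored text or raw bytes) onto the two causes. Assumption: capability is
    judged from the algorithm id only, not from the key-flags subpacket of the self-signature."""
    keys = inspect_key(dearmor(key) if isinstance(key, str) else key)
    problems = []
    if not any(k["encrypt"] for k in keys):
        problems.append("cause 1: no encryption-capable key or subkey")
    for k in keys:
        if k["algo"] == "DSA" and k["bits"] > max_dsa_bits:
            problems.append("cause 2: DSA signing key is %d bits, limit is %d" % (k["bits"], max_dsa_bits))
    return keys, problems


# Constructed sample keys: MPIs are placeholders of the right length, not real key material.
def mpi(bits):
    return struct.pack(">H", bits) + (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")


def key_packet(tag, algo, mpi_bits):
    body = b"\x04" + struct.pack(">I", 0) + bytes([algo]) + b"".join(mpi(b) for b in mpi_bits)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body  # old format, 2-octet length


def armor(data):
    b64 = base64.b64encode(data).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


DSA1024_WITH_DH = armor(key_packet(6, 17, [1024, 160, 1024, 1024]) + key_packet(14, 16, [2048, 2048, 2048]))
SIGN_ONLY = armor(key_packet(6, 17, [1024, 160, 1024, 1024]))
DSA2048_WITH_DH = armor(key_packet(6, 17, [2048, 256, 2048, 2048]) + key_packet(14, 16, [2048, 2048, 2048]))

if __name__ == "__main__":
    for name, key in [("signonly", SIGN_ONLY), ("gary test", DSA1024_WITH_DH), ("dsa2048", DSA2048_WITH_DH)]:
        keys, problems = diagnose(key)
        print(name, [(k["packet"], k["algo"], k["bits"]) for k in keys], problems or ["OK"])
```

To run it against a real key, export the public key with ASCII armor, read the file into a string and pass it to diagnose(). Because the walker only looks at key-material packets it does not validate signatures or the CRC24 trailer, so treat its verdict as the same kind of hint as the UNKNOWN cipher: it tells you what the key carries, and pgpdump or the EBS key listing confirms how the product interprets it.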
Solution 2
Recreate the DSA key with a signing key size of 1024 bits. Note that a recreated key has a new key ID, so correspondents must import the new public key before they can encrypt to it. EBS 7.7 and 8.8 will support DSA 2048 signing keys; upgrade to those releases when they become available.