File Share Encryption

  • 1.  Update to 10.5.1 MP2 leads to "Unknown Key" on Fileshare Endpoints

    Posted Jul 25, 2023 12:33 PM

    Hi all together, hope you can share some thoughts with me?!

    I have a customer doing an upgrade from 10.5.0 MP2 to 10.5.1 MP2 due to client OS reqs. Upgrade seemed to be fine but on clients they see massive amounts of "Unknown key, Key ID is 0x....." 

    • Only module used is fileshare encryption
    • Clients stayed at the old version 
    • Windows 10 in use / Windows fileservices
    • When we query for the key-IDs they are all not found on the management server. 
    • When we revert the installation back to the old version (via VM snapshot) the keys are correctly shown but have different IDs.
    • User keys are GKM (partly very old keys, set to never expire since 10 years or so)
    • they use an SSL cert from their own CA - Root and sub have been correctly uploaded to trusted keys and into the client stores
    • just one server in use by now - no alias or load balancer used
    • Using the data seems to be normal as the users' keys are correctly shown but re-encryption does not work based on the unknown keys

    Does someone have a clue? We do not want to re-encrypt that large amount of folders for around 400 people..

    Thanks in advance for all your input

    Henning



  • 2.  RE: Update to 10.5.1 MP2 leads to "Unknown Key" on Fileshare Endpoints

    Broadcom Employee
    Posted Jul 25, 2023 01:31 PM

    If you're looking at the details of the Fileshare, it will list all keys the share is encrypted to, whether or not the client can actually 'see' the keys. If the keys are unknown to the client (not on the local keyring and unable to find them in a keyserver query), then it will list the key as unknown and the keyID.

    This largely doesn't matter as long as they have at least one key that has access to the share available to them (keyring or keyserver). Since you're in GKM, your clients should have their own keys local, and should still be able to access any share those users' keys were used to encrypt with.

    It sounds like the main problem here is key lookups from your SEMS are not working after upgrade. Start by checking the Client log on the SEMS under Reporting > Logs to see if the key search request is even making it to the server. A successful one will look something like this:

    Also make sure your Universal Services Protocol service is running in the Reporting > Overview main page. 

    I may also suggest restarting your SEMS gracefully in System > General Settings at the bottom, just to make sure all services are fresh.

    -Blake




  • 3.  RE: Update to 10.5.1 MP2 leads to "Unknown Key" on Fileshare Endpoints

    Posted Jul 26, 2023 03:25 AM

    Thank you Blake, we will try to replicate the problem on a test-setup or in production. We went back to old version and have to re-update again first. 




  • 4.  RE: Update to 10.5.1 MP2 leads to "Unknown Key" on Fileshare Endpoints

    Posted Jul 26, 2023 08:48 AM

    Hi Blake, seems to be an error with the keys after the upgrade.. USP-00000: error: corrupt data




  • 5.  RE: Update to 10.5.1 MP2 leads to "Unknown Key" on Fileshare Endpoints

    Broadcom Employee
    Posted Jul 26, 2023 11:27 AM

    Hi Henning, 
    Looks like there is a support case on this which is the better route for troubleshooting, and we should continue the discussion thread there :) 

    Thanks!



    ------------------------------
    Global Support Lead, Encryption
    BRCM
    ------------------------------