Troubleshooting GPG
GPG Key is Expired
When a GPG key for your account is about to expire, you will receive an automated email notification from Files.com titled Failures/Events that may need your attention.
When a key that is used for auto-encryption or auto-decryption has expired, uploads to the affected folders will be disabled until the key is replaced.
To resolve an expired GPG key issue in Files.com: use the appropriate GPG/PGP utility to update the expiration date for your key, export the updated key, disable the auto-encryption or auto-decryption setting that is using the expired key, and then re-enable Encryption or Decryption using your updated key.
Modification Detection Code (MDC) Error
Files encrypted by PGP or GPG should include a Modification Detection Code (MDC) which is used to confirm the integrity of the file.
In current and modern versions of PGP and GPG (version 7 onwards), the MDC is included by default. Older versions (version 6 and earlier) did not include the MDC by default, but allowed it to be optionally added.
If you receive a PGP or GPG encrypted file that does not include the MDC then you will see the following error message in the logs and site alert emails:
File is gpg encrypted but is missing modification detection code (MDC): path/to/folder/encrypted_file.txt.pgp
This error means that the integrity of the file cannot be confirmed, and should be a cause for concern if data security is important to you.
If you are willing to accept receiving GPG files which cannot have their integrity checked, then you can enable the Ignore MDC integrity check option for file decryption to bypass this check.
You can also contact your counterparty and ask them to include the MDC, if possible, when encrypting files. If your counterparty is using GPG to encrypt the file then they should use version 7 or later, which includes the MDC by default, or use the --force-mdc flag with older GPG versions to enforce the inclusion of the MDC.
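The MDC check described above can be reproduced on your own side before a file ever reaches a decryptor: an OpenPGP message whose encrypted payload is a Symmetrically Encrypted Integrity Protected Data packet (tag 18) carries an MDC, while one whose payload is a legacy Symmetrically Encrypted Data packet (tag 9) does not. The following Python is an added example, not Files.com code; it walks the packet headers of a binary (non-armored) OpenPGP message following RFC 4880 section 4.2 and reports which of the two packet types is present. The sample messages at the bottom are constructed for this example.

```python
"""Screen a binary OpenPGP message for an MDC before it is decrypted.

Added example, not Files.com code. Packet framing follows RFC 4880
section 4.2. Only binary (non-armored) input is handled; the sample
messages at the bottom are constructed for this example.
"""

TAG_SED = 9     # Symmetrically Encrypted Data packet: no MDC
TAG_SEIPD = 18  # Symmetrically Encrypted Integrity Protected Data: carries the MDC


def read_packet_header(buf: bytes, pos: int):
    """Return (tag, body_offset, body_length) for the packet starting at pos.

    body_length is None for an old-format indeterminate length or a
    new-format partial body length; both may only appear on the last
    (data) packet, which is also where this screener stops.
    """
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError(f"offset {pos}: 0x{ctb:02x} is not a packet header")
    if ctb & 0x40:                      # new-format header
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:                 # one-octet length
            return tag, pos + 2, first
        if first < 224:                 # two-octet length
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:                # five-octet length
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None       # partial body length
    tag = (ctb >> 2) & 0x0F             # old-format header
    length_type = ctb & 0x03
    if length_type == 3:
        return tag, pos + 1, None       # indeterminate length
    width = (1, 2, 4)[length_type]
    return tag, pos + 1 + width, int.from_bytes(buf[pos + 1:pos + 1 + width], "big")


def has_mdc(message: bytes) -> bool:
    """True when the encrypted payload is a tag 18 packet (MDC present).

    A parse failure raises instead of returning False, so a caller cannot
    confuse "could not parse" with either "MDC present" or "MDC missing".
    """
    if message.lstrip().startswith(b"-----BEGIN PGP"):
        raise ValueError("ASCII-armored input; run it through gpg --dearmor first")
    pos = 0
    while pos < len(message):
        tag, body, length = read_packet_header(message, pos)
        if tag == TAG_SEIPD:
            return True
        if tag == TAG_SED:
            return False
        if length is None:
            raise ValueError(f"indeterminate length on non-data packet tag {tag}")
        pos = body + length
    raise ValueError("no encrypted data packet found")


# Constructed samples: a dummy public-key encrypted session key packet
# (tag 1, new-format header 0xC1) followed by the encrypted data packet.
PKESK = bytes([0xC1, 3, 0x03, 0x00, 0x00])
SAMPLE_WITH_MDC = PKESK + bytes([0xD2, 5]) + b"\x01abcd"   # 0xD2 = new-format tag 18
SAMPLE_WITHOUT_MDC = PKESK + bytes([0xA4, 5]) + b"abcde"   # 0xA4 = old-format tag 9

if __name__ == "__main__":
    for name, sample in (("with MDC", SAMPLE_WITH_MDC), ("without MDC", SAMPLE_WITHOUT_MDC)):
        print(f"{name}: has_mdc={has_mdc(sample)}")
```

Run it against a dearmored .pgp file read in binary mode; gpg --list-packets on the same file shows the same distinction in its header comments (tag=18 versus tag=9) without needing the decryption key. Modern GnuPG (2.2.8 and later) refuses to decrypt tag 9 data by default, which is the same policy the Ignore MDC integrity check option lets you relax.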
Key Import Errors
The following are the most common errors encountered when importing GPG keys.
Key Has Expired
This error indicates that you are attempting to import an expired key.
An import error message of "contains an invalid public key: key has expired" indicates that the public key is expired. Expired public keys cannot be used to encrypt data and cannot be imported. Contact the key's provider and ask for a replacement unexpired key.
An import error message of "contains an invalid private key: key has expired" indicates that the private key is expired. Expired private keys cannot be used to sign or decrypt data and cannot be imported. Contact the key's provider and ask for a replacement unexpired key.
Password is Missing
The "contains an invalid private key: Private key password is missing" error message indicates that the private key you are attempting to import requires a password (passphrase) but you didn't provide the password.
Provide the password (passphrase) that was used to protect the private key.
Incorrect Private Key Password
The "contains an invalid private key: Incorrect private key password" error message indicates that the private key you are attempting to import requires a password (passphrase) but you didn't provide the correct one.
Provide the correct password (passphrase) that was used to protect the private key.
Password Not Required
The "contains an invalid private key: Password present but private key does not require one" error message indicates that the private key you are attempting to import does not require a password (passphrase) but you provided one.
Remove the password (passphrase) from the input form and retry the import.
Key Mismatch
When importing a key pair, the fingerprints of the public and private keys should match. If the fingerprints don't match then contact the key's provider and ask for a matching key pair.
The "public key to private key mismatch" error message indicates that you are attempting to import a key pair whose public and private keys do not correspond with each other.
Whenever possible, the error message will include details about the keys including the user ID (key owner) and fingerprint.
Keys are not required to be imported as pairs so you can import public or private keys independently. Only import a key pair together when they are a matching pair.
You can also double-check a key pair mismatch issue using the GPG command line application. Use the command gpg --list-packets <keyfile> to see details about a key. When comparing a private and public key, the output of this command will show matching keyid: and hashed subpkt 33 len 21 entries. If these values differ then the keys are not a matching pair.
Example cropped output for matching keys, showing the relevant sections containing the keyid: and hashed subpkt 33 fingerprint:
% gpg --list-packets PUBLIC_keyfile.pem
# off=0 ctb=c6 tag=6 hlen=3 plen=525 new-ctb
:public key packet:
...
keyid: 7EA2B584CEBEE146
# off=528 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=574 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
...
hashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
...
% gpg --list-packets PRIVATE_keyfile.pem
# off=0 ctb=c5 tag=5 hlen=3 plen=1816 new-ctb
:secret key packet:
...
keyid: 7EA2B584CEBEE146
# off=1819 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=1865 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
...
hashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
...
In the above output, the values for keyid: and hashed subpkt 33 len 21 should match for each key. Keys with differing keyid: values, or differing hashed subpkt 33 len 21 values, are not a matched pair.
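The comparison above can be scripted so it is done the same way every time. The following Python is an added example, not Files.com code: it takes the text output of gpg --list-packets for a public key and for a private key, extracts the primary key's keyid: line and the issuer fpr v4 value of hashed subpacket 33 from each, and lists every disagreement. It goes slightly beyond the page's check by also confirming that each listing's keyid is the low 64 bits of its own v4 fingerprint, which is how OpenPGP defines the v4 keyid, and that the first file really holds a public key packet and the second a secret key packet. The sample listings are copied (cropped) from the example output above; the mismatched listing is constructed by altering the keyid.

```python
"""Compare gpg --list-packets output for a public and a private key.

Added example, not Files.com code. The sample listings are cropped copies
of the page's example output; the mismatched one is constructed.
"""
import re

KEYID_RE = re.compile(r"^\s*keyid:\s*([0-9A-Fa-f]{16})\s*$", re.MULTILINE)
FPR_RE = re.compile(r"issuer fpr v4 ([0-9A-Fa-f]{40})")
KEY_PACKET_RE = re.compile(r"^:(public|secret) key packet:", re.MULTILINE)


def parse_listing(text: str) -> dict:
    """Pull the key kind, primary keyid and issuer fingerprint from a listing.

    The primary key packet precedes any subkey packets, so the first
    "keyid:" line belongs to the primary key. The signature packet line
    ("keyid 7EA2...", no colon) is deliberately not matched.
    """
    kind = KEY_PACKET_RE.search(text)
    keyid = KEYID_RE.search(text)
    fpr = FPR_RE.search(text)
    if not (kind and keyid and fpr):
        raise ValueError("listing lacks a key packet, a keyid: line or an issuer fpr v4 subpacket")
    return {
        "kind": kind.group(1),
        "keyid": keyid.group(1).upper(),
        "fingerprint": fpr.group(1).upper(),
    }


def check_pair(public_listing: str, private_listing: str) -> list:
    """Return a list of problems; an empty list means a matching pair."""
    pub = parse_listing(public_listing)
    priv = parse_listing(private_listing)
    problems = []
    if pub["kind"] != "public":
        problems.append("first listing does not contain a public key packet")
    if priv["kind"] != "secret":
        problems.append("second listing does not contain a secret key packet")
    if pub["keyid"] != priv["keyid"]:
        problems.append(f"keyid mismatch: {pub['keyid']} vs {priv['keyid']}")
    if pub["fingerprint"] != priv["fingerprint"]:
        problems.append(f"issuer fingerprint mismatch: {pub['fingerprint']} vs {priv['fingerprint']}")
    # For a v4 key the keyid is the low 64 bits of the fingerprint, so a
    # listing whose two values disagree has been edited or mis-parsed.
    for label, key in (("public", pub), ("private", priv)):
        if key["fingerprint"][-16:] != key["keyid"]:
            problems.append(f"{label} listing: keyid is not the low 64 bits of the v4 fingerprint")
    return problems


# Cropped copies of the page's gpg --list-packets example output.
PUBLIC_LISTING = """\
# off=0 ctb=c6 tag=6 hlen=3 plen=525 new-ctb
:public key packet:
\tkeyid: 7EA2B584CEBEE146
# off=528 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=574 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
\thashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
"""

PRIVATE_LISTING = """\
# off=0 ctb=c5 tag=5 hlen=3 plen=1816 new-ctb
:secret key packet:
\tkeyid: 7EA2B584CEBEE146
# off=1819 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=1865 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
\thashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
"""

# Constructed: a private key from some other pair (keyid and fingerprint tail altered).
MISMATCHED_PRIVATE_LISTING = PRIVATE_LISTING.replace("7EA2B584CEBEE146", "0123456789ABCDEF")

if __name__ == "__main__":
    for label, priv in (("matching", PRIVATE_LISTING), ("mismatched", MISMATCHED_PRIVATE_LISTING)):
        print(label, check_pair(PUBLIC_LISTING, priv) or "OK: keys form a pair")
```

To use it on real key files, capture the two listings first, for example with gpg --list-packets PUBLIC_keyfile.pem > pub.txt and gpg --list-packets PRIVATE_keyfile.pem > priv.txt, then pass the file contents to check_pair. Feeding the listings to a script rather than eyeballing them matters because a keyid is 16 hex characters and a fingerprint is 40; a single transposed character is easy to miss by eye but not by string comparison.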
File Too Large
Currently, files with a size greater than 2 GB are not supported for either encryption or decryption. Make sure that files are smaller in size than 2 GB prior to encryption or decryption.
Partial File
If an encrypted file is partially uploaded, so that an incomplete file has been delivered, then decryption of that file will fail. Make sure that your counterparties upload files completely.
If a file is partially uploaded, so that an incomplete file is being delivered for encryption, then encryption of that file will succeed. However, the encrypted file will only contain the partial file. If you, or your counterparty, decrypt the encrypted file then the original partial file will be successfully output. Make sure to upload the complete file prior to encrypting it.
Error Notifications
Errors encountered while attempting to encrypt or decrypt files will be logged in the Site Alert Emails, which are sent to site administrators that have opted-in to receiving these alerts.