Troubleshooting PGP issues

When sending or receiving PGP encrypted files, the most common problem is mismatched PGP keys: the file was not encrypted with the public key that goes with the private key that decrypts it.

For imported files, the file should be encrypted with one of the Medallia public PGP keys. Using a decryption tool (like the GNU Privacy Guard gpg tool), try to decrypt the file. The decryption will fail, but the failure message will report the user ID of the public key. Medallia public keys include "Medallia" in the ID. If you do not see "Medallia" in the ID, the file was not encrypted with a Medallia public key.

$ gpg --decrypt encryptedFilename1.pgp
gpg: encrypted with 2048-bit RSA key, ID: 90ED3DC739CC616E, created 2016-12-02 "Medallia Express (2048-bit)"
gpg: decryption failed: No secret key

$ gpg --decrypt encryptedFilename2.csv.pgp
gpg: encrypted with 2048-bit ELG key, ID F26BE770EB609BE6, created 2017-04-18 "Medallia <admin@medallia.com>"
gpg: decryption failed: No secret key
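The check described above can be scripted so that a batch of incoming files is classified without reading gpg's output by hand. The following is an added example, not part of the original page or any Medallia tooling; it parses the "encrypted with ... key, ID ..." line that gpg prints, re-attaches the quoted user ID (which newer gpg versions put on an indented continuation line), and reports whether any recipient key's user ID contains "Medallia". The two sample outputs are constructed, modelled on the messages shown above; only `check_encrypted_file` needs a real gpg installation.

```python
import re
import subprocess

# Constructed sample of gpg's stderr from a decrypt attempt with no matching
# secret key, modelled on the output shown above (not captured from a real run).
SAMPLE_MEDALLIA_KEY = """\
gpg: encrypted with 2048-bit RSA key, ID 90ED3DC739CC616E, created 2016-12-02
      "Medallia Express (2048-bit)"
gpg: decryption failed: No secret key
"""

# Constructed sample for a key that is not in the local keyring at all, so gpg
# prints a key ID but no user ID (modelled on the keyblock error on this page).
SAMPLE_UNKNOWN_KEY = """\
gpg: encrypted with RSA key, ID 99999999
gpg: decryption failed: No secret key
"""

RECIPIENT_RE = re.compile(
    r"encrypted with (?:(?P<bits>\d+)-bit )?(?P<algo>\w+) key, ID:? (?P<keyid>[0-9A-Fa-f]+)"
    r"(?:, created (?P<created>\d{4}-\d{2}-\d{2}))?"
    r'(?:\s+"(?P<uid>[^"]*)")?'
)


def _join_continuations(text):
    """Re-attach indented continuation lines (the quoted user ID) to the line above."""
    joined = []
    for line in text.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.rstrip())
    return joined


def parse_recipients(stderr_text):
    """One dict per 'encrypted with ... key' line: keyid, algo, bits, created, uid."""
    recipients = []
    for line in _join_continuations(stderr_text):
        match = RECIPIENT_RE.search(line)
        if match:
            recipients.append(match.groupdict())
    return recipients


def encrypted_to_expected_key(recipients, uid_marker="Medallia"):
    """True if at least one recipient key's user ID contains the expected marker."""
    return any(r["uid"] and uid_marker in r["uid"] for r in recipients)


def check_encrypted_file(path, gpg="gpg"):
    """Run gpg on a real file (the only part of this example that needs gpg).
    Returns (recipients, decrypted_ok); any decrypted output is discarded."""
    proc = subprocess.run(
        [gpg, "--batch", "--yes", "--decrypt", "--output", "/dev/null", path],
        capture_output=True, text=True,
    )
    return parse_recipients(proc.stderr), proc.returncode == 0


if __name__ == "__main__":
    for sample in (SAMPLE_MEDALLIA_KEY, SAMPLE_UNKNOWN_KEY):
        recs = parse_recipients(sample)
        print(recs, "-> encrypted to a Medallia key:", encrypted_to_expected_key(recs))
```

A file whose recipient list has a key ID but no user ID (the second sample) was encrypted to a key that is not even in the local keyring, which is a stronger signal of a mismatch than a wrong user ID.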

Unexpected error: No such file or directory and No secret key

When first setting up and using PGP it is possible to see a "No such file or directory" error, similar to this:

Unexpected error: [gpg: keyblock resource `/express/workdir/shared/gnupg/secring.gpg': No such file or directory, gpg: keyblock resource `/express/workdir/shared/gnupg/pubring.gpg': No such file or directory, gpg: encrypted with RSA key, ID 99999999, gpg: decryption failed: No secret key]

In this scenario, contact Support for assistance in getting this set up on your instance. See Contact Medallia Support for help.

Incompatible encryption key warning

When exporting files, it is possible to see a warning message that begins:

The encryption key for [EXPORT NAME] is incompatible …

Contact Support for guidance on what might be wrong with the key. Include the actual key itself in the request. See Contact Medallia Support for help.

Encryption failed: no suitable encryption key found

When first setting up and using PGP, it is possible to see an "incompatible encryption key set" error, similar to this:

The encryption key set is incompatible with the new PGP library that will be enabled in the future. Upgrade this key as soon as possible to prevent future functionality impact. Details: Encryption failed: no suitable encryption key found.

This happens when the key was generated in a way that does not follow PGP best practice, for example a key that has no valid subkey carrying the expected key flags. Our libraries may flag such keys.

Note that compatible keys have a subkey with an "encryption" usage flag:

pub   rsa2048 2016-12-02 [SC]
      41E66CAAD5FB183B05A200C73B1B0512301EE92A
uid           [ultimate] Medallia Experience Cloud (Hosted 2048-bit) <admin@medallia.com>
uid           [ultimate] Medallia Express (2048-bit)
sub   rsa2048 2016-12-02 [E]
      413AB33D9713482A13BD09409DED3DC739CC616E
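Whether a key meets the rule stated above (a subkey with the "E" usage flag) can be checked from the `gpg --list-keys` listing before the key is uploaded. The following is an added example, not code from the original page or from Medallia; it parses the `pub`/`sub` lines of a listing, collects the usage flags, and reports whether a usable encryption subkey exists, also ignoring subkeys that gpg marks as expired or revoked. The compatible listing is the one shown above; the incompatible listing is constructed for contrast.

```python
import re

# The listing shown above, used here as sample input (copied from the page).
COMPATIBLE_LISTING = """\
pub   rsa2048 2016-12-02 [SC]
      41E66CAAD5FB183B05A200C73B1B0512301EE92A
uid           [ultimate] Medallia Experience Cloud (Hosted 2048-bit) <admin@medallia.com>
uid           [ultimate] Medallia Express (2048-bit)
sub   rsa2048 2016-12-02 [E]
      413AB33D9713482A13BD09409DED3DC739CC616E
"""

# Constructed listing (not from the page) of a key whose only subkey is a
# signing subkey, so there is no subkey with the "E" flag.
INCOMPATIBLE_LISTING = """\
pub   rsa2048 2020-01-01 [SC]
      0000000000000000000000000000000000000000
uid           [ultimate] Example Sender <sender@example.com>
sub   rsa2048 2020-01-01 [S]
      1111111111111111111111111111111111111111
"""

# Matches "pub   rsa2048 2016-12-02 [SC]" and "sub   rsa2048 2016-12-02 [E] [expired: 2024-01-01]".
KEY_LINE_RE = re.compile(
    r"^(?P<kind>pub|sub)\s+(?P<algo>\S+)\s+(?P<created>\d{4}-\d{2}-\d{2})\s+"
    r"\[(?P<flags>[A-Z]+)\]"
    r"(?:\s+\[(?P<status>expires|expired|revoked):?\s*(?P<status_date>[^\]]*)\])?"
)


def parse_listing(text):
    """Return one dict per pub/sub line: kind, algo, created, flags, status, status_date."""
    keys = []
    for line in text.splitlines():
        match = KEY_LINE_RE.match(line)
        if match:
            keys.append(match.groupdict())
    return keys


def encryption_subkeys(text):
    """Subkeys carrying the E usage flag that are neither expired nor revoked."""
    return [
        k for k in parse_listing(text)
        if k["kind"] == "sub"
        and "E" in k["flags"]
        and k["status"] not in ("expired", "revoked")
    ]


def is_compatible(text):
    """The rule stated on this page: a compatible key has an encryption subkey."""
    return bool(encryption_subkeys(text))


if __name__ == "__main__":
    for name, listing in (("page key", COMPATIBLE_LISTING), ("constructed key", INCOMPATIBLE_LISTING)):
        print(name, "-> encryption subkey present:", is_compatible(listing))
```

To check a key before sending it, run `gpg --list-keys <key id>` and feed the output to `is_compatible`; an expired encryption subkey is reported as unusable because gpg will not encrypt to it either.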

Contact Support for guidance on what might be wrong with the key. See Contact Medallia Support for help.

Decryption failed: format error in ASCII Armor file

When you share an encrypted file that (1) is encoded in ASCII Armor, (2) decrypts to blank contents, and (3) contains a format error in the ASCII Armor, decryption fails, even though the same file would otherwise decrypt successfully if its contents were not blank.

The key factors in this scenario are:

  • The blank contents

  • The format error

Do not send blank text files for testing purposes; send a file containing "this is a test" so we can see the contents of the file.

We recommend that you use PGP binary data encoding rather than the ASCII Armor encoding, as the binary data encoding is harder to misformat and is more storage-efficient.
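A format error in an ASCII Armor file can be caught on the sending side before the file is shared, without any key. The following is an added example, not code from the original page or from Medallia; it implements the armor layout and the CRC-24 checksum from RFC 4880 section 6, wraps a constructed byte string (a stand-in for real encrypted PGP bytes) in armor, and validates armored text for the things that go wrong in practice: a damaged BEGIN or END line, a missing blank line after the armor headers, an empty data section, bad base64, and a checksum that no longer matches the data. Blank plaintext, the other factor named above, is only visible after decryption, so `plaintext_is_blank` is applied to the decrypted bytes instead.

```python
import base64
import re

ARMOR_BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
ARMOR_END_RE = re.compile(r"^-----END PGP ([A-Z ]+)-----$")

# Constructed stand-in for encrypted PGP bytes; not a real OpenPGP packet.
SAMPLE_PAYLOAD = bytes(range(200))


def crc24(data):
    """CRC-24 as defined in RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(payload, kind="MESSAGE"):
    """Wrap raw bytes in ASCII Armor: BEGIN line, blank line, 64-column base64, CRC line, END line."""
    body = base64.b64encode(payload).decode()
    data_lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + data_lines
                     + [crc_line, f"-----END PGP {kind}-----", ""])


def validate_armor(text):
    """Return (ok, reason). Checks structure and checksum only; it cannot see the plaintext."""
    lines = [line.rstrip("\r") for line in text.splitlines()]
    while lines and not lines[0].strip():
        lines.pop(0)
    while lines and not lines[-1].strip():
        lines.pop()
    begin = ARMOR_BEGIN_RE.match(lines[0]) if lines else None
    if begin is None:
        return False, "missing or malformed BEGIN line"
    end = ARMOR_END_RE.match(lines[-1])
    if end is None:
        return False, "missing or malformed END line"
    if begin.group(1) != end.group(1):
        return False, "BEGIN and END block types differ"
    body = lines[1:-1]
    if "" not in body:  # armor headers such as "Version:" end at the first blank line
        return False, "no blank line separating armor headers from data"
    data_lines = body[body.index("") + 1:]
    crc_line = data_lines.pop() if data_lines and data_lines[-1].startswith("=") else None
    if not data_lines:
        return False, "armored data section is empty"
    try:
        payload = base64.b64decode("".join(data_lines), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return False, f"base64 error in data section: {exc}"
    if crc_line is not None:  # the CRC line is optional in newer implementations
        try:
            expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        except ValueError:
            return False, "malformed CRC line"
        if expected != crc24(payload):
            return False, "CRC24 mismatch: armored data was altered or truncated"
    return True, "ok"


def plaintext_is_blank(decrypted):
    """True when decrypted contents are empty or whitespace only (the blank-file case above)."""
    return not decrypted.strip()


if __name__ == "__main__":
    text = armor(SAMPLE_PAYLOAD)
    print(validate_armor(text))
    print(validate_armor(text.replace("-----END PGP MESSAGE-----", "-----END PGP MESSAGE----")))
    print("blank plaintext:", plaintext_is_blank(b"   \n"), plaintext_is_blank(b"this is a test\n"))
```

Running `validate_armor` over an outgoing `.asc` file before upload catches the armor damage that otherwise surfaces only as a decryption failure on the receiving side; binary output (`gpg` without `--armor`) avoids the problem entirely, as recommended above.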

Enhance SFTP security with passphrases

Although not all Experience Cloud modules require passphrases for SFTP private keys, some do. Because passphrases enhance security, we recommend setting a passphrase on all newly generated private keys and adding one to any pre-existing keys.
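Pre-existing keys that still lack a passphrase can be found by inspecting the key files themselves: an `openssh-key-v1` key records its cipher name in the envelope ("none" means no passphrase), a legacy PEM key carries a `Proc-Type: 4,ENCRYPTED` header when protected, and a PKCS#8 key announces itself as `ENCRYPTED PRIVATE KEY`. The following audit is an added example, not code from the original page or from Medallia; the `build_openssh_fixture` helper builds a constructed envelope containing only the fields the check reads, so it is not a usable key and exists purely to exercise the check offline.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob, offset):
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def private_key_is_passphrase_protected(key_text):
    """True if the private key file is encrypted, i.e. needs a passphrase to use."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 envelope")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA) or unencrypted PKCS#8: protected only with Proc-Type header
        return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:])
    raise ValueError("unrecognised private key format")


def audit_private_keys(paths):
    """Map each key path to True (passphrase set), False (none), or an error string."""
    report = {}
    for path in paths:
        try:
            report[str(path)] = private_key_is_passphrase_protected(Path(path).read_text())
        except (OSError, ValueError) as exc:
            report[str(path)] = f"error: {exc}"
    return report


def build_openssh_fixture(cipher):
    """Constructed openssh-key-v1 envelope with only magic, cipher, kdf name and kdf
    options. It is NOT a usable key; it exists so the check can be exercised offline."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC
    blob += struct.pack(">I", len(cipher)) + cipher
    blob += struct.pack(">I", len(kdf)) + kdf
    blob += struct.pack(">I", 0)  # empty kdfoptions
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM header block (key material replaced by a placeholder).
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

QUJD
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print("no passphrase:", private_key_is_passphrase_protected(build_openssh_fixture(b"none")))
    print("aes256-ctr:", private_key_is_passphrase_protected(build_openssh_fixture(b"aes256-ctr")))
    print("legacy PEM:", private_key_is_passphrase_protected(LEGACY_ENCRYPTED_PEM))
```

Any key the audit reports as `False` can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`, which rewrites the file encrypted without changing the public key that is already registered on the SFTP server.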