Encryption is failing for the keys generated using a PowerShell script for the IoT Device Provisioning Service.

Varsha V 0 Reputation points
2023-07-12T09:09:15.1966667+00:00

Using a PowerShell script we are trying to generate, rotate, trust and encrypt the DPS keys for IoT device provisioning, and also send the encrypted key file to a mail destination. Encryption is failing. Need help on this. We are trying this both locally and through an Azure DevOps pipeline, but are unable to resolve the issue.

Error:

gpg: DPS Keys: skipped: Unusable public key
gpg: keys.txt: encryption failed: Unusable public key

Azure IoT Hub

1 answer

  1. Limitless Technology 44,681 Reputation points
    2023-07-12T17:19:58.4633333+00:00

    Hello Varsha,

    Thank you for your question and for reaching out with your question today.

    The error you're encountering indicates that there is an issue with the public key being used for encryption. Here are some steps you can take to troubleshoot and resolve the problem:

    1. Check the public key: Ensure that the public key you are using for encryption is valid and correctly formatted. Verify that the key is imported into the keyring or keychain used by the GnuPG (GPG) tool. You can use the gpg --list-keys command to check if the public key is present and usable.
    2. Confirm the recipient's key: Make sure that you are using the correct public key for the recipient of the encrypted file. Double-check the key's fingerprint or other identifying information to ensure accuracy.
    3. Trust the public key: If you haven't explicitly trusted the public key, GPG may consider it untrusted and refuse to encrypt the file. Use the gpg --edit-key command to access the key and set the trust level to ultimate. For example:

           gpg --edit-key [key-id]
           trust
           5
           quit

    4. Ensure proper key encryption: Verify that the GPG command you are using includes the recipient's public key when specifying the --recipient flag. For example:

           gpg --encrypt --recipient [recipient-key-id] [file-to-encrypt]

    5. Test encryption locally: Test the encryption process locally on your machine outside of the Azure DevOps pipeline. This will help isolate any potential pipeline-related issues. Use the same GPG command and ensure that the encryption is successful without any errors.
    6. Check Azure DevOps pipeline setup: Review your Azure DevOps pipeline configuration to ensure that all necessary tools and dependencies are properly installed and configured. Make sure that GPG is installed and accessible within the pipeline environment. Also, confirm that the appropriate keyrings and keychain directories are accessible and correctly configured.
    7. Verify pipeline permissions: Check the permissions of the service principal or user account used in the Azure DevOps pipeline. Ensure that it has the necessary permissions to access the GPG tools, keyrings, and other required resources.
    8. Consider using Azure Key Vault: Instead of relying on GPG for encryption, you can consider using Azure Key Vault to store and manage encryption keys securely. Azure Key Vault integrates well with Azure DevOps and provides encryption capabilities that can be easily integrated into your pipelines.

    If the issue persists, you may want to provide more specific details about the PowerShell script, GPG command, and pipeline configuration for further assistance. Additionally, consulting the GnuPG documentation, Azure DevOps documentation, or seeking support from Microsoft or the GPG community might be helpful in troubleshooting and resolving the encryption issue.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.
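The checks in steps 1 to 4 above can be automated before the pipeline ever calls gpg --encrypt. The script below is an added example; it is not code from the question or the answer, and it is written in Python rather than the asker's PowerShell so the parsing can be exercised offline. It reads the machine-readable output of `gpg --with-colons --list-keys <key-id>` (field positions follow GnuPG's doc/DETAILS: validity in field 2, expiry in field 7, user id in field 10, capabilities in field 12) and reports the two conditions that make gpg in --batch mode print "Unusable public key": the key has no live encryption-capable subkey (expired, revoked or sign-only), or its validity is below full/ultimate because it was never signed or trusted. The two key listings, the fingerprints and the user id are constructed sample data, not real keys; `list_key_with_gpg` is the only part that needs a real gpg on PATH.

```python
"""Pre-flight check for the 'Unusable public key' error before calling gpg --encrypt.

Parses the machine-readable output of `gpg --with-colons --list-keys <key-id>`
and reports why GnuPG (in --batch mode) would refuse to encrypt to that key.
Field layout per GnuPG's doc/DETAILS (0-based): 0 record type, 1 validity,
6 expiry (epoch seconds, empty = never), 9 user id, 11 capabilities
(lowercase letters apply to that key/subkey itself).
"""
import subprocess
from dataclasses import dataclass, field

VALIDITY, EXPIRES, USER_ID, CAPS = 1, 6, 9, 11


@dataclass
class KeyReport:
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    validity: str = "-"               # validity letter of the primary key
    encrypt_capable: bool = False     # a live (sub)key carries the 'e' capability
    problems: list = field(default_factory=list)

    @property
    def usable(self) -> bool:
        return not self.problems


def analyse_listing(listing: str, now: int) -> KeyReport:
    """Analyse one key's --with-colons listing; `now` is epoch seconds for expiry checks."""
    report = KeyReport()
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                               # tru/other short records
        if f[0] == "fpr" and not report.fingerprint:
            report.fingerprint = f[9]              # first fpr record = primary key fingerprint
        elif f[0] == "uid":
            report.uids.append(f[USER_ID])
        elif f[0] in ("pub", "sub") and len(f) > CAPS:
            if f[0] == "pub":
                report.validity = f[VALIDITY]
            expired = f[EXPIRES].isdigit() and int(f[EXPIRES]) <= now
            dead = f[VALIDITY] in ("r", "e", "i", "d")   # revoked, expired, invalid, disabled
            if "e" in f[CAPS] and not expired and not dead:
                report.encrypt_capable = True
    if not report.fingerprint:
        report.problems.append("key not found in keyring (import it, then re-check)")
        return report
    if not report.encrypt_capable:
        report.problems.append("no live encryption-capable (sub)key: expired, revoked or sign-only")
    if report.validity not in ("f", "u"):
        report.problems.append(
            f"key validity is '{report.validity}', not full/ultimate; "
            "sign it locally (gpg --lsign-key) or set owner trust (gpg --edit-key ... trust)")
    return report


def list_key_with_gpg(key_id: str) -> str:
    """Fetch the colon listing from the real gpg binary on PATH (not exercised offline)."""
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys", key_id],
                         capture_output=True, text=True)
    return out.stdout


def build_encrypt_command(recipient_fpr: str, infile: str, outfile: str) -> list:
    """The gpg invocation to run once the pre-flight check passes.
    Encrypting to the full fingerprint avoids picking the wrong key when several share a user id."""
    return ["gpg", "--batch", "--yes", "--encrypt", "--recipient", recipient_fpr,
            "--output", outfile, infile]


# Constructed sample listings (not real keys): one healthy key and one whose only
# encryption subkey has expired and whose owner trust was never set.
NOW = 1_700_000_000
GOOD_LISTING = """\
tru::1:1690000000:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1650000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1650000000::DEADBEEF::DPS Keys <dps-keys@example.invalid>::::::::::0:
sub:u:3072:1:FEDCBA9876543210:1650000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""
EXPIRED_LISTING = """\
tru::1:1690000000:0:3:1:5
pub:-:3072:1:0123456789ABCDEF:1500000000:::-:::scSC::::::23::0:
fpr:::::::::9999888877776666555544443333222211110000:
uid:-::::1500000000::CAFEBABE::DPS Keys <dps-keys@example.invalid>::::::::::0:
sub:e:3072:1:FEDCBA9876543210:1500000000:1600000000:::::e::::::23:
fpr:::::::::0000111122223333444455556666777788889999:
"""

if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("expired", EXPIRED_LISTING)):
        rep = analyse_listing(listing, NOW)
        print(name, "usable" if rep.usable else "UNUSABLE", rep.problems)
```

In a pipeline, run `analyse_listing(list_key_with_gpg(key_id), int(time.time()))` first and fail the job with the collected problems instead of letting gpg report "Unusable public key"; the report also tells you which of the fixes in steps 1 to 3 applies, so you do not need to fall back on `--trust-model always`, which would encrypt to any key regardless of whether it has been verified.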

