Itgencce033: System.Security.Cryptography.CryptographicException and "Key not valid for use in specified state" on startup

Problem

After automatic installation of Windows patches, you may be confronted with an error on application startup such as:

Error itgencce033: Invantive Keychain must be decrypted using a password, but the file can not be decrypted. Please use the Invantive Keychain file with the Windows profile it was created for. Alternatively, rename the Invantive Keychain file 'C:\...\Invantive\invantive.keychain' and rebuild your keychain from scratch. The provided encrypted password cannot be decrypted. Please provide a valid encrypted password. Key not valid for use in specified state.

The details of this error resemble:

Error itgencce033: Exception: System.Security.Cryptography.CryptographicException
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   ...
   at Invantive.Basics.StrongAsymmetricKey.get_T()
   at Invantive.Basics.StrongAsymmetricKey.DecryptShortMessageAsByteArray(Byte[] encryptedBytes)
   ...
   at Invantive.Basics.StrongAsymmetricKey.DecryptAesShortMessageToText(AesTuple aesTuple)

Typically the application runs fine before the Windows patch is applied, and the error keeps occurring on every start after the patch has been applied.

The error details do not contain text such as:

  • “The profile for the user is a temporary profile.”

Solution

Invantive products on Windows encrypt several pieces of data, such as the license key and the contents of the Invantive Keychain, using a Windows feature. This encryption is set up such that the encrypted data can only be decrypted using a key stored on the device itself. In that way, we ensure that it is very hard to decrypt confidential data when the encrypted data is leaked outside the trusted device.

However, since around 2018 this Windows feature has either been unreliable or is so hard to understand that our technical staff does not grasp it.

Please follow these steps to solve the problem:

  • Make a backup of the device and ensure that you can restore it.
  • Roll back your device to a backup taken immediately before the Windows patch was installed.
  • When the problem is triggered by the license key, as shown in the error message: remove the contents of the tag “EncryptedLicenseKey” from the product-installation-user.settings file of the product, or rename the file altogether. After restarting the product, re-enter your license key or request a new one using the Support Portal. Note that the license key does not have to be stored in the settings file. On release 17.31.70 and newer of Invantive Data Hub you can also specify the parameter “/licensekey:KEY” (see documentation).
  • When the problem is triggered by the Invantive Keychain, as shown in the error message: rename the file “invantive.keychain”. Essential confidential data might have been lost. Invantive or dealers can assist you in rebuilding the keychain contents on a time and material basis.
  • Advanced analysis features are available for consultants using the Tools menu option “Show Invantive key container files” of Invantive Support Assistant (this can run for several minutes). Do not use the “Reset” feature of Invantive Support Assistant unless you understand the risk of data loss.
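The stack trace above fails inside the RSACryptoServiceProvider constructor that opens a persisted CSP key container. The following PowerShell diagnostic is an added example, not code from Invantive or this article: it tries to open a named key container on the same constructor path, reports the CSP error code, and lists the per-user key container files so their timestamps can be compared with the patch date. The container name is a placeholder (take the real one from “Show Invantive key container files”), and the script must run as the Windows user whose profile created the keychain.

```powershell
# Added diagnostic, not part of Invantive's products. The container name below is a
# placeholder; use the name reported by Invantive Support Assistant.
function Test-RsaKeyContainer {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,
        [switch] $MachineKeyStore   # default is the per-user key store
    )
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    # UseExistingKey: open only; never silently create a fresh key pair
    $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    if ($MachineKeyStore) {
        $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }
    $result = [ordered]@{ Container = $ContainerName; Opened = $false; RoundTrip = $false; HResult = $null; Error = $null }
    try {
        # Same constructor path as in the stack trace above
        $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new($csp)
        try {
            $result.Opened = $true
            # Constructed test message: proves the private key is usable, not merely present
            $plain  = [Text.Encoding]::UTF8.GetBytes('keychain self-test')
            $cipher = $rsa.Encrypt($plain, $true)
            $result.RoundTrip = ([Text.Encoding]::UTF8.GetString($rsa.Decrypt($cipher, $true)) -eq 'keychain self-test')
        } finally { $rsa.Dispose() }
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap PowerShell's invocation wrapper
        $result.Error   = $ex.Message
        $result.HResult = '0x{0:X8}' -f $ex.HResult
        # 0x8009000B NTE_BAD_KEY_STATE = "Key not valid for use in specified state" (the error in this article)
        # 0x80090016 NTE_BAD_KEYSET    = "Keyset does not exist" (container was removed or never created)
    }
    [pscustomobject]$result
}

# Per-user CSP key container files, newest first, to correlate with the patch installation date
function Get-UserRsaKeyContainerFiles {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    Get-ChildItem -Path (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid") -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
}

Test-RsaKeyContainer -ContainerName 'PLACEHOLDER-invantive-container-name'
Get-UserRsaKeyContainerFiles
```

Opened = True with RoundTrip = False, or HResult 0x8009000B, means the container file is present but its key cannot be used from the current profile, which is the situation the error message describes.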

Given the Windows stability issues, we have made the use of unencrypted passwords available again in Invantive Data Hub. For the long term, we plan to replace the Windows encryption with the generic encryption already used on Linux: ITGEN-4165

The generic encryption is already available and can be activated by setting the environment variable INVANTIVE_RSA to the value INVANTIVE.