[SOLVED] Decrypting file attempts to use sub-key and then gives 'No secret key' error.
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Version: GnuPG v1.2.4 (MingW32)
gpg: armor header:
gpg: public key is 99F89J32
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
My conclusion from all of this is that the sender needs to send me their public key in the same format that I sent to them. Such as:
pub 2048R/J561VE25 2015-09-23
sub 2048R/SOM3NUMB 2015-09-23
My thought it that the key files they sent me don't have the corresponding pub/sub and therefore gpg can't validate because I only have one part of their keypair's information.
Can anyone tell me if I'm wrong in this or if my thoughts are correct?
The other side encrypts with YOUR public key. You decrypt with YOUR private/secret key.
The output shows they did encrypt with the key and subkey you sent. It is saying YOU don't have YOUR secret key.
Run "gpg -k" to see the public keys you have imported.
Run "gpg -K" to see the private keys you have imported.
If you don't see a private key you need to import it to your secret key ring. Your private key should have been created at the same time as you created your public key.
You would only need their public key to encrypt file for them. Note THEY can encrypt and sign with their public key at the same time as they encrypt with YOUR public key but that is only so they can also decrypt with their private key. They can't decrypt otherwise as they don't have (hopefully) YOUR private key. That is to say there is no requirement that they encrypt with their key at the same time as they encrypt with your key.
Similarly if you were sending files to them you would encrypt with THEIR public key and would not have THEIR private key. If you wanted to be able to decrypt a file you were sending to them you'd encrypt with both THEIR key and YOUR key.
I believe the problem isn't with the decryption, but with the validation of their key.
If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?
The key I exported and sent to them clearly has both pieces, so when I encrypt to them, because they signed my key, the keys can be validated.
The key I got from them doesn't contain both the pub and sub pieces. So when gpg tries to validate it reads the encrypted file, finds their key pair info, but only finds the public part of the info in my key ring. So their private/secret key info is missing and it fails validation.
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
This probably means usrname encrypted using their own public key instead of yours.
Quote:
If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?
You should never need anybody else's private key, and nobody should ever need yours. Note that a sub key is another key pair, it has both a public and a private key.
This issue does indeed have to do with gpg-agent and is addressed at the beginning of its man page.
Code:
You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:
GPG_TTY=$(tty)
export GPG_TTY
It is important that this environment variable always reflects the output of the tty command. For W32 systems this option is not required.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.