LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-19-2018, 03:03 PM   #1
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Rep: Reputation: 1
Question Decrypting file attempts to use sub-key and then gives 'No secret key' error.


Using:
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3

I am trying to decrypt a file from a remote site. I exported our key to a file.
gpg <filename> returns: (Key IDs changed)

pub 2048R/656CC421 2018-04-19
sub 2048R/99F89J32 2018-04-19


I sent it to the sender and asked them to import, sign and trust it.

They sent me two different key files. Using gpg <filename> returns:

1. pub 2048R/62568LK1 2015-09-03

2. pub 2048R/J561VE25 2015-09-23

If I do an edit-key, I get the following:

My key:

Secret key is available.

pub 2048R/656CC421 created: 2018-04-19 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/99F89J32 created: 2018-04-19 expires: never usage: E
[ultimate] (1).


Their keys:

1. pub 2048R/62568LK1 created: 2015-09-23 expires: never usage: SCE
trust: full validity: full
[ full ] (1).

2. pub 2048R/99F89J32 created: 2015-09-03 expires: never usage: SC
trust: full validity: full
[ full ] (1).


I am running the decrypt command in a bash script with the following parameters.

echo $passphrase | /usr/bin/gpg --verbose --passphrase-fd 0 --no-tty --output $output_file --recipient myuser --decrypt $input_file

Following is the output of the command:

Version: GnuPG v1.2.4 (MingW32)
gpg: armor header:
gpg: public key is 99F89J32
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key


My conclusion from all of this is that the sender needs to send me their public key in the same format that I sent to them. Such as:

pub 2048R/J561VE25 2015-09-23
sub 2048R/SOM3NUMB 2015-09-23

My thought it that the key files they sent me don't have the corresponding pub/sub and therefore gpg can't validate because I only have one part of their keypair's information.

Can anyone tell me if I'm wrong in this or if my thoughts are correct?

Thanks,
Noob
 
Old 07-20-2018, 08:33 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,515
Blog Entries: 15

Rep: Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470Reputation: 1470
The other side encrypts with YOUR public key. You decrypt with YOUR private/secret key.

The output shows they did encrypt with the key and subkey you sent. It is saying YOU don't have YOUR secret key.

Run "gpg -k" to see the public keys you have imported.

Run "gpg -K" to see the private keys you have imported.

If you don't see a private key you need to import it to your secret key ring. Your private key should have been created at the same time as you created your public key.

You would only need their public key to encrypt file for them. Note THEY can encrypt and sign with their public key at the same time as they encrypt with YOUR public key but that is only so they can also decrypt with their private key. They can't decrypt otherwise as they don't have (hopefully) YOUR private key. That is to say there is no requirement that they encrypt with their key at the same time as they encrypt with your key.

Similarly if you were sending files to them you would encrypt with THEIR public key and would not have THEIR private key. If you wanted to be able to decrypt a file you were sending to them you'd encrypt with both THEIR key and YOUR key.
 
Old 07-25-2018, 10:19 AM   #3
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1
Post

Thanks for the feedback, but I do have my private key. It was created/imported when the key pair was created. See below:

Code:
>gpg -K
/home/myuser/.gnupg/secring.gpg
---------------------------------
sec   2048R/656CC421 2018-04-19
uid                  myuser (Encryption Key Testing) <myuser@thisdomain.com>
ssb   2048R/99F89J32 2018-04-19
 
Old 07-25-2018, 10:31 AM   #4
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1
I believe the problem isn't with the decryption, but with the validation of their key.

If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?

The key I exported and sent to them clearly has both pieces, so when I encrypt to them, because they signed my key, the keys can be validated.

The key I got from them doesn't contain both the pub and sub pieces. So when gpg tries to validate it reads the encrypted file, finds their key pair info, but only finds the public part of the info in my key ring. So their private/secret key info is missing and it fails validation.

At least that's how I understand the process.

Thoughts?
 
Old 07-25-2018, 07:04 PM   #5
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,387

Rep: Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553Reputation: 1553
Quote:
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
This probably means usrname encrypted using their own public key instead of yours.

Quote:
If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?
You should never need anybody else's private key, and nobody should ever need yours. Note that a sub key is another key pair, it has both a public and a private key.
 
1 members found this post helpful.
Old 08-08-2018, 04:16 PM   #6
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1
Thumbs up Solution

So, I thought I'd follow up with what we eventually got to as the solution to the problem.

There were two things that were wrong in our configuration.
1. We needed to set pinentry-program /usr/bin/pinentry-curses in the gpg-agent.conf.

2. The script writer of the decrypt script needed to add --batch to his command line.
Once we did that, gpg was able to find the secret key and decrypt.

Thanks to those who replied. Your time and effort are appreciated.
 
1 members found this post helpful.
  


Reply

Tags
decryption, gpg


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] LUKS - Is that key-slot a pass phrase or a key file? taylorkh Linux - Security 3 02-07-2017 08:47 AM
[SOLVED] gpg - Can't check signature: public key not found when decrypting file ilesterg Linux - Security 3 02-12-2014 10:52 AM
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 09:33 AM
GPG Data, Secret Key but no Public Key? Aeiri Linux - Software 5 07-20-2004 07:00 PM
No secret key found - KGPG? gitarted Linux - Newbie 1 09-09-2003 01:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration