LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-19-2018, 02:03 PM   #1
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Rep: Reputation: 1
Decrypting file attempts to use sub-key and then gives 'No secret key' error.


Using:
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3

I am trying to decrypt a file from a remote site. I exported our key to a file.
gpg <filename> returns: (Key IDs changed)

pub 2048R/656CC421 2018-04-19
sub 2048R/99F89J32 2018-04-19


I sent it to the sender and asked them to import, sign and trust it.

They sent me two different key files. Using gpg <filename> returns:

1. pub 2048R/62568LK1 2015-09-03

2. pub 2048R/J561VE25 2015-09-23

If I do an edit-key, I get the following:

My key:

Secret key is available.

pub 2048R/656CC421 created: 2018-04-19 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/99F89J32 created: 2018-04-19 expires: never usage: E
[ultimate] (1).


Their keys:

1. pub 2048R/62568LK1 created: 2015-09-23 expires: never usage: SCE
trust: full validity: full
[ full ] (1).

2. pub 2048R/99F89J32 created: 2015-09-03 expires: never usage: SC
trust: full validity: full
[ full ] (1).


I am running the decrypt command in a bash script with the following parameters.

echo $passphrase | /usr/bin/gpg --verbose --passphrase-fd 0 --no-tty --output $output_file --recipient myuser --decrypt $input_file

Following is the output of the command:

Version: GnuPG v1.2.4 (MingW32)
gpg: armor header:
gpg: public key is 99F89J32
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: using subkey 99F89J32 instead of primary key 656CC421
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key


My conclusion from all of this is that the sender needs to send me their public key in the same format that I sent to them. Such as:

pub 2048R/J561VE25 2015-09-23
sub 2048R/SOM3NUMB 2015-09-23

My thought is that the key files they sent me don't have the corresponding pub/sub and therefore gpg can't validate because I only have one part of their keypair's information.

Can anyone tell me if I'm wrong in this or if my thoughts are correct?

Thanks,
Noob
 
Old 07-20-2018, 07:33 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
The other side encrypts with YOUR public key. You decrypt with YOUR private/secret key.

The output shows they did encrypt with the key and subkey you sent. It is saying YOU don't have YOUR secret key.

Run "gpg -k" to see the public keys you have imported.

Run "gpg -K" to see the private keys you have imported.

If you don't see a private key you need to import it to your secret key ring. Your private key should have been created at the same time as you created your public key.

You would only need their public key to encrypt a file for them. Note THEY can encrypt and sign with their public key at the same time as they encrypt with YOUR public key, but that is only so they can also decrypt with their private key. They can't decrypt otherwise as they don't have (hopefully) YOUR private key. That is to say, there is no requirement that they encrypt with their key at the same time as they encrypt with your key.

Similarly if you were sending files to them you would encrypt with THEIR public key and would not have THEIR private key. If you wanted to be able to decrypt a file you were sending to them you'd encrypt with both THEIR key and YOUR key.
 
Old 07-25-2018, 09:19 AM   #3
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1

Thanks for the feedback, but I do have my private key. It was created/imported when the key pair was created. See below:

Code:
>gpg -K
/home/myuser/.gnupg/secring.gpg
---------------------------------
sec   2048R/656CC421 2018-04-19
uid                  myuser (Encryption Key Testing) <myuser@thisdomain.com>
ssb   2048R/99F89J32 2018-04-19
 
Old 07-25-2018, 09:31 AM   #4
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1
I believe the problem isn't with the decryption, but with the validation of their key.

If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?

The key I exported and sent to them clearly has both pieces, so when I encrypt to them, because they signed my key, the keys can be validated.

The key I got from them doesn't contain both the pub and sub pieces. So when gpg tries to validate it reads the encrypted file, finds their key pair info, but only finds the public part of the info in my key ring. So their private/secret key info is missing and it fails validation.

At least that's how I understand the process.

Thoughts?
 
Old 07-25-2018, 06:04 PM   #5
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
Quote:
gpg: encrypted with 2048-bit RSA key, ID 99F89J32, created 2018-04-19
"usrname (Description) <usrname@domain.com>"
gpg: public key decryption failed: Operation cancelled
gpg: decryption failed: No secret key
This probably means usrname encrypted using their own public key instead of yours.

Quote:
If they sign my public key with their private key and then encrypt a file using my key, do I not need both sides of their key pair, their public key, which I've signed (validated) and the ID of their private key (as part of what they exported)?
You should never need anybody else's private key, and nobody should ever need yours. Note that a subkey is another key pair; it has both a public and a private key.
 
1 member found this post helpful.
Old 08-08-2018, 03:16 PM   #6
Noobux
LQ Newbie
 
Registered: Nov 2010
Location: Florida
Distribution: Ubuntu 17, RHEL 5,7
Posts: 11

Original Poster
Rep: Reputation: 1
Solution

So, I thought I'd follow up with what we eventually got to as the solution to the problem.

There were two things that were wrong in our configuration.
1. We needed to set pinentry-program /usr/bin/pinentry-curses in the gpg-agent.conf.

2. The script writer of the decrypt script needed to add --batch to his command line.
Once we did that, gpg was able to find the secret key and decrypt.

Thanks to those who replied. Your time and effort are appreciated.
 
1 member found this post helpful.
Old 09-24-2019, 09:56 AM   #7
blackjackshellac
LQ Newbie
 
Registered: Aug 2007
Posts: 3

Rep: Reputation: 0
gpg-agent

This issue does indeed have to do with gpg-agent and is addressed at the beginning of its man page.

Code:
      You should always add the following lines to your .bashrc or whatever initialization file is used for all shell invocations:

         GPG_TTY=$(tty)
         export GPG_TTY

       It is important that this environment variable always reflects the output of the tty command.  For W32 systems this option is not required.
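The fix from post #6 (--batch, a usable pinentry) and the GPG_TTY advice from post #7, put together in one script as an added example that is not part of this thread. It builds a throwaway key in a temporary GNUPGHOME, encrypts a file to it, checks which key IDs the file is encrypted to against the secret keys actually present (the check posts #2 and #5 describe: you need YOUR secret key, never the sender's), and then decrypts with the passphrase supplied on a file descriptor. The key name, e-mail address, passphrase and file names are made up for the example. On GnuPG 2.0, as in the thread, --batch alone makes --passphrase-fd take effect; on 2.1 and later every secret-key operation goes through gpg-agent, so the script additionally passes --pinentry-mode loopback, an option the 2.0.22 in the thread does not have.

```shell
#!/bin/sh
# Added example (not from the thread): scripted GnuPG decryption that does
# not end in "cancelled by user" / "decryption failed: No secret key".
# Assumes gpg 2.x on PATH. Everything happens in a temporary GNUPGHOME, so
# the real keyring is never touched. Names, e-mail, passphrase: made up.
set -u

# Exit 0 when gpg is 2.1 or newer: from 2.1 on every secret-key operation
# goes through gpg-agent, so a scripted passphrase needs loopback pinentry.
gpg_is_21_or_newer() {
    ver=$(gpg --version | awk 'NR == 1 { print $NF; exit }')   # e.g. 2.2.27
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Option that lets --passphrase-fd bypass the agent's pinentry on 2.1+.
# (Unknown to the 2.0.22 in the thread, where --batch alone is the fix.)
loopback_opt() {
    gpg_is_21_or_newer && echo "--pinentry-mode loopback"
}

# Key IDs a file is encrypted to, one per line, read from the packet headers.
# --pinentry-mode cancel stops 2.1+ from trying to decrypt while listing.
encrypted_to_keyids() {
    cancel=""
    gpg_is_21_or_newer && cancel="--pinentry-mode cancel"
    gpg --batch --no-tty $cancel --list-packets "$1" 2>/dev/null \
      | awk '/^:pubkey enc packet:/ { for (i = 1; i <= NF; i++) if ($i == "keyid") print $(i + 1) }'
}

# Exit 0 when the secret half of key ID $1 (primary "sec" or subkey "ssb")
# is in the keyring. Decryption needs exactly this, never the sender's key.
have_secret_key() {
    gpg --batch --with-colons -K 2>/dev/null \
      | awk -F: -v id="$1" '($1 == "sec" || $1 == "ssb") && $5 == id { found = 1 } END { exit !found }'
}

# Decrypt $1 into $2 with the passphrase read from fd 3.
# gpg 2.0 honours --passphrase-fd only together with --batch (the bug in
# the thread); without --batch it asks the agent, whose pinentry has no
# terminal inside a script and gives up with "cancelled by user".
decrypt_scripted() {
    gpg --batch --no-tty --yes $(loopback_opt) --passphrase-fd 3 \
        --output "$2" --decrypt "$1"
}

# End-to-end: generate key, encrypt, pre-flight check, decrypt.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1
    GNUPGHOME=$work; export GNUPGHOME
    if GPG_TTY=$(tty 2>/dev/null); then export GPG_TTY; fi   # man gpg-agent advice
    pw='correct horse battery staple'                       # constructed passphrase
    (umask 077; printf '%s\n' "$pw" > "$work/pw")           # 0600 file, never in argv

    cat > "$work/params" <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example Decryptor
Name-Email: decrypt@example.invalid
Expire-Date: 0
Passphrase: $pw
%commit
EOF
    gpg --batch --no-tty $(loopback_opt) --gen-key "$work/params" >/dev/null 2>&1 \
        || { echo "keygen failed"; return 1; }

    printf 'payload from remote site\n' > "$work/plain.txt"
    # gpg picks the encryption subkey (usage E), which is why a decrypt log
    # says "using subkey ... instead of primary key ...". That line is normal.
    gpg --batch --no-tty --recipient decrypt@example.invalid \
        --output "$work/plain.txt.gpg" --encrypt "$work/plain.txt" >/dev/null 2>&1 \
        || { echo "encrypt failed"; return 1; }

    # Pre-flight: every key the file was encrypted to must have its secret
    # half here. If this fails, the sender encrypted to the wrong key.
    for id in $(encrypted_to_keyids "$work/plain.txt.gpg"); do
        have_secret_key "$id" || { echo "no secret key for $id"; return 1; }
    done

    decrypt_scripted "$work/plain.txt.gpg" "$work/plain.out" 3<"$work/pw" 2>/dev/null \
        || { echo "decrypt failed"; return 1; }
    cat "$work/plain.out"

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
}

gpg_roundtrip
```

Run it with sh; it prints the decrypted payload. Reading the passphrase from a mode-0600 file on fd 3 keeps it out of the process list and leaves stdin free for data; the `echo $passphrase |` form from post #1 also works once --batch is present, but then the phrase lives in the script text. On GnuPG 2.1.0 through 2.1.11 the loopback mode additionally needs `allow-loopback-pinentry` in gpg-agent.conf; from 2.1.12 on it is allowed by default.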
Tags
decryption, gpg