Re: "gpg: decryption failed: No secret key" after export-import to another host
Thank you anon85786376!!

--
sergio.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: "gpg: decryption failed: No secret key" after export-import to another host
‐‐‐ Original Message ‐‐‐
On Sunday, June 6, 2021 2:24 PM, sergio via Gnupg-users wrote:

> I found the sequence to reproduce my problem:
>
> $ rm -rf .gnupg
> $ gpg --gen-key --batch < %echo Generating a 25519 key
> Key-Type: eddsa
> Key-Curve: Ed25519
> Key-Usage: cert
> Subkey-Type: ecdh
> Subkey-Curve: Ed25519

The problem is the subkey curve being ed25519. It will not import correctly. For an encryption subkey you must use "Subkey-Curve: cv25519".

See: https://dev.gnupg.org/T5401
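Added example (not part of the list messages and not GnuPG project code): a small pre-flight check for a batch parameter file that flags the combination diagnosed in the reply above, an ecdh key or subkey declared on the Ed25519 signing curve. The function names lint_keyparams and write_params are hypothetical, and the sample file contains only the parameters quoted in the message.

```shell
# Added example: lint a GnuPG unattended key-generation parameter file for an
# ECDH key that was given the signing curve, as diagnosed in the reply above.

# lint_keyparams FILE: prints one finding per line, returns 1 if any was found.
lint_keyparams() {
    awk '
        function check() {
            if (p["subkey-type"] == "ecdh" && p["subkey-curve"] == "ed25519") {
                print "Subkey-Curve: ed25519 is the signing curve; use cv25519 with ecdh"
                bad = 1
            }
            if (p["key-type"] == "ecdh" && p["key-curve"] == "ed25519") {
                print "Key-Curve: ed25519 is the signing curve; use cv25519 with ecdh"
                bad = 1
            }
            split("", p)                       # reset for the next key block
        }
        /^[ \t]*%commit/ { check(); next }     # %commit closes one key block
        /^[ \t]*%/       { next }              # other control lines
        {
            n = index($0, ":")
            if (n == 0) next
            name  = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", name)
            value = tolower(substr($0, n + 1));    gsub(/[ \t]/, "", value)
            if (name == "key-type" && ("key-type" in p)) check()
            p[name] = value
        }
        END { check(); exit bad + 0 }
    ' "$1"
}

# write_params FILE CURVE: the parameters quoted above with the subkey curve
# as a variable (the rest of the original file is not shown on the page).
write_params() {
    cat > "$1" <<EOF
%echo Generating a 25519 key
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: cert
Subkey-Type: ecdh
Subkey-Curve: $2
EOF
}

f=$(mktemp)
write_params "$f" Ed25519; lint_keyparams "$f" || true    # reports the subkey
write_params "$f" cv25519; lint_keyparams "$f" && echo "parameter file OK"
rm -f "$f"
```

Running the check before `gpg --gen-key --batch` catches the problem at generation time, before the key is exported and the original keyring is removed.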
Re: "gpg: decryption failed: No secret key" after export-import to another host
I found the sequence to reproduce my problem:

$ rm -rf .gnupg
$ gpg --gen-key --batch <
gpg: revocation certificate stored as '/home/test/.gnupg/openpgp-revocs.d/268017E33AFCBAD119C2FB626C6DB60F0545821C.rev'
gpg: done
$ gpg -K
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/test/.gnupg/pubring.kbx
-
sec ed25519 2021-06-06 [C]
 268017E33AFCBAD119C2FB626C6DB60F0545821C
uid [ultimate] test
ssb ed25519 2021-06-06 [E]

$ echo test | gpg --encrypt --recipient t...@test.com | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID 683197C0DF776EC0, created 2021-06-06
 "test "
test
$ gpg --export-secret-keys -a > keys.asc
$ rm -rf .gnupg
$ gpg --import --trust-model always keys.asc
gpg: directory '/home/test/.gnupg' created
gpg: keybox '/home/test/.gnupg/pubring.kbx' created
gpg: key 6C6DB60F0545821C: public key "test " imported
gpg: key 6C6DB60F0545821C: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg -K
gpg: /home/test/.gnupg/trustdb.gpg: trustdb created
/home/test/.gnupg/pubring.kbx
-
sec ed25519 2021-06-06 [C]
 268017E33AFCBAD119C2FB626C6DB60F0545821C
uid [ unknown] test
ssb# ed25519 2021-06-06 [E]

$ echo test | gpg --encrypt --recipient t...@test.com | gpg --decrypt
gpg: 683197C0DF776EC0: There is no assurance this key belongs to the named user

sub ed25519/683197C0DF776EC0 2021-06-06 test
 Primary key fingerprint: 2680 17E3 3AFC BAD1 19C2 FB62 6C6D B60F 0545 821C
 Subkey fingerprint: C0E4 F2BE 8532 1C1A 3777 8963 6831 97C0 DF77 6EC0

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
gpg: encrypted with 256-bit ECDH key, ID 683197C0DF776EC0, created 2021-06-06
 "test "
gpg: decryption failed: No secret key
$

Is this a gnupg bug or I'm doing something wrong?

--
sergio.
Re: "gpg: decryption failed: No secret key" after export-import to another host
I tried the same sequence on the same host A but for new test user with clean ~/.gnupg without success.

Could you help me to debug this, please.

--
sergio.
Re: "gpg: decryption failed: No secret key" after export-import to another host
> --export-secret-keys

Sorry, this is a typo, of course. And to be absolutely sure, I re-checked:

B $ gpg --import secret.key
gpg: key : public key "name (comment) " imported
gpg: key : secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
gpg: secret keys unchanged: 1

--
sergio.
Re: "gpg: decryption failed: No secret key" after export-import to another host
Hi,

have a look at the manpage at --export-secret-keys:
"Same as --export, but exports the secret keys instead. ..."

regards,
Erich

On Thu, 20 May 2021, sergio via Gnupg-users wrote:

I have generated a key on host A and it works fine:

A $ echo test | gpg --encrypt --recipient | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created
 "Name (comment) "
test

I copied it to host B:

A $ gpg --armor --export > private.key
A $ scp private.key B:
B $ gpg --import private.key

But it doesn't work on B:

B % echo test | gpg --encrypt --recipient | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created
 "name (comment) "
gpg: decryption failed: No secret key

gpg version is the same on both hosts: 2.2.27-2 from debian sid

$ gpg --list-secret-keys --with-subkey-fingerprint
show the same key on both hosts

--
sergio.
"gpg: decryption failed: No secret key" after export-import to another host
I have generated a key on host A and it works fine:

A $ echo test | gpg --encrypt --recipient | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created
 "Name (comment) "
test

I copied it to host B:

A $ gpg --armor --export > private.key
A $ scp private.key B:
B $ gpg --import private.key

But it doesn't work on B:

B % echo test | gpg --encrypt --recipient | gpg --decrypt
gpg: encrypted with 256-bit ECDH key, ID , created
 "name (comment) "
gpg: decryption failed: No secret key

gpg version is the same on both hosts: 2.2.27-2 from debian sid

$ gpg --list-secret-keys --with-subkey-fingerprint
show the same key on both hosts

--
sergio.
Re: gpg: decryption failed: No secret key
Hi.

On Wednesday, 08.08.2018, at 00:03 -0400, Yu wrote:
> WOW! That works.
>
> To document this, if anyone ever run into this situation:
>
> > sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: never
>
> This is the key I need to delete from the card/yubikey.
>
> 1. gpg --delete-key 0xC9E7221DAFCE6539
>
> 2. gpg --card-status should return NONE and gpg --list-keys would return
> gpg: no ultimately trusted keys found
>
> 3. pull out the card
>
> 4. run gpg --import PUBLIC_KEY_FILE
>
> 5. insert the card
>
> 6. gpg --card-status
>
> 7. now try to encrypt and decrypt (you will be prompted to enter your PIN
> to unlock your card).
>
> Thank you Dirk!

You're welcome. This is, AFAIK, also somewhere deep inside the docs.

Just to make things clear. The user information, UID and so on, is in the public part of the key, AFAIK. This means, to map the secret key to its other data, you must have the public key in your keyring. The --card-status reads the information on the card and maps the key to the public part using the Fingerprint, I think.

In my case, when I use one of my cards, where the fetch URL is not set, I download the keys from the keyserver with "--recv-keys" and then I read the card with "--card-status".

But in general, I prefer the way using the fetch URL. It's faster to make "--card-edit" and just use fetch. This combines both functions.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: gpg: decryption failed: No secret key
WOW! That works.

To document this, if anyone ever run into this situation:

> sec# rsa4096/0xC9E7221DAFCE6539 created: 2018-08-07 expires: never

This is the key I need to delete from the card/yubikey.

1. gpg --delete-key 0xC9E7221DAFCE6539

2. gpg --card-status should return NONE and gpg --list-keys would return
gpg: no ultimately trusted keys found

3. pull out the card

4. run gpg --import PUBLIC_KEY_FILE

5. insert the card

6. gpg --card-status

7. now try to encrypt and decrypt (you will be prompted to enter your PIN to unlock your card).

Thank you Dirk!

On Tue, Aug 7, 2018 at 7:59 PM Dirk Gottschalk <dirk.gottschalk1...@googlemail.com> wrote:

> Hi.
>
> On Tuesday, 07.08.2018, at 19:38 -0400, Yu wrote:
> > Hi Dirk
> >
> > Thank you very much. I just want to make sure I am doing the right thing,
> > so please excuse me if I am asking too much.
> >
> > > You should delete the complete secret key set from your keyring. Then
> > > import the PUBLIC keys for the card keys and then do a gpg --card-status.
> >
> > Do I just call "gpg delete-secret-key ID" for each key ID listed in the
> > --list-secret-keys output?
>
> You have just to delete the keys, which are stored on the card.
> Deleting the master key of them also deletes the sub keys.
>
> > > If you set a fetch URL, you could also make --card-edit and issue a
> > > fetch command.
> >
> > I have not :/
>
> That's no problem at all. Then you have to import the public key of
> the card key BEFORE you insert the card and make --card-status. Only
> then the card is recognised and the stubs are generated automatically.
>
> If the public keys are not in your public keyring, the card keys are
> ignored.
>
> Regards,
> Dirk
>
> --
> Dirk Gottschalk
> Paulusstrasse 6-8
> 52064 Aachen, Germany
>
> GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
> Keybase.io: https://keybase.io/dgottschalk
> GitHub: https://github.com/Dirk1980ac
Re: gpg: decryption failed: No secret key
Hi.

On Tuesday, 07.08.2018, at 19:38 -0400, Yu wrote:
> Hi Dirk
>
> Thank you very much. I just want to make sure I am doing the right thing,
> so please excuse me if I am asking too much.
>
> > You should delete the complete secret key set from your keyring. Then
> > import the PUBLIC keys for the card keys and then do a gpg --card-status.
>
> Do I just call "gpg delete-secret-key ID" for each key ID listed in the
> --list-secret-keys output?

You have just to delete the keys, which are stored on the card. Deleting the master key of them also deletes the sub keys.

> > If you set a fetch URL, you could also make --card-edit and issue a
> > fetch command.
>
> I have not :/

That's no problem at all. Then you have to import the public key of the card key BEFORE you insert the card and make --card-status. Only then the card is recognised and the stubs are generated automatically.

If the public keys are not in your public keyring, the card keys are ignored.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
Re: gpg: decryption failed: No secret key
Hi Dirk

Thank you very much. I just want to make sure I am doing the right thing, so please excuse me if I am asking too much.

> You should delete the complete secret key set from your keyring. Then
> import the PUBLIC keys for the card keys and then do a gpg --card-status.

Do I just call "gpg delete-secret-key ID" for each key ID listed in the --list-secret-keys output?

> If you set a fetch URL, you could also make --card-edit and issue a
> fetch command.

I have not :/

Thanks,
John
Re: gpg: decryption failed: No secret key
Hello John.

On Tuesday, 07.08.2018, at 16:27 -0400, Yu wrote:
> Hi
>
> I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the
> master key and subkeys. So my authentication key, encryption key, and
> signing key should be totally fine.
>
> John-Wong:tmp jwong$ gpg --list-secret-keys
> /Users/jwong/.gnupg/pubring.kbx
> ---
> sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
> Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539
> uid [ultimate] John Wong
> ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
> ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
> ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]

The # indicates, that the Keys are not available in the keyring.

> I am confused why I get this message:
>
> gpg: decryption failed: No secret key
> I tried gpg --import but still doesn't help.
>
> John-Wong:~ jwong$ gpg --import mastersub.key
> gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
> gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
> gpg: key 0xC9E7221DAFCE6539: secret key imported
> gpg: Total number processed: 1
> gpg: unchanged: 1
> gpg: secret keys read:
>
> Does anyone have any ideas for why this is happening? Thank you very much.
> This has been bothering me for few days now.

You should delete the complete secret key set from your keyring. Then import the PUBLIC keys for the card keys and then do a gpg --card-status.

Importing stubs is completely senseless, in my eyes.

If you set a fetch URL, you could also make --card-edit and issue a fetch command.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
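Added example (not part of the list messages and not GnuPG project code): a triage helper that reads the text of `gpg --list-secret-keys` and reports where each secret key lives, using the markers discussed in the reply above ("#" for a key whose secret part is not available, ">" for a key held on a smartcard). The function names classify_keys and can_decrypt are hypothetical; the first two listings are taken from messages on this page with column spacing reconstructed, the third is constructed. For unattended scripts the `--with-colons` output is the stable format; this example parses the human-readable form because that is what the messages show.

```shell
# Added example: classify the keys in `gpg --list-secret-keys` text output.

# classify_keys: stdin = listing, stdout = "<sec|ssb> <algo> <usage> <state>"
classify_keys() {
    awk '
        /^(sec|ssb)[#>]?[ \t]/ {
            mark  = substr($1, 4)
            state = "local"                      # secret key is in the keyring
            if (mark == "#") state = "missing"   # stub only, no secret material
            if (mark == ">") state = "card"      # secret key is on a smartcard
            algo = $2; sub(/\/.*/, "", algo)     # drop "/0xKEYID" if present
            usage = "?"
            for (i = 3; i <= NF; i++)
                if ($i ~ /^\[[SCEA]+\]$/) usage = substr($i, 2, length($i) - 2)
            print substr($1, 1, 3), algo, usage, state
        }'
}

# can_decrypt: succeeds only if some encryption-capable key is usable.
can_decrypt() {
    classify_keys | awk '$3 ~ /E/ && $4 != "missing" { ok = 1 } END { exit !ok }'
}

# Listing from the 2018 message on this page.
yubikey_listing='sec#  rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
ssb#  rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
ssb#  rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
ssb>  rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]'

# Listing from the 2021 message, after the import on the new keyring.
imported_listing='sec   ed25519 2021-06-06 [C]
ssb#  ed25519 2021-06-06 [E]'

# Constructed: the same layout with the secret encryption subkey present.
working_listing='sec   ed25519 2021-06-06 [C]
ssb   cv25519 2021-06-06 [E]'

printf '%s\n' "$yubikey_listing" | classify_keys
printf '%s\n' "$yubikey_listing" | can_decrypt ||
    echo "no usable encryption key: decryption will report No secret key"
```

In both listings from the page the only encryption-capable subkey is marked "#", which is consistent with the "decryption failed: No secret key" message each poster saw.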
gpg: decryption failed: No secret key
Hi

I setup my gpg and keyed to Yubikey. My SSH works flawlessly. I have the master key and subkeys. So my authentication key, encryption key, and signing key should be totally fine.

John-Wong:tmp jwong$ gpg --list-secret-keys
/Users/jwong/.gnupg/pubring.kbx
---
sec# rsa4096/0xC9E7221DAFCE6539 2018-08-07 [SC]
 Key fingerprint = 463F FBF9 0399 725F 240E 7A11 C9E7 221D AFCE 6539
uid [ultimate] John Wong
ssb# rsa4096/0xF7254D474BF6AD14 2018-08-07 [S]
ssb# rsa4096/0xBAB7FE8D803C2351 2018-08-07 [E]
ssb> rsa4096/0x676CA8641A239FE2 2018-08-07 [SA]

I am confused why I get this message:

gpg: decryption failed: No secret key

I tried gpg --import but still doesn't help.

John-Wong:~ jwong$ gpg --import mastersub.key
gpg: key 0xC9E7221DAFCE6539: "John Wong " not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 0xC9E7221DAFCE6539: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read:

Does anyone have any ideas for why this is happening? Thank you very much. This has been bothering me for few days now.

John
gpg: decryption failed: No secret key
I'm trying to decrypt a message using KMail and gpg and it fails. I then tried to manually decrypt the encrypted part and this is what I got:

$ gpg -v -d test
gpg: using character set `US-ASCII'
Warning: using insecure memory!
gpg: armor: BEGIN PGP MESSAGE
Version: GnuPG v2.0.9 (FreeBSD)
:pubkey enc packet: version 3, algo 16, keyid 72F9D3DCCF8503BE
data: [2046 bits]
data: [2048 bits]
gpg: armor header:
gpg: public key is CF8503BE
:encrypted data packet:
length: unknown
gpg: encrypted with ELG key, ID CF8503BE
gpg: decryption failed: No secret key

I'm wondering what the error No secret key means? Am I trying to decrypt the message with the wrong key? Or have I broken my gpg setup?

--
Joe Demeny