
gpg not able to find my secret key
Hi!

I reinstalled my workstation and moved ~/.gnupg directory from old
machine to new one. Gpg version in both workstations is 2.1.18. The
problem is, that in the new workstation, when I try to decrypt a file,
it doesn't find the secret key:

$ gpg -o .file -d .file.gpg
gpg: encrypted with RSA key, ID 7BA1DFF9E00DF644
gpg: decryption failed: No secret key
$

When I list the secret keys (gpg --list-secret-keys), then the output
is empty. When I start the "gpg --list-secret-keys" with "strace -e
open", then ~/.gnupg/secring.gpg file is not searched. gpg-agent is
not running. When I start the gpg-agent, then it doesn't change
anything, i.e. the "gpg --list-secret-keys" is empty.
Directory and file permissions for ~/.gnupg are the same as in old
installation. I also started both gpg and gpg-agent with
"--debug-level guru" option, but it provided no useful information.
For example:

$ gpg --debug-level guru --list-secret-keys
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache
memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search_reset
gpg: DBG: keydb_search: reset (hd=0x000055e6f13ce8b0)
gpg: DBG: [not enabled in the source] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search 0: FIRST
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: [not enabled in the source] keydb_search leave (not found)
gpg: DBG: [not enabled in the source] stop
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: secmem usage: 0/65536 bytes in 0 blocks
$

What might cause this?


thanks,
Martin

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
gpg not able to find my secret key
Hi,

On 08/23/2018 10:54 AM, Martin T wrote:
> When I start the "gpg --list-secret-keys" with "strace -e open",
> then ~/.gnupg/secring.gpg file is not searched.

GnuPG >= 2.1 does not use ~/.gnupg/secring.gpg anymore. Secret keys are
now stored in the ~/.gnupg/private-keys-v1.d folder (one file per key).

When you say you "moved ~/.gnupg directory from old machine to new one",
did you make sure to include the private-keys-v1.d folder?

Related question: Do you have a file named "gpg-v21-migrated" in your
.gnupg directory?

Waiting for your answers, I suspect the following happened:

* You were using GnuPG < 2.1 before (1.4 or 2.0), with your private keys
in the secring.gpg file.

* At some point you upgraded to GnuPG 2.1; GnuPG automatically migrated
your keys from the secring.gpg file to the private-keys-v1.d folder
(leaving the gpg-v21-migrated file as a marker that the migration occurred).

* When you moved your .gnupg folder, the private-keys-v1.d folder was
somehow left behind (maybe because you didn't know about it). So
gpg-agent cannot find your private keys.

* Even though you still have a copy of your private keys in the
secring.gpg file, GnuPG will not even look at this file, since the
gpg-v21-migrated file tells it that the private keys were already migrated.

If that's what happened, then simply removing the gpg-v21-migrated file
should be enough to trigger a new migration and allow you to get your
private keys where the agent expects to find them.

I am, however, a little bit concerned by the following:

> When I list the secret keys(gpg --list-secret-keys), then the output
> is empty. gpg-agent is not running.

gpg-agent should be started automatically by gpg as soon as it is needed
(such as when you ask for a listing of the secret keys). The fact that
the agent is *not* running could indicate a problem in your GnuPG
installation, independently of the presence or absence of the
private-keys-v1.d folder.


Damien
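The reasoning above turns into a small state check over the files in ~/.gnupg. This is an added example, not code from the thread or from GnuPG; it assumes the three names the replies mention (secring.gpg, private-keys-v1.d and the migration marker, spelled with its leading dot as Werner points out) and nothing else about the installation.

```python
import os

MARKER = ".gpg-v21-migrated"      # written by gpg 2.1 after migrating secring.gpg
OLD_RING = "secring.gpg"          # secret keyring used by GnuPG 1.4 / 2.0
NEW_STORE = "private-keys-v1.d"   # gpg-agent's key store, one <keygrip>.key per key


def diagnose(entries, private_key_files=0):
    """Classify a ~/.gnupg directory from the names it contains.

    entries: names found directly in the directory (as from os.listdir()).
    private_key_files: number of *.key files inside private-keys-v1.d.
    Returns a short label followed by an explanation.
    """
    present = set(entries)
    has_marker = MARKER in present
    has_old = OLD_RING in present
    has_new = NEW_STORE in present and private_key_files > 0

    if has_new:
        return "ok: %s holds %d key(s); the agent can use them" % (NEW_STORE, private_key_files)
    if has_marker and has_old:
        # The marker tells gpg the migration already happened, so secring.gpg
        # is never read again even though the keys are still in it.
        return "stale marker: remove %s so gpg re-migrates %s" % (MARKER, OLD_RING)
    if has_old:
        return "unmigrated: %s present, gpg 2.1 migrates it on first use" % OLD_RING
    return "no secret keys: neither %s nor a populated %s" % (OLD_RING, NEW_STORE)


def diagnose_dir(path=os.path.expanduser("~/.gnupg")):
    """Scan a real directory and hand its contents to diagnose()."""
    store = os.path.join(path, NEW_STORE)
    count = 0
    if os.path.isdir(store):
        count = sum(1 for f in os.listdir(store) if f.endswith(".key"))
    return diagnose(os.listdir(path), count)


if __name__ == "__main__":
    print(diagnose_dir())
```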
Re: gpg not able to find my secret key
On Thu, 23 Aug 2018 17:50, gnupg-users@gnupg.org said:

> Related question: Do you have a file named "gpg-v21-migrated" in your
> .gnupg directory?

The file name is actually ".gpg-v21-migrated" (note the leading dot) and
thus only listed by ls with the option -a.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: gpg not able to find my secret key
Hi!

Thanks for replies! The problem was indeed the existing
~/.gnupg/.gpg-v21-migrated file. Once I removed it, I did see the keys
in the output of "gpg --list-keys" and "gpg --list-secret-keys".

One more small question: in the output of "gpg --list-keys" or "gpg
--list-secret-keys" I see two keys, but in the output of
"gpg-connect-agent 'keyinfo --list' /bye" or "ls
~/.gnupg/private-keys-v1.d/" I see four keys with different hashes.
Why is that so?


Martin

Re: gpg not able to find my secret key
On 08/24/2018 07:47 AM, Martin T wrote:
> One more small question- in the output of "gpg --list-keys" or "gpg
> --list-secret-keys" I see two keys, but in the output of
> "gpg-connect-agent 'keyinfo --list' /bye" or "ls
> ~/.gnupg/private-keys-v1.d/" I see four keys with different hashes.
> Why is that so?

When you say that you have two keys, do you mean two *primary* keys? If
so, each primary key probably has an encryption *subkey* (automatically
generated by GnuPG, that has been the default behavior of GnuPG for a
very long time), so you end up with four private keys.

As for the fact that you see "different hashes", that's because `gpg
--list-keys` prints out the *fingerprints*, whereas gpg-agent's keyinfo
command prints out the *keygrips*.

A fingerprint and a keygrip are both hashes of a public key, but they
are computed differently and don't serve the same purpose. Fingerprints
are specified by the OpenPGP format and uniquely identify an OpenPGP
key. Keygrips are used internally by gpg-agent to uniquely identify a
key independently of any protocol.


Damien
Re: gpg not able to find my secret key
On Fri, Aug 24, 2018 at 2:38 PM Damien Goutte-Gattat
<dgouttegattat@incenp.org> wrote:
>
> On 08/24/2018 07:47 AM, Martin T wrote:
> > One more small question- in the output of "gpg --list-keys" or "gpg
> > --list-secret-keys" I see two keys, but in the output of
> > "gpg-connect-agent 'keyinfo --list' /bye" or "ls
> > ~/.gnupg/private-keys-v1.d/" I see four keys with different hashes.
> > Why is that so?
>
> When you say that you have two keys, do you mean two *primary* keys? If
> so, each primary key probably has an encryption *subkey* (automatically
> generated by GnuPG, that has been the default behavior of GnuPG for a
> very long time), so you end up with four private keys.
>
> As for the fact that you see "different hashes", that's because `gpg
> --list-keys` prints out the *fingerprints*, whereas gpg-agent's keyinfo
> command prints out the *keygrips*.
>
> A fingerprint and a keygrip are both hashes of a public key, but they
> are computed differently and don't serve the same purpose. Fingerprints
> are specified by the OpenPGP format and uniquely identify an OpenPGP
> key. Keygrips are used internally by gpg-agent to uniquely identify a
> key independently of any protocol.
>
>
> Damien
>

Damien,

thanks! I indeed have two primary key-pairs and each primary key-pair
has a subkey pair. When I execute "gpg --list-keys --with-keygrip",
then I see the same four public key hashes as with "keyinfo --list" in
gpg-connect-agent utility.


Martin
