gpg decryption fails with no secret key error

unix gnupg encryption public-key-encryption

I have a gpg .key file that is used as passphrase for decrypting a .dat.pgp file. The encrypted .data.pgp file gets successfully decrypted on one server with same .key file using following command

cat xxx_gpg.key | /usr/bin/gpg --batch --quiet -o xxx.dat --passphrase-fd O -d xxx.dat.pgp

But, when I move same key to another server xxx_gpg.key and run same above command, I get following error - 

gpg: decryption failed: No secret key

EDIT:

I find that gpg --list-secret-keys returns some data on server where it works but no results are returned for other server.

How can we configure secret key


Solution 1:

I just ran into this issue, on the gpg CLI in Arch Linux. I needed to kill the existing "gpg-agent" process, then everything was back to normal ( a new gpg-agent should auto-launch when you invoke the gpg command, again; ...).

  • edit: if the process fails to reload (e.g. within a minute), execute gpg-agent in a terminal and/or reboot ...

Solution 2:

Looks like the secret key isn't on the other machine, so even with the right passphrase (read from a file) it wouldn't work.

These options should work, to

  • Either copy the keyrings (maybe only secret keyring required, but public ring is public anyway) over to the other machine
  • Or export the secret key & then import it on the other machine

A few useful looking options from man gpg:

--export
Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to STDOUT or to the file given with option --output. Use together with --armor to mail those keys.

--export-secret-keys
Same as --export, but exports the secret keys instead.

--import
--fast-import
Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym.

And maybe

--keyring file
Add file to the current list of keyrings. If file begins with a tilde and a slash, these are replaced by the $HOME directory. If the file‐ name does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used).

Note that this adds a keyring to the current list. If the intent is to use the specified keyring alone, use --keyring along with --no-default-keyring.

--secret-keyring file
Same as --keyring but for the secret keyrings.

Solution 3:

I was trying to use aws-vault which uses pass and gnugp2 (gpg2). I'm on Ubuntu 20.04 running in WSL2.

I tried all the solutions above, and eventually, I had to do one more thing -

$ rm ~/.gnupg/S.*                    # remove cache
$ gpg-connect-agent reloadagent /bye # restart gpg agent
$ export GPG_TTY=$(tty)              # prompt for password
# ^ This last line should be added to your ~/.bashrc file

The source of this solution is from some blog-post in Japanese, luckily there's Google Translate :)

Related

What conditions should cluster deploy mode be used instead of client?
Should I inline all CSS files programmatically to optimize page load speed?
Is there a CMake '--install' switch?
Programmatically Restart a React Native App
How to avoid race conditions when fetching data with Redux?
Xcode 8 cannot run on device, provisioning profile problems mentioning Apple Watch
What do the curly braces do in switch statement after case in es6?
How does this float square root approximation work?
How can I run both Docker and Android Studio Emulator on Windows?
Cant export service from module 'it was neither declared nor imported' [duplicate]
What is an easy way to do a sorted diff between two files?
What does this mean ? public Name {get; set;} [duplicate]