What are the correct permissions for the .gnupg enclosing folder? gpg: WARNING: unsafe enclosing directory permissions on configuration file
Solution 1:
Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg
Because an attacker with enough rights on the folder could manipulate folder contents.
Execute the following commands:
Make sure, the folder+contents belong to you:
chown -R $(whoami) ~/.gnupg/
Correct access rights for
.gnupg
and subfolders:find ~/.gnupg -type f -exec chmod 600 {} \;
find ~/.gnupg -type d -exec chmod 700 {} \;
Explanation for 600
, 700
:
Lets start from the back: '00' mean NO rights AT ALL for everybody who is not the owner of the files/directories.
That means, that the process reading these (gnupg) must run as the owner of these files/directories.
~/.gnupg/
is a folder, the process reading the contents must be able to "enter" (=execute) this folder. This is the "x" Bit. It has the value "1". 7 - 6 = 1
Both ~/.gnupg/
and ~/.gnupg/*
you want to be able to read and write, thats 4 + 2 = 6
.
==> Only the owner of the files can read/write them now (=600). Only he can enter into the directory as well (=700)
==> These file rights don't "need" to be documented, they are derivable from the intended usage.
More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions
Solution 2:
GnuPG by default enforces secure access privileges, which means nobody else (but you) can access your GnuPG home directory ~/.gnupg
. These access privileges often are not strict enough after copying the GnuPG home directory from another machine, and very often wrong ownership is the reason of such a message.
# Set ownership to your own user and primary group
chown -R "$USER:$(id -gn)" ~/.gnupg
# Set permissions to read, write, execute for only yourself, no others
chmod 700 ~/.gnupg
# Set permissions to read, write for only yourself, no others
chmod 600 ~/.gnupg/*
If you have (for any reason) created your own folders inside ~/.gnupg
, you must also additionally apply execute permissions to that folder. Folders require execution privileges to be opened.
Solution 3:
Although Jens Erat already mentioned it in his last sentence, I think it should be stressed that any folders inside ~/.gnupg must be executable (mode 700) as well. This holds especially for the private-keys* folder that is created by gpg itself. I was stuck with permission problems for a while before I noticed this.
Solution 4:
These two lines will set the permissions separately and correctly for directories and files:
find ~/.gnupg -type d -exec chmod 700 {} \;
find ~/.gnupg -type f -exec chmod 600 {} \;
assuming ownership is already set correctly.
Note it does not change permissions on the sockets S.gpg-agent*
. (Only the new gpg v2 involves sockets, the old gpg v1 doesn't).