gpg: decryption failed: No secret key

Asked 20/4, 2017 at 8:11 Answered 23/3, 2023 at 1:28

I am not able to decrypt my file without secret key. I know this question is asked on this before, solutions on this question did not help me.

This is my problem's scenario.

This error I receive on command prompt while using --decrypt command.

gpg: decryption failed: No secret key

I have public key and a passphrase with me. I have used following commands to check if there is secret key or not.

gpg --list-secret-keys

gpg --list-keys

Both the above commands returned blank result(no error). so I decided to import public key with --import .

gpg --import "C:\PATH\TO_MY_PUBLIC_KEY"

After --import command I can see public is imported. I could not find the way to deal with secret key. Is there any way I can find secret key or create new secret key.

Irfan answered 20/4, 2017 at 8:11 Comment(1)

Related: security.stackexchange.com/questions/184865/… – Fanfani 30/8, 2020 at 0:18

I also received blank output from the same 2 commands:

gpg --list-secret-keys
gpg --list-keys

I had reason to suspect this was to do with recent changes to the ~/.gnupg/pubring.kbx file, which lead me to run the following 2 commands to re-import missing keys:

Re-import missing secret keys:

gpg --import < ~/.gnupg/secring.gpg

Re-import missing public keys:

gpg --import < ~/.gnupg/pubring.gpg

Documentation for above commands: https://gpgtools.tenderapp.com/kb/faq/missing-keys-after-migrating-to-gnupg-22#missing-secret-key-s-and-or-public-keys
Broken pubring.kbx: https://gpgtools.tenderapp.com/discussions/nightly/1415-gpg-keychain-broken-pubringkbx-file

Harwill answered 18/3, 2019 at 12:3 Comment(3)

After upgrading Ubuntu from 16.04 to 18.04, I was now missing my secret keys. Re-importing using this method worked for me. – Hitch 15/2, 2020 at 21:51

` ~/.gnupg/secring.gpg` is empty – Conglomeration 3/6, 2021 at 22:36

no such thing as secring.gpg or pubring.gpg on mine. is it a version thing? – Negotiate 30/8, 2021 at 3:14

This message can also happen if your pinentry program isn't working properly, and thus gpg can't get the passphrase to unlock the decryption key. This has happened to me a couple of times. If this is the case, gpg -d -v will appear to select the correct key and then just hang for a while before giving up. This is it waiting for the pinentry that never actually returns.

The steps depend on your specific environment, but checking (or creating) the pinentry-program option in ~/.gnupg/gpg-agent.conf is a good place to start. In my case (on OS X with Homebrew-installed gpg and pinentry-mac) I had to create that file with the following contents:

pinentry-program /usr/local/bin/pinentry-mac

And then run gpgconf --kill gpg-agent to reload the configuration (gpg-agent should automatically restart).

You will likely need to adjust the path above for whatever your preferred pinentry program is. locate pinentry may be helpful to find what options you have installed, or which your-pinentry-program-here will tell you the full path if you already know the name.

Diphyodont answered 3/9, 2020 at 19:33 Comment(3)

macOS Big Sur user here, also using Homebrew. I was completely clueless about all the above. I guess I might have upgraded gpg via Homebrew and completely forgot to check if the gpg-agent configuration needed any changes... in any case, I wouldn't have the slightest idea where and what to change. Thank you! – Quiz 2/3, 2021 at 14:4

Thanks for this. In the context I was running GPG (via pass) the "No pinentry" error line was getting swallowed, leaving only the "No secret key" line, which led me to believe that something subtle was wrong with the keys and gpg.conf I had just set up on this new machine. – Dole 25/8, 2022 at 17:47

Right, so because I was running commands over ssh on my laptop I just got the No secret key because pinentry is a desktop popup. Go to my physical laptop and it works fine. Ubuntu 22.04 – Averell 2/11, 2022 at 10:9

Very short version: you can't decrypt without the secret key.

GnuPG asks for the secret key (often used as synonym for private key if you read that somewhere), so the message was encrypted using public/private key cryptography. You cannot decrypt the message using the public key, that's the basic principle behind public/private key cryptography. Secret keys can be protected with a passphrase, that's why you might have a passphrase (although you miss the key).

Ask for the private key if you are required to decrypt the message, or ask the sender to encrypt using symmetric cryptography and share the passphrase with you.

Longfaced answered 20/4, 2017 at 15:13 Comment(0)

I had the same error but with a different solution to it, this was on OSX but I assume it will be similar on others.

The gpg-agent seemed to be the culprit as I realised that I never got the pinentry question for one of my keys. Killing it with gpgconf --kill gpg-agent solved that. And with the first call that needs it the gpg-agent will start automatically. And indeed the pinentry appeared and all was fine again.

Lockwood answered 17/2, 2021 at 0:33 Comment(0)

gpg --pinentry-mode loopback --decrypt <yourfile> This allows pinentry to display its prompt on your screen.

Congruity answered 23/3, 2023 at 1:28 Comment(1)

this should be default behavior. Their custom prompt is just causing trouble all the time. – Altocumulus 6/3 at 8:39

In my case my gpg key had password and when I entered git-crypt unlock in vscode terminal which had a limited width and height it outputs

gpg: decryption failed: No secret key
git-crypt: GPG error: Failed to decrypt

But when I try the same command on a full terminal windows it works like charm and prompts for getting password and so on.

Umiak answered 30/6, 2021 at 13:34 Comment(1)

I had the same problem when running the gpg --decrypt... command from a remote/ssh tmux screen – Killarney 3/12, 2021 at 15:3

you can ignore the error using: export GPG_TTY=$(tty)

Costa answered 26/7, 2020 at 11:12 Comment(0)

In the event you import & then trust (ultimately) and can see the keys using gpg --list-secret-keys but when you go to decrypt it tells you it can't find the secret key, add the --batch to your decrypt command.

Orme answered 12/12, 2019 at 8:41 Comment(0)

In my case, both gpg (1.x) and gpg2 were installed on the system, and gpg 1.x doesn't have support for my ed25519 keys.

You'll know which algorithms are supported by looking at the version, grep for Pubkey

/usr/bin/gpg --version 
/usr/bin/gpg2 --version

If thats the case, try gpg2 --list-secret-keys

If that works, add an alias to .bashrc and symlink into ~/bin (for git)

echo "alias gpg='gpg2'" >> ~/.bashrc
ln -s /usr/bin/gpg2 $HOME/bin/gpg
. ~/.bashrc

Then, gpg --list-secret-keys output wasn't empty anymore.

Maybe it doesn't solve OP's issue, but hope this helps someone.

Chrysarobin answered 19/5, 2020 at 18:21 Comment(0)

I encrypted a file using symmetric encryption with passphrase and no secret key, and got the same error message, but in my case there was something much sillier going one.. the encrypted package was corrupt.. make sure the package was properly formed if you are in the same situation.

Hayner answered 8/6, 2022 at 18:51 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags