1. 技术文章
  2. GPG - decrypt with multiple recipients

GPG - decrypt with multiple recipients

送分小仙女□ 提交于 2019-12-04 02:11:32

问题


I am trying to decrypt a file that has been encrypted using 2 recipients (--recipient recipientA@example.com --recipient recipientB@example.com). However when I try to decrypt the file, it always requests the passphrase of the 1st recipient. When the 1st recipient secret-key isn't part of the key-ring, it will give an error 'secret key not found'.

How can I encrypt a file with multiple recipients so that both can decrypt them without knowing eachother keys & passphrases?

(To me, the question seems simple and a basic feature - but obviously I cannot get it to work)

Thank you in advance!


回答1:


I ran into this problem today, and found your question looking for the answer. I've seen many merry an example of how to encrypt things for multiple recipients... never saying/showing what will happen when one tries to decrypt that data. Here's what I got:

user@system ~ $ gpg --decrypt filename.pgp

You need a passphrase to unlock the secret key for
user: "SOMEBODY ELSE <somebody_else@example.com>"
2048-bit ELG-E key, ID ABC1234, created 1972-10-29 (main key ID ABC5678)

gpg: Invalid passphrase; please try again ... [I DON'T HAVE *THEIR* PASSPHRASE!]

2 more times... finally...

You need a passphrase to unlock the secret key for
user: "HEY!  This is ME! <my_email@example.com>"
2048-bit ELG-E key, ID DEF1234, created 1969-02-03 (main key ID DEF5678)

gpg: encrypted with 2048-bit ELG-E key, ID ABC1234, created 1972-10-29
      "NAME <email@example.com>"
gpg: public key decryption failed: bad passphrase
gpg: encrypted with 2048-bit ELG-E key, ID DEF1234, created 1969-02-03
      "HEY!  This is ME! <my_email@example.com>"

and then the file decrypted fine...

Quick Note: Just to clarify, for security reasons one's passphrase and one's private key should NEVER be given to anyone else. The passphrase is to keep the private key "safe" should it become compromised. One's public key is the only thing that should be shared with others.

I preface this with the fact I currently only have access to version 1.4.2.2, and don't have the ability to test these solutions. Later version have certain options that may well be what's needed. Please try and answer back if any of these work.

--local-user/-u looked promising. In the version I have, --help showed use this user-id to sign or decrypt But when trying it seemed futile, further research revealed a cruel truth: seems the help is wrong, and this is ONLY an option using for "signing".

This post has a likely solution, though I personally find it messy:

gpg --try-all-secrets --passphrase <passphrase here> filename.pgp

--passphrase was apparently added in version 1.4.3. UGH!

EDIT: Perhaps a better (possibly, below) solution is only available in gpg2? gpg2 seems to have --try-secret-key, which if I read correctly, may be what we're both looking for?




回答2:


I have also faced this problem today and I have solved it by running gpg in batch mode:

/usr/bin/gpg --batch --passphrase "your_passphrase" --verbose --decrypt



来源:https://stackoverflow.com/questions/19562185/gpg-decrypt-with-multiple-recipients

标签
encryption
gnupg
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!