Question
I have a gpg .key file that is used as the passphrase for decrypting a .dat.pgp file. The encrypted .dat.pgp file gets successfully decrypted on one server with the same .key file using the following command:
cat xxx_gpg.key | /usr/bin/gpg --batch --quiet -o xxx.dat --passphrase-fd 0 -d xxx.dat.pgp
But when I move the same key xxx_gpg.key to another server and run the same command, I get the following error:
gpg: decryption failed: No secret key
EDIT:
I find that gpg --list-secret-keys returns some data on the server where it works, but no results are returned on the other server.
How can we configure the secret key?
Answer 1:
Looks like the secret key isn't on the other machine, so even with the right passphrase (read from a file) it wouldn't work.
Either of these options should work:
- Either copy the keyrings (maybe only the secret keyring is required, but the public ring is public anyway) over to the other machine
- Or export the secret key and then import it on the other machine
A few useful-looking options from man gpg:
--export
Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to STDOUT or to the file given with option --output. Use together with --armor to mail those keys.

--export-secret-keys
Same as --export, but exports the secret keys instead.

--import
--fast-import
Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym.

And maybe

--keyring file
Add file to the current list of keyrings. If file begins with a tilde and a slash, these are replaced by the $HOME directory. If the filename does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used). Note that this adds a keyring to the current list. If the intent is to use the specified keyring alone, use --keyring along with --no-default-keyring.

--secret-keyring file
Same as --keyring but for the secret keyrings.
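The export/import route from this answer, written out as an added example (not from the question or the answers): export the secret key on the server that works, import it on the other one, check with --with-colons that a 'sec:' record is now present, and only then run the question's decrypt command. The key id, file names and passphrase file are placeholders supplied by the caller; the hex key-id check is this example's own guard, not anything gpg requires.

```shell
#!/bin/sh
# Added example, not from the original post: move a secret key between hosts
# with --export-secret-keys / --import and verify it before decrypting.

# Reject anything that is not a hex key id or fingerprint (8 to 40 hex digits,
# optional 0x prefix) so a stray argument is caught before gpg is invoked.
valid_keyid() {
    printf '%s' "$1" | grep -Eq '^(0x)?[0-9A-Fa-f]{8,40}$'
}

# On the server that works: write the secret key, ASCII-armored, to a file.
# GnuPG 2.1 and later ask for the key's own passphrase via pinentry here.
export_secret_key() {
    keyid="$1"; outfile="$2"
    valid_keyid "$keyid" || { echo "bad key id: $keyid" >&2; return 2; }
    gpg --batch --yes --armor --output "$outfile" --export-secret-keys "$keyid"
}

# On the other server: merge the exported key into the local keyring.
import_secret_key() {
    gpg --batch --import "$1"
}

# True when the secret key is present: --with-colons prints one 'sec:' record
# per secret key, which is easier to test than the human-readable listing.
has_secret_key() {
    gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null | grep -q '^sec:'
}

# The question's command (passphrase read from fd 0, i.e. stdin), preceded by
# an explicit check so "No secret key" is reported before gpg is even run.
decrypt_with_passphrase_file() {
    keyid="$1"; passfile="$2"; infile="$3"; outfile="$4"
    if ! has_secret_key "$keyid"; then
        echo "secret key $keyid is not in this keyring; import it first" >&2
        return 1
    fi
    gpg --batch --quiet --passphrase-fd 0 --output "$outfile" \
        --decrypt "$infile" < "$passfile"
}
```

Typical use is `export_secret_key 0xKEYID_PLACEHOLDER secret.asc` on the first server, copy secret.asc over a trusted channel, then `import_secret_key secret.asc` and `decrypt_with_passphrase_file 0xKEYID_PLACEHOLDER xxx_gpg.key xxx.dat.pgp xxx.dat` on the second; delete the armored file once imported. One caveat: on GnuPG 2.1 and later, --passphrase-fd is only honoured when --pinentry-mode loopback is also given, otherwise the agent's pinentry is used regardless of what is on stdin.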
Answer 2:
I just ran into this issue, on the gpg CLI in Arch Linux. I needed to kill the existing "gpg-agent" process, then everything was back to normal (a new gpg-agent auto-launched, ...).
- edit: if the process fails to reload (e.g. within a minute), type gpg-agent in a terminal and/or reboot ...
Answer 3:
You can also sometimes get this error if you try to decrypt a secret while su-ed to a different user on a system with GPG 2.x installed. This bug has been reported against RHEL 6 but there is no fix available; apparently this is due to some design decisions in GPG 2.x. One workaround suggested in the bug report is to run the decryption inside of a tmux or screen session. More reading here.
Source: https://stackoverflow.com/questions/28321712/gpg-decryption-fails-with-no-secret-key-error