
gpg: decryption failed: No secret key

Open ryankemper opened this issue 5 years ago • 12 comments

This might not be an issue with blackbox so much as user error, but I'm not sure where else to post.

I'm running into gpg: decryption failed: No secret key.

I have a new machine with a new gpg key, and from that machine (which has ssh access to my git secrets repo) I did blackbox_add_admin with the corresponding email address.

However, any attempt to run blackbox_cat, blackbox_edit, etc. runs into the above error. I think I need to do blackbox_update_all_files, but doing so gives the same error.

I also tried running blackbox_update_all_files on an old machine which can run all the other blackbox commands fine. Update all files fails with the same error.

Now, my guess is that to reencrypt all files, all of the admin's gpg keys must be on the same machine. Is that the case? If so I understand why I'm hitting this error; otherwise I'm quite confused.

Thanks for any help.

ryankemper avatar May 02 '19 21:05 ryankemper

Generally if you get "gpg: decryption failed: No secret key" then you forgot to re-encrypt the files with the new key.

I've also seen issues if the two machines have different GPG versions. The pubring.gpg file is a binary format that changes in major GPG versions and sometimes this causes a conflict.

> Now, my guess is that to reencrypt all files, all of the admin's gpg keys must be on the same machine. Is that the case? If so I understand why I'm hitting this error; otherwise I'm quite confused.

Yes, absolutely. All the public keys must be on the machine when the files are re-encrypted.

Tom

tlimoncelli avatar May 02 '19 21:05 tlimoncelli

To be clear, by "re-encrypt the files" we mean blackbox_update_all_files, correct?

--

I checked and my gpg versions were different, so I just did a brew upgrade and now they are both gpg (GnuPG) 2.2.15 libgcrypt 1.8.4.

Here's some output that shows that I should have all of the public keys on my laptop. I only have one of the private keys, but I believe that should be enough.

user@Ryans-MacBook-Pro-3 ~/secrets (git)-[master] % blackbox_update_all_files
========== blackbox administrators are:
rkemper@FIRSTREDACTED
ryankemper@SECONDREDACTED

gpg --list-keys

pub   rsa4096 2019-05-01 [SC]
      9381A72F5...
uid   [ unknown] Ryan Kemper <rkemper@FIRSTREDACTED>
sub   rsa4096 2019-05-01 [E]

pub   rsa4096 2018-06-19 [SCEA]
      9A22347B3...
uid   [ unknown] Ryan Kemper <ryankemper@SECONDREDACTED>
sub   rsa4096 2018-06-19 [SEA]

blackbox_update_all_files

========== FILES IN THE WAY: All OK.
========== RE-ENCRYPTING FILES:
========== PROCESSING "2fa_recovery.codes"
gpg: decryption failed: No secret key

ryankemper avatar May 03 '19 00:05 ryankemper

Yes, blackbox_update_all_files

tlimoncelli avatar May 06 '19 19:05 tlimoncelli

Do I need the private (secret) keys for all admins to run the command? Simply having the public keys does not appear to be enough.

ryankemper avatar May 07 '19 00:05 ryankemper

IIRC you need the public keys of everyone, and the private key of yourself.

tlimoncelli avatar May 07 '19 18:05 tlimoncelli

You may want to check that there's no other person sharing your name on the public keyring. It just happened to me that apparently, if there's a longer name with an end matching yours, it'll take precedence when adding you as an administrator or re-encrypting. That took a while to figure out...

manurosa avatar Jun 14 '19 10:06 manurosa
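An added check, not part of blackbox or of this thread, for the two points made above: every admin in the list needs exactly one matching public key on the keyring (a loose name match that also hits a longer uid is the ambiguity described), and the machine doing the re-encrypt needs its own secret key. It parses constructed `gpg --with-colons` output; the names, addresses and key ids are made up.

```python
import re

# Constructed sample of `gpg --list-keys --with-colons` output (not from the issue).
# "alice@example.com" is a suffix of "malice@example.com", so a loose match is ambiguous.
SAMPLE_PUBLIC = """\
pub:u:4096:1:AAAA000000000001:1556668800:::u:::scESC::::::23::0:
uid:u::::1556668800::X1::Alice Admin <alice@example.com>::::::::::0:
sub:u:4096:1:AAAA000000000002:1556668800::::::e::::::23:
pub:u:4096:1:BBBB000000000001:1529366400:::u:::scESC::::::23::0:
uid:u::::1529366400::X2::Mallory Malice <malice@example.com>::::::::::0:
"""
# Constructed `gpg --list-secret-keys --with-colons` output: only Alice's secret key is local.
SAMPLE_SECRET = """\
sec:u:4096:1:AAAA000000000001:1556668800:::u:::scESC:::+:::23::0:
uid:u::::1556668800::X1::Alice Admin <alice@example.com>::::::::::0:
"""

def parse_keys(colon_output):
    """Return [(keyid, [uid, ...])] from the pub/sec records of --with-colons output."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sec"):
            keys.append((f[4], []))       # field 5: long key id
        elif f[0] == "uid" and keys:
            keys[-1][1].append(f[9])      # field 10: user id string
    return keys

def key_ids_for(keys, admin, exact):
    """Key ids whose uid names the admin: by exact <email>, or by loose substring match."""
    admin = admin.lower()
    hits = []
    for keyid, uids in keys:
        emails = [re.sub(r".*<([^>]+)>.*", r"\1", u).lower() for u in uids]
        if any(e == admin for e in emails) if exact else any(admin in u.lower() for u in uids):
            hits.append(keyid)
    return hits

def check_admins(admins, public_output, secret_output):
    """Per admin: exact key ids, whether a loose lookup is ambiguous, and whether the secret key is local."""
    pub = parse_keys(public_output)
    secret_ids = {keyid for keyid, _ in parse_keys(secret_output)}
    report = {}
    for admin in admins:
        exact = key_ids_for(pub, admin, True)
        report[admin] = {"exact": exact,
                         "ambiguous": len(key_ids_for(pub, admin, False)) > 1,
                         "have_secret": any(k in secret_ids for k in exact)}
    return report
```

Against a real keyring, feed it the stdout of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons` together with the addresses from `blackbox_listadmins`; an admin with an empty `exact` list or `ambiguous` set is the case to fix before running blackbox_update_all_files.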

@manu-rosa Thank you, I will look into that. I have multiple keys with the same name, so that definitely seems like it could apply to me.

ryankemper avatar Jun 16 '19 20:06 ryankemper

Please take a look at https://github.com/StackExchange/blackbox/issues/199, I believe it's related.

ifeltsweet avatar Jun 20 '19 11:06 ifeltsweet

I am receiving this error myself for a new repository:

mkdir secret-repo
cd secret-repo
git init
blackbox_initialize
git add .
git commit -m 'INITIALIZE BLACKBOX'
blackbox_addadmin [email protected]
blackbox_listadmins
[email protected]
echo 'foo' > bar.txt
blackbox_register_new_file bar.txt
blackbox_cat bar.txt.gpg
========== PLAINFILE "bar.txt"
========== Importing keychain: START
gpg: Total number processed: 1
gpg:              unchanged: 1
========== Importing keychain: DONE
========== EXTRACTING bar.txt
gpg: decryption failed: No secret key

oxr463 avatar Feb 01 '20 20:02 oxr463

Hmm.. that's difficult to answer because that is a gpg error, not a problem with blackbox itself. Have you tried:

https://stackoverflow.com/questions/58892189/error-gpg-decryption-failed-no-secret-key-when-using-blackbox-in-job-circle or https://security.stackexchange.com/questions/184865/gpg-decryption-failed-no-secret-key

TomOnTime avatar Feb 01 '20 20:02 TomOnTime

> Hmm.. that's difficult to answer because that is a gpg error, not a problem with blackbox itself. Have you tried:
>
> https://stackoverflow.com/questions/58892189/error-gpg-decryption-failed-no-secret-key-when-using-blackbox-in-job-circle or https://security.stackexchange.com/questions/184865/gpg-decryption-failed-no-secret-key

Thanks for the tip. Turns out in this case it was an issue with the pinentry.

oxr463 avatar Feb 01 '20 21:02 oxr463

@oxr463

I get the same behavior on a RHEL system. I have to run a newer GNUPG, but it still looks like decrypt doesn't use it, even when encrypt does. The secret keys are there, but decrypt isn't finding them.

brtduvally avatar Apr 07 '20 14:04 brtduvally