ERROR decrypt error: unable to find a PGP decryption key for this message

[pramodhegde]

On one of my devices, I am unable to decrypt any PGP encrypted messages.

~  keybase --version
keybase version 1.0.15-20160404130015+8ac9934

~  keybase pgp decrypt -i /tmp/encrypted.asc
ERROR decrypt error: unable to find a PGP decryption key for this message

~  keybase pgp select --only-import
ERROR No PGP keys available to choose from.

So I tried exporting my PGP public & secret (private) key to gpg to see if that would help. Exporting the public key works fine.

But when I try to export the private key,

~  keybase pgp export -s
ERROR No matching keys found

What have I done wrong to get in this conundrum?

[maxtaco]

My guess is you don't have any PGP secret keys locally on your machine. Gpg -K returns nothing right?

On Saturday, April 9, 2016, Pramod Hegde [email protected] wrote:

On one of my devices, I am unable to decrypt any PGP encrypted messages.

~ keybase --version keybase version 1.0.15-20160404130015+8ac9934

~ keybase pgp decrypt -i /tmp/encrypted.asc ERROR decrypt error: unable to find a PGP decryption key for this message

~ keybase pgp select --only-import ERROR No PGP keys available to choose from.

So I tried exporting my PGP public & secret (private) key to gpg to see if that would help. Exporting the public key works fine.

But when I try to export the private key,

~ keybase pgp export -s ERROR No matching keys found

What have I done wrong to get in this conundrum?

— You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub https://github.com/keybase/keybase-issues/issues/2193

[pramodhegde]

It does return to me the public keys that keybase pgp pull pulled. Funny thing though, I don't see my own public key in that list!

[maxtaco]

Upper case k shows you private keys

On Saturday, April 9, 2016, Pramod Hegde [email protected] wrote:

It does return to me the public keys that keybase pgp pull pulled. Funny thing though, I don't see my own public key in that list!

— You are receiving this because you commented. Reply to this email directly or view it on GitHub https://github.com/keybase/keybase-issues/issues/2193#issuecomment-207814244

[pramodhegde]

Crap! Right you are.

[steko]

I think the problem is that you're using gpg2. At least I seem to have similar issues with a gpg2 setup.

[BrandonIngalls]

I also imported my key using gpg, so gpg -K also shows my private key, and I am still having the same issue on my laptop.

[maxtaco]

@BrandonIngalls did you run keybase pgp select --only-import as suggested above?

[maxtaco]

If you can provide -d, we can look further into it, but probably not in a timely manner, in all honesty

[BrandonIngalls]

http://hastebin.com/cudopeniku.coffee

[maxtaco]

Sorry @BrandonIngalls no ideas immediately come to mind. We'll file it in our backlog. It's extremely hard to debug secret key bugs since we have no idea how to repro them :(

[maxtaco]

Wonderful, thanks @BrandonIngalls. This is a great STR.

[bradfeehan]

Same thing happening for me. In GPG I have no secret key for my master key locally, and secret keys for my subkeys. I can use GPG directly to decrypt messages encrypted for me on the keybase website, but keybase CLI can't do the same thing itself.

[bradfeehan]

I think I noticed a relevant part of the GPG manpage:

--export-secret-keys --export-secret-subkeys Same as --export, but exports the secret keys instead. The exported keys are written to STDOUT or to the file given with option --output. This command is often used along with the option --armor to allow easy printing of the key for paper backup; however the external tool paperkey does a better job for creating backups on paper. Note that exporting a secret key can be a security risk if the exported keys are send over an insecure channel.

The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. Its intended use is to generated a full key with an additional signing subkey on a dedicated machine and then using this command to export the key without the primary key to the main machine.

This is actually what I have done (I used --export-secret-subkeys on a dedicated machine and imported it to my main machine) and I would like to get this working in Keybase. :smile:

[maxtaco]

Ok thanks. Now that I understand the issue, it makes sense to promote it, since it seems reasonably easy to hit. For now, I'd recommend just using gpg on the command line since obviously you guys are comfortable with it.

[rquadling]

Can anyone summarise this for the numpties please?

I've got 2 machines (a Windows and a Mac), Windows works (yes, I'm as surprised as you are!) and the Mac doesn't (opinions vary on whether or not the level of surprise I'm feeling is warranted!).

I'm trying to decrypt some files and getting the "Unable to find a PGP decryption key for this message".

I've just installed keybase on the mac using Homebrew.

I had to install gnupg, also via homebrew.

[maxtaco]

@rquadling We don't sync your private key for you, looks like you need to move it yourself from your Windows machine to the OSX machine.

[rquadling]

Aha! Makes perfect sense. Thank you!!!!

[rsyring]

For what it's worth, I had problems with this same error message. I initially tried:

$ keybase pgp select 
▶ ERROR You already have a PGP key registered (B299 86B0 7C64 A87E B19B CDD6 F2CD 3E13 3B20 DE2B)
Specify the `--multi` flag to override this check

Based on suggestions in this issue, I then tried:

$ keybase pgp select --only-import
#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
1    2048R   F2CD3E133B20DE2B             Randy Syring <[email protected]>, Randy Syring 
Choose a key: 1
▶ INFO Bundle unlocked: F2CD3E133B20DE2B
▶ INFO Key F2CD3E133B20DE2B imported

And follow the instructions. That resulted in keybase being able to decrypt pgp messages.

I'm not sure what --select-only is or why it was needed. If Keybase could have detected that more work was needed on my part (e.g. running with --select-only), and notified me of that, it would have been a much better UX.

[thepixelmonk]

I have a similar problem where keybase gpg decrypt doesn't find the key but gpg -d works fine.

[johntdyer]

Same here

[denibertovic]

I have the same issue because I don't keep my secret keys locally but instead keep them on an external card (a yubikey in this case). Apparently, gpg is able to read the required keys from the yubikey where-as keybase is not.

EDIT: I'd like to point out that keybase pgp select --only-import does not work for me in this case because I don't want to have the secret key living on the machine (neither in gpg's keyring or in keybase's keyring.... Actually I wasn't aware that keybase holds a separate keyring or am I misinterpreting that?)

[robophil]

I had to do keybase pgp select --import --multi to get it to work with version keybase version 2.5.0-20180807174114+6435f04df6

[ourway]

Same issue here. It's very confusing

[steinybot]

This still seems to be a problem in keybase version 5.5.0-20200526170801+139bb348af.

I have the same setup as @BrandonIngalls; master key secret locked away on a tails usb key and I only export the secrets for my subkeys. Encrypting works.

Using gpg directly works fine so I guess that is ok but it would still be nice to have this supported in keybase since IMO any decent pgp setup should be using short lived subkeys and never exposing the master secret.

[omegazyadav]

I had to do keybase pgp select --import --multi to get it to work with version keybase version 2.5.0-20180807174114+6435f04df6

Thanks, this worked for me. This will import the private key in your profile from the keybase server. I suppose using only the keybase pgp select selects the public key but it is not sufficient for decrypting the contents.

[francomile]

I had to do keybase pgp select --import --multi to get it to work with version keybase version 2.5.0-20180807174114+6435f04df6

Thanks, this worked for me. This will import the private key in your profile from the keybase server. I suppose using only the keybase pgp select selects the public key but it is not sufficient for decrypting the contents.

This worked for me on v.5.7.0

[joberget]

I had to do keybase pgp select --import --multi to get it to work with version keybase version 2.5.0-20180807174114+6435f04df6

This worked for me as well on 5.8.0.

[cysmanojsah]

I have a similar issue and i tried keybase pgp select --import --multi with keybase version 5.9.2-20220131221715+a25f15e42b and it is not working

▶ ERROR decrypt error: unable to find a PGP decryption key for this message

[laurentiuspurba]

I have a similar issue and i tried keybase pgp select --import --multi with keybase version 5.9.2-20220131221715+a25f15e42b and it is not working

▶ ERROR decrypt error: unable to find a PGP decryption key for this message

Any solutions on this? Headache....