decrypt encrypted gpg file using external secret key

The objective of the OP Mohammed appears to be keeping his PUBLIC and SECRET key apart. After all, do we want to keep the Secret key with the data it was used to encrypt? Thus, Mohammed's and 10,650+ others (at the time I write this) are interested in if/how it's possible. Indeed it is, and this is how you do it:

The publicly-facing host only has two keys: Both are Public Keys

  1. Your GPG Public key used to encrypt data

  2. Your SSH Public key in .ssh/authorized_keys to facilitate non-interactive logins.

Round-tripping an encrypted file using Public-Secret key separation:
The following bash snippet when executed on the host with the Secret Key will fetch the crypted file from the DMZ host via scp, and squirt the gpg decrypted standard output back onto the DMZ host into a file so it can be read/operated upon. This code is tested and known to work correctly:

echo "$(gpg -d $(scp [email protected]:/home/myuser/test-gpg.txt.asc .;ls ./test-gpg.txt.asc))" | ssh [email protected] 'cat > /home/myuser/test-gpg.txt'

Note that you will still be prompted for a password once decryption begins. But once the password is supplied, the script continues and injects the decrypted gpg stream into a file on DMZ host.

And don't forget to do an rm test-gpg.txt of the decrypted file once the operation that required it's contents to be readable has been completed.

So yes, very possible to keep your secret key apart from the publicly accessible host where encryption occurs and your secret key tucked safely away in a host outside of that DMZ. HTH- Terrence Houlahan


You have to import the secret key to use it but the way that secret keys are managed by GnuPG version 2.x has changed. There is a gpg-agent daemon that handles secret keys access and its use is mandatory from version 2.1.

Here is a way that you can quickly create a temporary keyring to decrypt with a secret key that is contained in a file:

$ mkdir -m 700 ~/.gnupg-temp
$ gpg --homedir .gnupg-temp --import key.sec
$ gpg --homedir .gnupg-temp -d an_ecrypted_file

If you want to clean up afterwards, stop the agent and remove the directory:

$ gpg-connect-agent --homedir .gnupg-temp KILLAGENT /bye
$ rm -r ~/.gnupg-temp

There used to be an option --secret-keyring about which the documentation for version 2.1 has this to say:

This is an obsolete option and ignored. All secret keys are stored in the private-keys-v1.d directory below the GnuPG home directory.

The private-keys-v1.d directory (wthin the --homedir or ~/.gnupg) is owned and operated by the agent.


You must add the secret key to a keyring. From the gpg(1) documentation:

   --no-default-keyring
          Do not add the default keyrings to the list of
          keyrings. Note that GnuPG will not operate without any
          keyrings, so if you use this option and do not provide
          alternate keyrings via --keyring or --secret-keyring,
          then GnuPG will still use the default public or secret
          keyrings.

You could --import --no-default-keyring --secret-keyring temporary to import the key, use --secret-keyring temporary when decrypting the content, then delete the ~/.gnupg/temporary.gpg file when you're done. But that's just a work-around.