gpg decryption fails with no secret key error
I just ran into this issue, on the gpg CLI in Arch Linux. I needed to kill the existing "gpg-agent" process, then everything was back to normal ( a new gpg-agent should auto-launch when you invoke the gpg command, again; ...).
- edit: if the process fails to reload (e.g. within a minute), execute
gpg-agent
in a terminal and/or reboot ...
I was trying to use aws-vault which uses pass and gnugp2 (gpg2). I'm on Ubuntu 20.04 running in WSL2.
I tried all the solutions above, and eventually, I had to do one more thing -
$ rm ~/.gnupg/S.* # remove cache
$ gpg-connect-agent reloadagent /bye # restart gpg agent
$ export GPG_TTY=$(tty) # prompt for password
# ^ This last line should be added to your ~/.bashrc file
The source of this solution is from some blog-post in Japanese, luckily there's Google Translate :)
Looks like the secret key isn't on the other machine, so even with the right passphrase (read from a file) it wouldn't work.
These options should work, to
- Either copy the keyrings (maybe only secret keyring required, but public ring is public anyway) over to the other machine
- Or export the secret key & then import it on the other machine
A few useful looking options from man gpg
:
--export
Either export all keys from all keyrings (default keyrings and those registered via option--keyring
), or if at least one name is given, those of the given name. The new keyring is written to STDOUT or to the file given with option--output
. Use together with--armor
to mail those keys.
--export-secret-keys
Same as--export
, but exports the secret keys instead.
--import
--fast-import
Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym.
And maybe
--keyring file
Add file to the current list of keyrings. If file begins with a tilde and a slash, these are replaced by the $HOME directory. If the file‐ name does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used).Note that this adds a keyring to the current list. If the intent is to use the specified keyring alone, use
--keyring
along with--no-default-keyring
.
--secret-keyring file
Same as--keyring
but for the secret keyrings.