Can I check who can decrypt my GPG message after I encrypt it?

You can't necessarily tell who can decrypt a given GPG file by looking at it, but assuming nobody has any knowledge aside from their own private keys and the encrypted file itself, it is possible tell how many people can.

When you encrypt a message, GPG generates a random symmetric key, called a "session key", and uses it to encrypt the message. It then makes a bunch of copies of the session key, and encrypts each one under a different public key, one for each recipient. It then packages all of these encrypted "key packets" along with the encrypted message using the OpenPGP container format.

The important thing is that if all you have is the encrypted file, you have to be able to decrypt at least one of these encrypted session key packets in order to get to the message.

You can list all of the packets in an encrypted file using the gpg --list-packets command:

$ gpg --batch --list-packets myfile.gpg
:pubkey enc packet: version 3, algo 16, keyid 0000000000000000
        data: [2048 bits]
        data: [2046 bits]
gpg: anonymous recipient; trying secret key ABCDE123 ...
:pubkey enc packet: version 3, algo 16, keyid 123ABCDE0987654F
        data: [2048 bits]
        data: [2046 bits]
:encrypted data packet:
...

(The --batch flag prevents GPG from asking me for my passphrase, so that it can't decrypt anything. If you're running a GPG agent, it'll take more than that.)

Those "pubkey encrypted packets" are encrypted session key packets that were read from the file. The one with "keyid 123ABCDE0987654F" is a normal recipient; the key ID is a hint to tell you which key can be used to decrypt the packet. The one with "keyid 0000000000000000" is an anonymous recipient: you don't know which key will decrypt it, but you know it's there waiting to be decrypted by something. If your gpg was modified to add Eve as an anonymous recipient, this is what you would see when inspecting the .gpg file using a clean gpg binary. It's also what you would see if you added an anonymous recipient on purpose.

If Eve's a little more clever, though, then there are a couple of ways to further hide recipients:

  • The listed keyid value could be a lie. The all-zeroes keyid is just a convention, and the normal keyid is just a hint: there could be anything there. Eve could label her encrypted key packet using Bob's keyid, and replace Bob's legitimate packet with hers. It would look like a packet for Bob, but if he tried to use it, the decryption would fail. Only Bob would be able to check this. The --try-all-secrets flag is somewhat related, and could be useful if the keyid was accidentally wrong.
  • Eve doesn't have to put her key packet into the file, or even create an encrypted key packet for herself at all. Try out the --show-session-key and --override-session-key flags on a dummy file with no sensitive data. These will let you handle the session key directly instead of keeping it hidden away in encrypted key packets. If Eve has replaced your gpg binary, she could (for example) have it email her the session key of every file you encrypt, along with a hash of the encrypted data for easy identification. This violates the "no prior knowledge" assumption from earlier, but I felt the existence of these flags made it worth mentioning.

Tags:

Encryption

Pgp