What are the correct permissions for the .gnupg enclosing folder? gpg: WARNING: unsafe enclosing directory permissions on configuration file

Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg

Because an attacker with enough rights on the folder could manipulate folder contents.

Execute the following commands:

  1. Make sure, the folder+contents belong to you:
    chown -R $(whoami) ~/.gnupg/

  2. Correct access rights for .gnupg and subfolders:
    find ~/.gnupg -type f -exec chmod 600 {} \;
    find ~/.gnupg -type d -exec chmod 700 {} \;

Explanation for 600, 700:

Lets start from the back: '00' mean NO rights AT ALL for everybody who is not the owner of the files/directories.

That means, that the process reading these (gnupg) must run as the owner of these files/directories.

~/.gnupg/ is a folder, the process reading the contents must be able to "enter" (=execute) this folder. This is the "x" Bit. It has the value "1". 7 - 6 = 1

Both ~/.gnupg/ and ~/.gnupg/* you want to be able to read and write, thats 4 + 2 = 6.

==> Only the owner of the files can read/write them now (=600). Only he can enter into the directory as well (=700)

==> These file rights don't "need" to be documented, they are derivable from the intended usage.

More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions


GnuPG by default enforces secure access privileges, which means nobody else (but you) can access your GnuPG home directory ~/.gnupg. These access privileges often are not strict enough after copying the GnuPG home directory from another machine, and very often wrong ownership is the reason of such a message.

# Set ownership to your own user and primary group
chown -R "$USER:$(id -gn)" ~/.gnupg
# Set permissions to read, write, execute for only yourself, no others
chmod 700 ~/.gnupg
# Set permissions to read, write for only yourself, no others
chmod 600 ~/.gnupg/*

If you have (for any reason) created your own folders inside ~/.gnupg, you must also additionally apply execute permissions to that folder. Folders require execution privileges to be opened.


Although Jens Erat already mentioned it in his last sentence, I think it should be stressed that any folders inside ~/.gnupg must be executable (mode 700) as well. This holds especially for the private-keys* folder that is created by gpg itself. I was stuck with permission problems for a while before I noticed this.