GPG - multi-recipient decryption

I am trying to decrypt a file that has been encrypted using two recipients (--recipient recipientA@example.com --recipient recipientB@example.com). However, when I try to decrypt the file, it always requests the passphrase of the first recipient. When the secret key of the 1st recipient is not part of the key ring, it gives the error message "secret key not found."

How can I encrypt a file with multiple recipients so that both can decrypt it without knowing each other's keys and passphrases?

(For me, the question seems to be a simple and basic feature - but obviously I can't get it to work)

Thank you in advance!

+1
encryption gnupg
Oct 24 '13 at 9:33
2 answers

Today I ran into this problem and found your question while looking for an answer. I have seen many fun examples of how to encrypt things for multiple recipients ... but none says / shows what happens when you try to decrypt this data. Here is what I got:

    user@system ~ $ gpg --decrypt filename.pgp
    You need a passphrase to unlock the secret key for
    user: "SOMEBODY ELSE <somebody_else@example.com>"
    2048-bit ELG-E key, ID ABC1234, created 1972-10-29 (main key ID ABC5678)
    gpg: Invalid passphrase; please try again ...
    [I DON'T HAVE *THEIR* PASSPHRASE!]
    2 more times... finally...
    You need a passphrase to unlock the secret key for
    user: "HEY! This is ME! <my_email@example.com>"
    2048-bit ELG-E key, ID DEF1234, created 1969-02-03 (main key ID DEF5678)
    gpg: encrypted with 2048-bit ELG-E key, ID ABC1234, created 1972-10-29
          "NAME <email@example.com>"
    gpg: public key decryption failed: bad passphrase
    gpg: encrypted with 2048-bit ELG-E key, ID DEF1234, created 1969-02-03
          "HEY! This is ME! <my_email@example.com>"

and then the file decrypted fine...

Quick note: just for security reasons, one's passphrase and one's private key should NEVER be provided to anyone else. The passphrase is there to keep the secret key "safe" if it becomes compromised. One's public key is the only thing you need to share with others.

I preface this with the fact that at the moment I have access only to version 1.4.2.2 and I am not able to test these solutions. In a later version, there are certain options that may well be needed. Please try them and answer if any of them works.

--local-user/-u looked promising. In the version I had, --help showed "use this user-id to sign or decrypt". But when I tried, it seemed in vain; further research showed a cruel truth: it seems that the help is incorrect, and this is ONLY an option used for "signing".

This post has a likely solution, although I personally find it dirty:

    gpg --try-all-secrets --passphrase <passphrase here> filename.pgp

--passphrase was apparently added in version 1.4.3. Ugh!

EDIT: Perhaps the best (maybe lower) solution is only available in gpg2? gpg2 seems to have --try-secret-key, which, if I read correctly, might be what we're both looking for?

+3
Dec 14 '13 at 9:12
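The behaviour the question and the answer above are about can be checked end to end with the script below. It is an added example, not code from either poster: it creates two isolated keyrings (Alice and Bob, constructed names and addresses), has Alice encrypt one file to both recipients, and then has Bob decrypt it from a keyring that holds only his own secret key and not even Alice's public key. It assumes GnuPG 2.x on PATH; the keys are generated without a passphrase (%no-protection) purely so the demo runs unattended. It also counts the "pubkey enc packet"s in the ciphertext with --list-packets, which is the structural reason any single recipient can decrypt: the file carries one copy of the session key per recipient, and gpg skips the copies it cannot open.

```shell
#!/bin/sh
# Added example (not from the original thread): encrypt one file to two
# recipients and show that each recipient decrypts it with only their own
# secret key, knowing nothing of the other's passphrase or private key.
# Assumes GnuPG 2.x on PATH; names, addresses and the message are constructed.
set -eu

# Create an unprotected RSA key pair in an isolated GNUPGHOME.
# (%no-protection keeps the demo non-interactive; real keys get a passphrase.)
gen_key() {
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Count the public-key-encrypted session-key packets in an OpenPGP message:
# one per recipient, each holding the same session key wrapped to that key.
count_recipients() {
  gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# Round trip: Alice encrypts to herself and Bob; Bob decrypts in a keyring
# that holds only his own key pair. Prints "<recipient count>:<plaintext>".
demo_multi_recipient() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"
  gen_key "$alice" "Alice Example" "alice@example.com"
  gen_key "$bob"   "Bob Example"   "bob@example.com"

  # Only Bob's PUBLIC key crosses the boundary between the two keyrings.
  gpg --homedir "$bob" --batch --quiet --export bob@example.com > "$work/bob.pub"
  gpg --homedir "$alice" --batch --quiet --import "$work/bob.pub"

  printf 'meeting moved to 10:00\n' > "$work/msg.txt"
  # --trust-model always: Bob's freshly imported key has no trust path yet,
  # and batch mode cannot ask whether to use it anyway.
  gpg --homedir "$alice" --batch --quiet --trust-model always \
      --recipient alice@example.com --recipient bob@example.com \
      --output "$work/msg.gpg" --encrypt "$work/msg.txt"

  n=$(count_recipients "$work/msg.gpg")
  # Bob's keyring does not contain Alice's key at all. gpg reports the
  # session-key packet it cannot open ("encrypted with RSA key, ID ...") on
  # stderr and then decrypts with the packet addressed to Bob's key.
  plain=$(gpg --homedir "$bob" --batch --decrypt "$work/msg.gpg")

  for h in "$alice" "$bob"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
  printf '%s:%s\n' "$n" "$plain"
}

demo_multi_recipient
```

Running it prints `2:meeting moved to 10:00`: two session-key packets in the file, and Bob's plaintext recovered with no passphrase or key belonging to Alice. Applied to the thread's situation, the "first recipient" prompt in gpg 1.4 is gpg trying each session-key packet in file order; with a secret key present for any one of them the decryption should succeed, and no option is needed to tell gpg which recipient you are.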

Today I ran into this problem, and I decided to launch gpg in batch mode:

    /usr/bin/gpg --batch --passphrase "your_passphrase" --verbose --decrypt

0
Jun 16 '16 at 2:51