

gpg decrypt fails with unknown key

Posted on 2014-02-17
Medium Priority
Last Modified: 2016-04-01
I am using gpg4win to encrypt files. I have three keys imported. I use a vbscript to encrypt and ftp files to vendors. Two of the keys work perfectly. The third fails when the vendor tries to decrypt. They receive an error : unknown key. We have confirmed the key is correct. If I encrypt using Kleopatra front end, everything works. When I use my VBS, they cannot decrypt. The same command works fine for the other vendors. Here is the command I am using:

comd = "cmd /C gpg  -R <key>   --always-trust --encrypt " & txtFile

Again, this command works for the other two vendors. And the key must be okay if it works in Kleopatra.
Question by:awc_support
LVL 65

Expert Comment

ID: 39867269
I was thinking there might be special characters (or a space, newline or carriage return) in the key that are not properly parsed by the vbscript. Maybe you can generate another random key pair and repeat the vbscript encrypt and decrypt to see if it is all right for the script as well as Kleopatra. Logically it should not be limited to only two sets of keys.

It is not as likely that the key is not in the keyring, but maybe just verify that listing the keyring shows the 3 keys; it should not be showing any unknown keys, as below.


Author Comment

ID: 39867360
Thank you Ace. I did a --list-keys and I see all three keys. We compared the vbscript with the working scripts in a hex editor and there are no differences. So, that rules out spaces or special characters. We are not signing so there should be no secret key in the mix. I just encrypt with the vendor's public key. This method works well for two other vendors.

I am just learning gpg so my understanding of how this works may be off a bit.
LVL 65

Expert Comment

ID: 39867466
Will you be able to generate another new keypair to test whether encrypting (using your shared new pub) by the third party and decrypting (using your new secret) by yourself also has the same issue? Likewise, the third party can generate a new keyset and do the same vice versa. It is also good to check the version of gpg used.

Also note the below on keypair type:

The DSA/ElGamal keypair that we generated above consists of a public key and a secret key (or private key). It also has a special type of key known as a subkey (which has its own public and secret keys). Subkeys are often used to encrypt, but not sign. DSA/ElGamal keypairs are a common combination of master signing key and encryption subkey. In some cases, as was the case with our DSA/ElGamal keypair, GPG will create the necessary subkey for you when you generate a keypair. In other cases you will have to create a subkey yourself, depending on the type of keypair you choose to generate.

Ideally, you would contact the key owner and check the key fingerprint on the key you have against the key fingerprint the owner has. (A key's fingerprint is preferable to the Key ID, even the long version of the Key ID, as there is the remote chance that multiple keys can have the same Key ID.) You can get the key fingerprint by using the --fingerprint command.

When you created your keypair, GPG set a default list of preferences for the several different types of algorithms that can be used for encryption, message digests (hashes), and compression. These preferences tell GPG what algorithms are to be employed when your key is used. Since these preferences are stored with your key, they can even affect what algorithms are used by GPG (or PGP) when others use your public key to encrypt messages to you. You can get a list of the preferences on your key by editing your key (--edit-key) and using the showpref command.

The pref command, however, presents the preferences on your key as a string using a special set of codes (a kind of notation). If you compare the list (or string) of preferences from the pref command with that of the showpref command, you'll find that they match exactly. You can change the list of preferences on your key by using the setpref command and specifying a new list (or string) of preferences in a string just like the string that the pref command generated. After you change the preferences on your key with the setpref command, issue the updpref command to save your changes.

LVL 16

Expert Comment

ID: 39869291
You could try using Robo-FTP to do it. It is a scriptable FTP client with the ability to programmatically do PGP encryption and decryption. It has a lot of other file-related features so you could most likely translate the VBScript into its script but, if not, you could use the EXEC command to run cscript.exe and pass the name of your VBScript on the command line so that it does part of the job in its native script and part in your VBScript.

Author Comment

ID: 39870336
Ace, can you help me understand why I would put so much effort into troubleshooting the key pair when we know the same key pair works perfectly from Kleopatra? I am not discounting what you're saying, I am just trying to learn and understand.

I currently have no contact information for the vendor. I am working on getting the information.

LVL 65

Accepted Solution

btan earned 2000 total points
ID: 39870463
I understand how you feel as I would be of the same mind too, but we need to isolate and verify the assumptions. Kleopatra is primarily using certificate-based keys and also an organised keyring which its code knows how to retrieve the archived key from. Coding ourselves may miss retrieving the actual required key, or go to the directory path and find no key, or not have set the search key space, or use a retired key, or have a cached key that was not properly housekept... too many variables... there should be a verify command to check key content etc.

I was actually thinking even to clean up the keyring and only have that single vendor pub key and send over, to make sure the keystore is sound... the public info so far did not drill down to this level and was mostly due to using the wrong keypair or revoked keys or key type etc.

Not easy, especially when it seems so obvious... has anyone else used those keys of the vendor as well, and also using a script, or are we the first to send it, is my next thinking... trust but verify.
LVL 16

Expert Comment

ID: 39870529
I have seen a frustrating situation where the "keyring" is split between a folder under Program Files and a folder under My Documents.... Everything would work fine when I ran it manually but fail when launched as a Windows scheduled task. It turned out that the public key for encryption was in my personal My Documents folder so, when I launched it as a task using the administrator account, the key was not found... because "administrator" had its own Documents folder. I doubt that could explain your symptoms if you are identifying the key by its ID number, but it could absolutely happen if you're specifying the key to use for encryption by passing the username, email or comment field.

Author Comment

ID: 39882818
I have resolved this issue. The command in the vbs was using a -R (uppercase). I thought this switch meant recipient; however, -r (lowercase) is used for recipient. The -R was hiding the recipient ID. This did not cause an issue for the other two vendors because apparently their decryption uses wildcards. So, when they decrypt, they cycle through all of the keys in their keyring until one of them works. The new vendor is not doing this. So, I changed the script to use -r and all is well. Gpg4win does not show the -R switch in its documentation or from gpg --help. Only -r or --recipient.
LVL 65

Expert Comment

ID: 39884360
Rightfully the KeyID should be working as well, as long as the specific key is correct, as in you using the pub key to encrypt and the vendor using the right secret private key. It is better to verify that, and cycling using a wildcard can be susceptible to mistakes. So it is good to list out the keyID specific to each vendor and check that the keyring has indeed those keys in their store and in sync with you. Also then back up those keys.

The options are available here:

--recipient name
    Encrypt for user id name. If this option or --hidden-recipient is not specified, GnuPG asks for the user-id unless --default-recipient is given.

--hidden-recipient name
    Encrypt for user ID name, but hide the key ID of this user's key. This option helps to hide the receiver of the message and is a limited countermeasure against traffic analysis. If this option or --recipient is not specified, GnuPG asks for the user ID unless --default-recipient is given.

Also the use of the username should help:

To encrypt data, use:
gpg -e -u "Sender User Name" -r "Receiver User Name" somefile
There are some useful options here, such as -u to specify the secret key to be used, and -r to specify the public key of the recipient.
As an example: gpg -e -u "Charles Lockhart" -r "A Friend" mydata.tar

To decrypt data, use:
gpg -d mydata.tar.gpg
If you have multiple secret keys, it'll choose the correct one, or output an error if the correct one doesn't exist. You'll be prompted to enter your passphrase. Afterwards there will exist the file "mydata.tar", and the encrypted "original," mydata.tar.gpg.

Glad it resolved. Thanks for sharing
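The resolution above (-R vs -r) and the --recipient / --hidden-recipient option text come down to one byte field: with -r the Public-Key Encrypted Session Key packet carries the recipient's 8-byte key ID, with -R that field is all zeros and the decrypting side must try every secret key it holds (the "wildcard" behaviour the author saw at the other two vendors). The following is an added example, not code from the thread or from GnuPG: a small OpenPGP packet walker that reports the recipient key IDs of a message so a sender can check what a script produced before shipping it. The packet bytes and the key ID are constructed for the demo, not real ciphertext.

```python
import struct

# Constructed sample PKESK packets (tag 1) with a throwaway MPI body; the
# key ID below is made up and does not correspond to any real key.
SAMPLE_KEY_ID = bytes.fromhex("0123456789ABCDEF")

def build_pkesk(key_id: bytes, pk_algo: int = 1) -> bytes:
    """Build an old-format tag-1 packet: version 3, key ID, algo, one MPI."""
    mpi = b"\x00\x08\xab"                      # 8-bit placeholder MPI
    body = b"\x03" + key_id + bytes([pk_algo]) + mpi
    return bytes([0x80 | (1 << 2) | 0]) + bytes([len(body)]) + body

MSG_WITH_R = build_pkesk(SAMPLE_KEY_ID)        # what "gpg -r <key>" emits
MSG_WITH_BIG_R = build_pkesk(b"\x00" * 8)      # what "gpg -R <key>" emits

def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format OpenPGP packet headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                         # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[pos + 2] + 192
                hdr = 3
            elif first == 255:
                length = struct.unpack(">I", data[pos + 2:pos + 6])[0]
                hdr = 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def recipients(data: bytes) -> list:
    """Key ID (hex) per PKESK packet; an all-zero ID means a hidden recipient."""
    out = []
    for tag, body in iter_packets(data):
        if tag != 1:
            continue
        if body[0] != 3:
            raise ValueError("unsupported PKESK version")
        key_id = body[1:9]
        out.append("hidden" if key_id == b"\x00" * 8 else key_id.hex().upper())
    return out
```

On a real file the same check is `gpg --list-packets file.gpg`, where a hidden recipient shows up as keyid 0000000000000000; a vendor whose decryptor does not try every secret key reports an unknown key exactly as in the question.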
