Mageia forum

I didn't start here in the Mageia forum, because this is more of a Linux in general question. But I've had no response from linuxquestions.org, So I thought I'd try asking the smart people who reside here, if they know the answer...

details of that at: http://tinylink.in/4NF1P

The short version is using the CLI interface to gpg and/or gpg2, if I encrypt a file so that it can be decrypted by either one of two gpg keys,

Example:

Code: Select all

JtWdyP ->  /home/jtwdyp/tmp
> gpg --output ~/tmp/tst.asc -e -r 0xF8549389 -r 0x6C2163DE ~/tmp/tst.txt
gpg: 0x6C2163DE: skipped: public key already present
JtWdyP ->  /home/jtwdyp/tmp
>


How do I tell gpg and/or gpg2, on the command line, which key I intend to use, to decrypt the file with?

I sometimes can't remember both pass phrases...

Trial and error showed me that if I fail the passphrase prompt enough times, it will finally ask for the other key's passphrase. But aside from being a real PITA, that could be problematic on some Linux systems. Because some of them use an GUI pop-up passphrase prompt, and not all of those specify in the {pinentry?} prompt, which key it's asking about.

And the additional bonus question is:

If I were to use gpg to encrypt some sensitive data file for several intended recipients. Some of whom might be accessing the data from a keydrive, via pgp on a winblows machine. Would they have any control over which key's passphrase they get prompted for?

See http://stackoverflow.com/questions/1068 ... thon-gnupg
and maybe http://stackoverflow.com/questions/9624 ... crypt-sign

For the encryption see http://stackoverflow.com/questions/5971 ... erent-keys
and http://superuser.com/questions/554513/p ... recipients
and maybe http://superuser.com/questions/335664/h ... -a-keypair

To decrypt I think you need to use the -u (--local-user) option. This is explained in the man page:

man gpg wrote: --default-key name
Use name as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option.

doktor5000 wrote:To decrypt I think you need to use the -u (--local-user) option. This is explained in the man page:

man gpg wrote: --default-key name
Use name as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option.

Thank you for the reply. I looked at all of those links, and the man output, but still don't quite get this...

I see lots of good stuff about how to select which key(s) to encrypt for. But I can't find the part that tells me how to specify which key to decrypt with, when more than one of the recipient keys are on the recipient's key-ring.

I really don't want to modify my scripts to make two encrypted files, (one for each key) And then put both of them on all transfer media (mostly key-drives) So that the other script would have to select which file to decrypt, based on the selected user ID.

I really want to learn how to get gpg to ask for the desired key's passphrase for a single datafile, encrypted with both keys.

However:

The below sequence shows me encrypting a text file for both of my valid keys. Then trying to decrypt it using the one linked to my "ttlc" email address. I tried first using the --default-user option, and then using the --local-user option.

In both cases, gpg wants the passphrase for the other recipient. In the first case, I then terminated with ^C, and tried the --local-user option. When that to wanted the passphrase for the other recipient, I caved in and complied. At which point gpg tells me that the file was definitely encrypted for either key???!!!???

What am I doing wrong?

Code: Select all

JtWdyP ->  /home/jtwdyp/tmp/tstbin
> gpg --output ~/tmp/tstbin/tst.asc -e -r jtwdyp@ttlc.net -r jtwdyp@gmx.com ~/tmp/tstbin/tst.txt
gpg: jtwdyp@ttlc.net: skipped: public key already present
JtWdyP ->  /home/jtwdyp/tmp/tstbin
> gpg --output ~/tmp/tstbin/tst-dk.txt --default-key jtwdyp@ttlc.net ~/tmp/tstbin/tst.asc

You need a passphrase to unlock the secret key for
user: "Joe Philbrook <jtwdyp@gmx.com>"
3072-bit RSA key, ID 113C4D71, created 2014-05-09 (main key ID F8549389)

Enter passphrase:
gpg: Interrupt caught ... exiting

JtWdyP ->  /home/jtwdyp/tmp/tstbin
> gpg --output ~/tmp/tstbin/tst-lu.txt --local-user jtwdyp@ttlc.net ~/tmp/tstbin/tst.asc

You need a passphrase to unlock the secret key for
user: "Joe Philbrook <jtwdyp@gmx.com>"
3072-bit RSA key, ID 113C4D71, created 2014-05-09 (main key ID F8549389)

gpg: encrypted with 1024-bit ELG-E key, ID 225FDC6D, created 2004-05-17
      "Joe(theWordy)Philbrook (JtWdyP) <jtwdyp@ttlc.net>"
gpg: encrypted with 3072-bit RSA key, ID 113C4D71, created 2014-05-09
      "Joe Philbrook <jtwdyp@gmx.com>"
JtWdyP ->  /home/jtwdyp/tmp/tstbin
>


Sorry, can't help you further. You should probably re-ask your question on the gnupg-users mailing list: https://www.gnupg.org/documentation/mailing-lists.html