GPG - decrypt with multiple recipients

I am trying to decrypt a file that has been encrypted using 2 recipients (--recipient [email protected] --recipient [email protected]). However, when I try to decrypt the file, it always requests the passphrase of the 1st recipient. When the 1st recipient's secret key isn't part of the keyring, it will give an error 'secret key not found'.

How can I encrypt a file with multiple recipients so that both can decrypt it without knowing each other's keys & passphrases?

(To me, the question seems simple and a basic feature - but obviously I cannot get it to work)

Thank you in advance!

user2915036 asked Oct 21 '25 05:10


1 Answer

I ran into this problem today, and found your question looking for the answer. I've seen many a merry example of how to encrypt things for multiple recipients... never saying/showing what will happen when one tries to decrypt that data. Here's what I got:

user@system ~ $ gpg --decrypt filename.pgp

You need a passphrase to unlock the secret key for
user: "SOMEBODY ELSE <[email protected]>"
2048-bit ELG-E key, ID ABC1234, created 1972-10-29 (main key ID ABC5678)

gpg: Invalid passphrase; please try again ... [I DON'T HAVE *THEIR* PASSPHRASE!]

2 more times... finally...

You need a passphrase to unlock the secret key for
user: "HEY!  This is ME! <[email protected]>"
2048-bit ELG-E key, ID DEF1234, created 1969-02-03 (main key ID DEF5678)

gpg: encrypted with 2048-bit ELG-E key, ID ABC1234, created 1972-10-29
      "NAME <[email protected]>"
gpg: public key decryption failed: bad passphrase
gpg: encrypted with 2048-bit ELG-E key, ID DEF1234, created 1969-02-03
      "HEY!  This is ME! <[email protected]>"

and then the file decrypted fine...

Quick Note: Just to clarify, for security reasons one's passphrase and one's private key should NEVER be given to anyone else. The passphrase is to keep the private key "safe" should it become compromised. One's public key is the only thing that should be shared with others.

I preface this with the fact I currently only have access to version 1.4.2.2, and don't have the ability to test these solutions. Later versions have certain options that may well be what's needed. Please try and answer back if any of these work.

--local-user/-u looked promising. In the version I have, --help showed "use this user-id to sign or decrypt". But when trying it seemed futile; further research revealed a cruel truth: it seems the help is wrong, and this is ONLY an option for "signing".

This post has a likely solution, though I personally find it messy:

gpg --try-all-secrets --passphrase <passphrase here> filename.pgp

--passphrase was apparently added in version 1.4.3. UGH!

EDIT: Perhaps a better (possibly, below) solution is only available in gpg2? gpg2 seems to have --try-secret-key, which if I read correctly, may be what we're both looking for?

pythonlarry answered Oct 24 '25 18:10
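As an added example (not part of the answer above, and not the original poster's setup), the script below reproduces the scenario end to end with throwaway keys in temporary keyrings: a sender who holds only two public keys encrypts to both, and the second recipient decrypts from a keyring that has no trace of the first recipient's secret key. It assumes gpg 2.x; every key, name and address is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: encrypt to two recipients, then
# decrypt from a keyring that holds ONLY the second recipient's secret key.
# Needs gpg 2.x. Every key, name and address below is constructed for the demo.
set -eu

PLAINTEXT='hello from the multi-recipient test'

# Create a passphrase-less test key inside the given GNUPGHOME (unattended).
make_key() {   # $1 = GNUPGHOME, $2 = user id
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

# Copy one public key (selected by address) from one GNUPGHOME into another.
share_pubkey() {   # $1 = source GNUPGHOME, $2 = destination GNUPGHOME, $3 = address
    GNUPGHOME="$1" gpg --batch --quiet --export --armor "$3" \
        | GNUPGHOME="$2" gpg --batch --quiet --import
}

# Prints the plaintext Bob recovers, or SKIP when no gpg binary is available.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo SKIP; return 0; }
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"; sender="$work/sender"
    mkdir -m 700 "$alice" "$bob" "$sender"

    make_key "$alice" "Alice Test <alice@example.invalid>"
    make_key "$bob"   "Bob Test <bob@example.invalid>"
    # The sender knows only the two PUBLIC keys, as the question requires.
    share_pubkey "$alice" "$sender" alice@example.invalid
    share_pubkey "$bob"   "$sender" bob@example.invalid

    printf '%s' "$PLAINTEXT" > "$work/msg.txt"
    GNUPGHOME="$sender" gpg --batch --quiet --trust-model always \
        --recipient alice@example.invalid --recipient bob@example.invalid \
        --output "$work/msg.gpg" --encrypt "$work/msg.txt"

    # Bob's keyring has neither Alice's secret key nor her passphrase. gpg 2.x
    # skips the session-key packet it cannot open and uses Bob's own key, so
    # there is no 'secret key not found' failure. (Should an older build still
    # stop at the first packet, --try-secret-key <Bob's key ID> names the key.)
    GNUPGHOME="$bob" gpg --batch --quiet --decrypt "$work/msg.gpg"

    for h in "$alice" "$bob" "$sender"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
}
```

Run `demo` to see the recovered plaintext on stdout; gpg's "encrypted with ... key" lines, one per recipient, go to stderr as in the answer's transcript.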

