
How to solve gpg: decryption failed: No secret key error

When someone sends you an encrypted email, file, or document, they encrypt it with your GPG “Public” key. The only key that can decrypt it is the matching GPG “Private” (or “Secret”) key. So if you get the “gpg: decryption failed: No secret key” error while decrypting, it means that no secret key on your system matches the public key the file was encrypted with: either the keypair on your machine is not the right one, or the sender used a public key whose private half is not in your keyring.

If you find yourself in such a situation, then no worries! This write-up will demonstrate different methods for solving the “gpg: decryption failed: No secret key” error on your Linux system. So, let’s start!

Method 1: Solve gpg: decryption failed: No secret key error by killing the gpg-agent

To solve the “gpg: decryption failed: No secret key” error, the first method you can try is to kill the existing “gpg-agent” process. The “gpg-agent” is a daemon that assists in managing the private or secret keys in a protocol-independent manner. It serves as a backend for gpgsm, gpg, and a few other programs. To kill the “gpg-agent”, open your terminal by pressing “CTRL+ALT+T” and then execute the following command:

$ gpgconf --kill gpg-agent

The system will restart the “gpg-agent” when needed or demanded by the gpg, gpgconf, gpgsm, or gpg-connect-agent. You can also execute the simple “gpg -k” command to trigger the “gpg-agent” restart process.

If your user-space systemd controls the “gpg-agent” daemon, then check out its status first:

$ systemctl --user status gpg-agent

After that, stop the “gpg-agent” and then start it again with the help of the following commands:

$ systemctl --user stop gpg-agent

$ systemctl --user start gpg-agent

Then, check the status of “gpg-agent” again:

$ systemctl --user status gpg-agent

Method 2: Solve gpg: decryption failed: No secret key error by removing GPG cache

If the previous method did not work for you, then one more thing you can do is remove the GPG cache first and then restart the “gpg-agent”.

You can execute the following rm command for removing the GPG cache:

$ rm ~/.gnupg/S.*

Then, restart the “gpg-agent” on your Linux system:

$ gpg-connect-agent reloadagent /bye

Method 3: Solve gpg: decryption failed: No secret key error by installing and configuring pinentry-tty

If you are using an Ubuntu system with the default Gnome GUI, your GPG is most likely using “/usr/bin/pinentry-gnome3”. To fix the “gpg: decryption failed: No secret key” error, you can install the “pinentry-tty” program and add it to the gpg-agent configuration file.

The “pinentry-tty” is a program that permits you to enter passphrases or PINs securely. This feature is useful for entering passphrases when you utilize any encryption program such as GPG. To install on your system, type out the following command:

$ sudo apt install pinentry-tty

In the next step, we will set “pinentry-tty” as the default pinentry program for the gpg-agent. For this purpose, first open the “gpg-agent.conf” file in your home directory in the nano editor:

$ nano ~/.gnupg/gpg-agent.conf

Then, add the line below to the opened configuration file:

pinentry-program /usr/bin/pinentry-tty

After doing so, press “CTRL+O” to save the change. Now reload your gpg-agent so that it picks up the modified settings:

$ gpg-connect-agent reloadagent /bye

Method 4: Solve gpg: decryption failed: No secret key error by exporting and importing the private key

If you are decrypting on a machine other than the one where your keypair was generated, the required secret key is not in that machine’s keyring, so you will get the “gpg: decryption failed: No secret key” error even though you own the correct private key and know its passphrase. To solve the issue in this situation, export the secret key from the original machine and import it on the other one.

To do so, first execute the following command to list your GPG keys, optionally filtering by your user ID (“uid”):

$ gpg --list-keys [uid]

Note down the user ID from the output. The “uid” line appears right after the “pub” line of each key.

Now, you can use the following command for exporting your GPG secret key:

$ gpg --export-secret-keys [uid] >private.key

Lastly, import the created “private.key” file on the other machine:

$ gpg --import private.key

The output will report that the secret key was imported.
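Before exporting and copying a key around, it helps to confirm which key the file was actually encrypted to and whether that secret key (or encryption subkey) exists in the local keyring, which is exactly what “No secret key” is complaining about. The following POSIX shell diagnostic is an added example, not code from the original article; it parses the output of “gpg --list-packets” and “gpg --list-secret-keys --with-colons” (GnuPG 2.x formats) and the sample listings inside it are constructed.

```shell
#!/bin/sh
# Added diagnostic, not the article's own code: which key was the file
# encrypted to, and is that secret key in this keyring? Assumes GnuPG 2.x
# output formats; the sample listings below are constructed, not real keys.

# Recipient key IDs from `gpg --list-packets FILE` text on stdin, e.g.
#   :pubkey enc packet: version 3, algo 1, keyid 1111111111111111
recipients_from_packets() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# Key IDs of secret keys and subkeys from `gpg --list-secret-keys --with-colons`
# text on stdin: field 5 of every "sec" or "ssb" record.
secret_keyids_from_colons() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print toupper($5) }' | sort -u
}

# Print every recipient key ID that has no matching secret key or subkey.
# $1 = packet listing text, $2 = colon-format secret key listing text.
missing_secret_keys() {
    have=$(printf '%s\n' "$2" | secret_keyids_from_colons)
    for kid in $(printf '%s\n' "$1" | recipients_from_packets); do
        if [ "$kid" = "0000000000000000" ]; then
            echo "hidden-recipient"   # sender used --throw-keyids
        else
            printf '%s\n' "$have" | grep -qx "$kid" || echo "$kid"
        fi
    done
}

# Against a real file: `check_file message.gpg`. --pinentry-mode cancel keeps
# gpg from prompting for a passphrase while it lists the packets.
check_file() {
    pk=$(gpg --batch --pinentry-mode cancel --list-packets "$1" 2>/dev/null)
    sk=$(gpg --batch --list-secret-keys --with-colons 2>/dev/null)
    missing_secret_keys "$pk" "$sk"
}

# Constructed sample: encrypted to two keys; only 1111111111111111 has a local
# secret subkey, so 2222222222222222 is reported as missing.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 1111111111111111
:pubkey enc packet: version 3, algo 18, keyid 2222222222222222
:encrypted data packet:'
SAMPLE_SECRETS='sec:u:3072:1:AAAAAAAAAAAAAAAA:1700000000::u:::scESC:::+:::23::0:
ssb:u:3072:1:1111111111111111:1700000000::::::e:::+:::23:'

if [ $# -gt 0 ]; then check_file "$1"; fi
```

An empty result means a secret key for every recipient is present, so the error is more likely an agent or pinentry problem (Methods 1 to 3) than a missing key; a listed key ID tells you which secret key to export and import (Method 4).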

Method 5: Solve gpg: decryption failed: No secret key error by setting the GPG key trust level

After copying your GPG keypair, if you are still facing the “gpg: decryption failed: No secret key” error then you have to set its trust level. Execute the following “gpg” command to edit the settings of your gpg key:

$ gpg --edit-key [Key_ID or uid]

After executing the above command, the interactive “gpg>” prompt appears. Type “trust” and hit “Enter”:

gpg> trust

Now, a menu will appear on the screen for selecting the trust level, with the following options:

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Since you generated this key yourself, go for option 5, “I trust ultimately”, confirm your choice when asked, and then exit the “gpg” console:

gpg> quit

Your “gpg: decryption failed: No secret key” error should be solved now!

Conclusion

If you encounter the “gpg: decryption failed: No secret key” error while decrypting an encrypted file, it indicates that the public key the file was encrypted with does not match your GPG key pair. There are multiple solutions for this error. This write-up demonstrated how to solve the “gpg: decryption failed: No secret key” error using five different methods: killing the gpg-agent, removing the GPG cache, installing and configuring pinentry-tty, exporting and importing the private key, and setting the trust level.

About the author

Sharqa Hameed

I am a Linux enthusiast; I love to read every Linux blog on the internet. I hold a master's degree in computer science and am passionate about learning and teaching.