
GPG : "No secret key found" error
Hi

Please keep me in CC as I think I am not a subscribed user yet.

GPG:

I am using the gpg command in a UNIX shell script, triggered by the Ab Initio
ETL tool, to decrypt my encrypted source files. I am following the steps
below to achieve my goal.

Step 1. As a POC, I could successfully execute the command below.
gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d /etl/inbound/encrypted_file.dat.pgp

The above command simply asks for the password and decrypts the source file.
Please note that I am intentionally not using --passphrase, as the password
would be exposed on the console via the ps command.

Step 2. Instead, I thought of storing the passphrase in a file
(passphrase.dat.pgp), encrypting that file without a password, and passing the
password to do the work using the command below.

echo gpg --batch --yes --quiet --always-trust -d /home/sharma43/passphrase.dat.pgp | gpg --batch --yes --quiet --always-trust -o /home/output_file.dat -d /etl/inbound/encrypted_file.dat.pgp

Now the problem comes when I execute the above command and it fails with the error below.

gpg: cancelled by user
gpg: decryption failed: No secret key

Obviously, I have the required secret key as the POC done in Step 1 was
successful.

Step 3. To my surprise, when I execute Step 1 first and then Step 2 (within a
short span), it works, but if I directly run Step 2 (which is what will
actually happen as part of the solution), then it doesn't, and fails with the
"No secret key" error.

Can you please explain why this could be happening? Is there a specific
location where GPG private keys should be imported?

Please note the version I am using is "gpg (GnuPG) 2.0.22 version".
-Regards
Abhisht Sharma
+61 420410228
Re: GPG : "No secret key found" error [ In reply to ]
Please do not send HTML to this mailing list. Many of our members
refuse to open HTML emails from unknown parties, so when you send HTML
email to this list you're limiting the number of people who can see your
question -- and maybe be able to help you!

> Step 2. Instead, I have thought of storing the passphrase in a file
> (passphrase.dat.pgp), encrypted that file without password and passing
> the password to do the work using below command.

How exactly do you "encrypt that file without password"?

At any rate, this is probably a bad idea. Often the best way to proceed
for scripting GnuPG tasks is to remove the passphrase from the certificate.

> Step 3. To my wonder, when I execute Step 1 first and then Step 2
> (within a short span), it works, but if I directly run Step 2 ( which
> actually will be happening as a part of solution), then it doesn't and
> fails for "No secret key" error.

This tells me that GnuPG is caching your passphrase with gpg-agent.
When you run it the second time GnuPG sees the passphrase is in the
cache and uses that, without ever needing to ask you for the passphrase.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: GPG : "No secret key found" error [ In reply to ]
Hi Robert,

Many thanks for your email.
I will try to give you the background of the problem that led me to this
approach.

*Problem:*
------------------------------------------------------------------------------------------------------------
I have a situation where password-protected PGP/GPG encrypted files
need to be decrypted, processed through ETL operations and loaded into HIVE.
I had a generic Korn shell script which executes the command below.

cmd 1:
gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE --passphrase $PASSPHRASE -d $ENCRYPTED_SOURCE_FILE

But this command had a risk of exposing *$PASSPHRASE* on the UNIX console
if any user executed the *ps -ef* command while the code was running. This was a
huge security breach, so I chose the *--passphrase-file* option to read the
decryption password from a file.

Now, all I need is to place the file, which stores the decryption password,
with strict user permissions.

Having said that, just to add a little bit more security, I was thinking
of encrypting the above-mentioned file (which stores the decryption
password) and, within my shell script, decrypting it, reading it and passing the
password to the "*gpg*" command.
This encryption needs to be passwordless, using the 7za utility; otherwise we
will be stuck in a loop of storing the new password securely.

The 7za command below was used to encrypt without a password.
cmd 2:
7za a -mx=9 -mhe -t7z $ENCRYPTED_OUTPUT_FILE $SOURCE_FILE

Now "cmd 1" has been updated to the command below, which the UNIX shell script
will use to read the above file and pass the passphrase on to the gpg
decryption command.

cmd 3:
echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE
------------------------------------------------------------------------------------------------------------

The problem I mentioned in my original post starts from here.
The above command doesn't run and fails with the "No secret Key found" issue, but
runs fine if it is executed immediately after the second part of the command,
i.e. gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE -d $ENCRYPTED_SOURCE_FILE

There is a similar command, shown below, which runs fine.

cmd 4:
echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | 7za x -o$OUTPUT_FILE $7Z_ENCRYPTED_FILE

Please note that in the above command (cmd 4) the source files are
encrypted with 7z utility (or compressed with password, as many people say).

The whole intention of doing all of this is just to avoid any possible
PASSWORD security breach.

I hope I was able to give you a clearer picture of the requirement.

I am even open to any new design approach, if you experts can suggest one.
Please let me know in case of any queries.

-regards,
Abhisht Sharma



On Tue, 8 Jun 2021 at 20:10, Robert J. Hansen <rjh@sixdemonbag.org> wrote:

> Please do not send HTML to this mailing list. Many of our members
> refuse to open HTML emails from unknown parties, so when you send HTML
> email to this list you're limiting the number of people who can see your
> question -- and maybe be able to help you!
>
> > Step 2. Instead, I have thought of storing the passphrase in a file
> > (passphrase.dat.pgp), encrypted that file without password and passing
> > the password to do the work using below command.
>
> How exactly do you "encrypt that file without password"?
>
> At any rate, this is probably a bad idea. Often the best way to proceed
> for scripting GnuPG tasks is to remove the passphrase from the certificate.
>
> > Step 3. To my wonder, when I execute Step 1 first and then Step 2
> > (within a short span), it works, but if I directly run Step 2 ( which
> > actually will be happening as a part of solution), then it doesn't and
> > fails for "No secret key" error.
>
> This tells me that GnuPG is caching your passphrase with gpg-agent.
> When you run it the second time GnuPG sees the passphrase is in the
> cache and uses that, without ever needing to ask you for the passphrase.
>


--
With Regards,
Abhisht Sharma
+353 899875624
Re: GPG : "No secret key found" error [ In reply to ]
I'm not going to respond to this until you re-send it as plain text
without HTML. The very first thing I wrote in my last email was that
this mailing list strongly prefers plain text without HTML.

We're willing to help you, but you need to follow the rules.

Re: GPG : "No secret key found" error [ In reply to ]
I am writing this email to you in plain text... I am surprised how it is
coming through as HTML.

Any idea?

Any special things I need to check before sending the email?

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 02:58 Robert J. Hansen, <rjh@sixdemonbag.org> wrote:

> I'm not going to respond to this until you re-send it as plain text
> without HTML. The very first thing I wrote in my last email was that
> this mailing list strongly prefers plain text without HTML.
>
> We're willing to help you, but you need to follow the rules.
>
Re: GPG : "No secret key found" error [ In reply to ]
Please note that the resolution of this problem is really critical so any
quick help will be highly appreciated!

-Regards
Abhisht Sharma
+61 420410228

On Thu, 10 Jun 2021, 09:18 Abhisht Sharma, <abhisht.sharma@gmail.com> wrote:

> I am writing this email to you in plain text... I am surprised how it is
> coming through as HTML.
>
> Any idea?
>
> Any special things I need to check before sending the email?
>
> -Regards
> Abhisht Sharma
> +61 420410228
>
> On Thu, 10 Jun 2021, 02:58 Robert J. Hansen, <rjh@sixdemonbag.org> wrote:
>
>> I'm not going to respond to this until you re-send it as plain text
>> without HTML. The very first thing I wrote in my last email was that
>> this mailing list strongly prefers plain text without HTML.
>>
>> We're willing to help you, but you need to follow the rules.
>>
>
Re: GPG : "No secret key found" error [ In reply to ]
> But, this command had a risk of exposing *$PASSPHRASE* to the UNIX
> console if any user executes *ps -ef* command while the code is running.
> This was a huge security breach so I chose the *--passphrase-file*
> option to read the decryption password from a file.
>
> Now, all I need is to place the file, which stores the decryption
> password, with strict user permissions.

And this is probably a bad idea.

Clearly, you have a place where you feel it's safe to store a file
containing the passphrase for your certificate. So remove the
passphrase from your certificate and store it there, in that safe place
on your filesystem.

> Having said that, just to add a little bit of more security...

This is a really bad habit: thinking that "I'll just add one more step
to add a little bit more security." It's endemic to the community --
you are far from the only person to have it. But it's a bad habit, and
here's why: security decisions always need to be connected to your
threat model.

Is there something in your threat model you can point to and say,
"because of this particular threat we're concerned about, this step I
want to take is warranted"? If so, go for it. If not, don't.

Re: GPG : "No secret key found" error [ In reply to ]
> I am writing this email to you in plain text... I am surprised how it is
> coming through as HTML.

As I don't use GMail, I can't help you. You'll need to ask Google.
Your message comes through as having both plaintext and HTML parts.
This, for instance, is part of the source of your email:

Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">I am writing this email to you in plain text... I am surp=
rised how is it coming to as HTML.<div dir=3D"auto"><br></div><div dir=3D"a=
uto">Any idea?</div><div dir=3D"auto"><br></div><div dir=3D"auto">Any speci=
al things I need to check before sending the email?<br><br><div data-smartm=
ail=3D"gmail_signature" dir=3D"auto">-Regards<br>Abhisht Sharma<br>+61 4204=
10228</div></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" clas=
s=3D"gmail_attr">On Thu, 10 Jun 2021, 02:58 Robert J. Hansen, &lt;<a href=
=3D"mailto:rjh@sixdemonbag.org">rjh@sixdemonbag.org</a>&gt; wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex">I&#39;m not going to respond to this until =
you re-send it as plain text <br>
without HTML.=C2=A0 The very first thing I wrote in my last email was that =
<br>
this mailing list strongly prefers plain text without HTML.<br>
<br>
We&#39;re willing to help you, but you need to follow the rules.<br>
</blockquote></div>

Re: GPG : "No secret key found" error [ In reply to ]
Hi Robert,

I am trying to write in plain text mode so hopefully you won't be
seeing it in HTML.
I really appreciate the help you have provided me so far.

I am really not into networking and encryption stuff, so please expect a
few dumb questions from me.

Can you please suggest to me the steps that I should follow to
redesign my solution, considering the password security?
I have the private keys and passphrase of the PGP encrypted files.

Now, my basic question is where/how should I store the decryption
password and what would be my "gpg" command.

Appreciate your help.

-regards,
Abhisht Sharma


On Thu, 10 Jun 2021 at 10:46, Robert J. Hansen <rjh@sixdemonbag.org> wrote:
>
> > But, this command had a risk of exposing *$PASSPHRASE* to the UNIX
> > console if any user executes *ps -ef* command while the code is running.
> > This was a huge security breach so I chose the *--passphrase-file*
> > option to read the decryption password from a file.
> >
> > Now, all I need is to place the file, which stores the decryption
> > password, with strict user permissions.
>
> And this is probably a bad idea.
>
> Clearly, you have a place where you feel it's safe to store a file
> containing the passphrase for your certificate. So remove the
> passphrase from your certificate and store it there, in that safe place
> on your filesystem.
>
> > Having said that, just to add a little bit of more security...
>
> This is a really bad habit: thinking that "I'll just add one more step
> to add a little bit more security." It's endemic to the community --
> you are far from the only person to have it. But it's a bad habit, and
> here's why: security decisions always need to be connected to your
> threat model.
>
> Is there something in your threat model you can point to and say,
> "because of this particular threat we're concerned about, this step I
> want to take is warranted"? If so, go for it. If not, don't.



--
With Regards,
Abhisht Sharma
+353 899875624

Re: GPG : "No secret key found" error [ In reply to ]
> I am trying to write in plain text mode so hopefully you won't be
> seeing it in HTML.

Success! Thank you.

> Can you please suggest to me the steps that I should follow to
> redesign my solution, considering the password security?

I already have, twice.

For the third time: remove the passphrase from your private key, and
make sure the location where you're storing your private key is safe.
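An added example, not code from the thread or from GnuPG, sketching in POSIX shell the two checks behind the advice above: proving that anything on gpg's argv is visible to other local users, and refusing to use a passphrase-less key unless its directory is private. It assumes Linux /proc (or a working ps) and GNU or BSD stat; all paths and values are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks behind the advice above:
# 1) whatever is on gpg's command line (e.g. --passphrase X) is readable by
#    every local user via ps or /proc, so a secret must never go on argv;
# 2) once the passphrase is removed from the key, the key directory itself
#    is the secret, so refuse to use it unless it is ours and mode 0700.
# Assumes Linux /proc (or a working ps) and GNU or BSD stat; paths are made up.

# Return 0 if STRING is visible in a child's own command line, i.e. in what
# `ps -ef` would show any other user. Run it with a dummy value, never a real
# passphrase: it exists to prove the exposure, not to use a secret.
secret_visible_in_argv() {
    sh -c '{ tr "\0" " " </proc/$$/cmdline 2>/dev/null || ps -o args= -p $$; } | grep -qF -- "$0"' "$1"
}

# Return 0 only if DIR exists, is owned by the current user and has mode 0700
# (no group/other bits), which is what GnuPG expects of its home directory.
keydir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    owner=$(stat -c %u "$dir" 2>/dev/null || stat -f %u "$dir")
    [ "$owner" = "$(id -u)" ] || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
    [ "$mode" = "700" ]
}

# Decrypt SRC to OUT with a key whose passphrase has been removed: nothing
# secret is on argv, --batch keeps gpg from prompting, and the key directory
# must pass keydir_is_private first. Mirrors the poster's Step 1 command.
decrypt_with_passphraseless_key() {
    keydir=$1; src=$2; out=$3
    keydir_is_private "$keydir" || { echo "refusing: $keydir is not private" >&2; return 2; }
    GNUPGHOME=$keydir gpg --batch --yes --quiet --always-trust -o "$out" -d "$src"
}

# Demonstration with constructed values (no real key or passphrase involved).
if [ "${1:-}" = "demo" ]; then
    secret_visible_in_argv "not-a-real-passphrase" && echo "argv is visible to ps"
    d=$(mktemp -d) && chmod 750 "$d"
    keydir_is_private "$d" || echo "$d would be refused (mode 750)"
    rmdir "$d"
fi
```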
