GnuPG Smartcard and Authentication Key

David Shaw dshaw at
Sun May 28 22:30:55 CEST 2006

On Sun, May 28, 2006 at 08:24:14PM +0200, Volker Dormeyer wrote:
> Hello all,
> recently I received a message which is encrypted with my public
> authentication key instead of my encryption key.
> I wonder how this can happen, because I thought GnuPG does not use the
> authentication key as encryption key. Am I wrong?
> Further, I am not able to decrypt the message. I tried it manually with
> "--try-all-secrets", but it doesn't seem to work. Basically it should
> work. I mean, I have the authentication private key.

This is unfortunately turning into a FAQ.  Basically, you've run into
an old PGP bug.  It was recently fixed (I don't recall exactly in what
version), but there are countless installations of PGP that predate
the fix.

OpenPGP keys have "key flags" that indicate what a key is to be used
for (encryption, signing, or authentication).  GnuPG honors these
flags and will not encrypt to any key that isn't marked for
encryption.  The bug is that PGP is not properly looking at the key
and will happily encrypt to a signing or authentication key.

As to what you can do about it, your best bet is to contact the sender
and ask for a retransmission encrypted to the proper key.  It might be
possible to write a program that can essentially trick the smartcard
into decrypting the message by pretending it is a signature that needs
to be verified but it depends on how exactly the card handles
signatures.  In any event, no such program exists today.
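
The key-flag check described above, as an added example that is not part of the original message or of GnuPG: it reads a `gpg --with-colons --list-keys` listing, where field 12 of each pub/sub record holds the key capabilities, and reports whether the key ID a message was encrypted to (as shown by `gpg --list-packets`) is actually flagged for encryption. The listing and key IDs are constructed sample values, and the function names are hypothetical.

```python
# Added example. The listing below is constructed, not real key material.
SAMPLE_LISTING = """\
pub:u:1024:17:1111111111111111:1148767200:::u:::scESCA:
uid:u::::1148767200::::Example User <user@example.org>:
sub:u:1024:1:2222222222222222:1148767200::::::e:
sub:u:1024:1:3333333333333333:1148767200::::::a:
"""

USAGE = {"e": "encrypt", "s": "sign", "c": "certify", "a": "authenticate"}


def key_capabilities(listing):
    """Map each key ID in a --with-colons listing to its own usage flags."""
    caps = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        # Field 5 is the key ID, field 12 the capabilities. Lowercase letters
        # belong to this key; uppercase ones on "pub" summarise the whole key.
        caps[fields[4].upper()] = {USAGE[c] for c in fields[11] if c in USAGE}
    return caps


def check_recipient(listing, recipient_keyid):
    """Say whether the key a message was encrypted to is an encryption key."""
    caps = key_capabilities(listing)
    keyid = recipient_keyid.upper()
    if keyid not in caps:
        return "unknown key"
    if "encrypt" in caps[keyid]:
        return "ok"
    flags = ", ".join(sorted(caps[keyid]))
    return "misdirected: key is flagged only for " + flags


if __name__ == "__main__":
    for kid in ("2222222222222222", "3333333333333333"):
        print(kid, "->", check_recipient(SAMPLE_LISTING, kid))
```
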

