batch decryption key identification

John A. Wallace jw72253 at
Tue Nov 1 03:20:24 CET 2011

Hello.  On this website
to-encrypt-a-message) I found this FAQ and answer:

Question:  How can I get list of key IDs used to encrypt a message?

$ gpg --batch --decrypt --list-only --status-fd 1 2>/dev/null | \
  awk '/^\[GNUPG:\] ENC_TO / { print $3 }'

As it relates in part to my original question below, I want to ask about
this in more detail. Knowing which particular key was used for encryption
would allow me to pinpoint which of the several keys on a key-ring to use
for decryption and would help save much time and effort in the process when
looking at a batch of messages.  

I am not a programmer, but I can see that the above command uses the program
'awk' to identify the key used; and I understand that the Gnu program 'gawk'
has equivalent functionality. I have two questions about it.  First, using
the above command, whereabouts should I put the "path/filenames.asc" in it
for the command to analyze for decryption, and should I put any other
unlisted parameters in the command for it to complete?  I tried testing it
like this: 

gpg --batch --decrypt <filename.asc> --list-only --status-fd 1

But I saw nothing output on the screen related to the key used on the file.
The 'filename.asc' tested was just an individual encrypted file, but I later
intend to use this on a batch of files named such as 'path/*.asc'.

Secondly, are the 'gawk' program commands equivalent to the above listed awk
commands, or will I need to alter it in some way?  Thanks.


-----Original Message-----
From: gnupg-users-bounces at [mailto:gnupg-users-bounces at]
On Behalf Of gnupg-users-request at
Sent: Tuesday, October 11, 2011 2:58 AM
To: gnupg-users at
Subject: Gnupg-users Digest, Vol 97, Issue 9


Message: 8
Date: Tue, 11 Oct 2011 09:35:30 +0200
From: Werner Koch <wk at>
To: "John A. Wallace" <jw72253 at>
Cc: gnupg-users at
Subject: Re: key selection in batch decryptions
Message-ID: <87sjn07zgd.fsf at>
Content-Type: text/plain; charset=us-ascii

On Mon, 10 Oct 2011 23:18, jw72253 at said:

> keys in turn.  Is there a way to tell gpg to use just one of the keys if
> any?  I have tried specifying this as one of the options "-u userID", but

No, there is no way to do this.

The best suggestion for all automated systems is not to use a
passphrase.  If you really want a passphrase and you require full
control over it you have three choices:

 - Write your own pinentry and send CANCEL back until the desired
   passphrase is requested.  Then send the right passphrase.

 - Write a simple pinentry to always send a CANCEL back (GnuPG 2.1 will
   have an option to emulate this).  Then use gpg-preset-passphrase to
   seed gpg-agent with the desired passphrase.

 - Use --status-fd/--command-fd.  These options allow you to
   pass a passphrase to gpg entirely under script control.  They work
   even with GnuPG 1.4.
