decryption trouble - primary/subkey confusion, maybe version issues?

Michael Hannemann mhannemann at
Mon Jun 18 21:37:27 CEST 2012

Hi all,

I've searched the FAQ and the mailing list archives, and I don't see an answer to this question, so I will ask it here...

I'm having trouble sending an encrypted file to a collaborator -- even though they've sent me files that I've been able to decrypt.

Here's what they see, with their keys replaced -- TsTs = their subkey, TpTp = their primary key.  

My keys:

pub   2048R/F7A48B98 2012-05-22       usage: SC
sub   2048R/BE7A105E 2012-05-22       usage: E

And my collaborator:

pub   1024D/TpTpTpTp 1999-04-08        usage: SCA
sub   2048g/TsTstsTs 1999-04-08        usage: E

gpg: public key is TsTsTsTs
[GNUPG:] ENC_TO xxxxxx--TsTsTsTs 16 0
gpg: using subkey TsTsTsTs instead of primary key TpTpTpTp
gpg: encrypted with 2048-bit ELG-E key, ID TsTsTsTs, created 1999-04-08
    [my collaborator]
[GNUPG:] NO_SECKEY xxxxxx--TsTsTsTs
gpg: decryption failed: secret key not available [GNUPG:] END_DECRYPTION

My question is ... what is going on here?  Why can't they decrypt this file, when they were able to send me a file that I could decrypt?  

Their technical guy wrote me to say that when sending files, I should be using primary key ID TpTpTpTp.   But, so far as I can tell, everything here is working as designed, and there's no way I *can* specifically say "use TpTpTpTp".  However, they say they haven't had any problems with anyone else, and the system has been working for years.  

Data I've gathered:

1. Using --edit-key, I did compare fingerprints and have validated the fingerprint they sent me.  
2. Early on, it appears that they had somehow used the wrong key for me.  I don't know where that came from, but once identified, I resent my key and they processed it, and I've been able to decrypt files they've sent to me since then.
3. I have a suspicion there are two pathways for them -- an automated system which picks up files & decrypts them, and their IT group trying to debug issues on the other side of the connection.
4. When they sent me their key, I noticed it was exported with GnuPG 1.0.6 (SunOS).  I'm using 1.4.12 on Mac and 1.4.10 on Ubuntu.
5. I accepted the default (RSA + RSA) version for key generation.  Is that a problem with an older GnuPG variant?  I wouldn't think that's the issue.

What questions can I ask them which will help shed light on this situation?  Is it possible that I'm doing something wrong?  I've created a test account with its own gpg keys, and have successfully sent files both directions on my own machine.

Many thanks,


More information about the Gnupg-users mailing list