Decrypt Issue

Paul R. Ramer free10pro at gmail.com
Fri Sep 27 04:52:20 CEST 2013 

On 09/25/2013 09:36 AM, Diaz, John, A wrote:
> Spoke too soon.  The wrong path was part of the problem, but I’m still having the issue:
> 
> 
> Mainframe calls .bat file that calls C# application that calls second .bat file to call GnuPG to decrypt a file. Once decrypted, other stuff happens, e-mails are sent, blah, blah, blah.
> 
> Here's the issue: When the mainframe calls the .bat file to start the process, the decryption returns:
> Decrypt error :gpg: armor header: Version: GnuPG v1.4.9 (AIX)
> gpg: public key is 07F7097A
> gpg: encrypted with ELG-E key, ID 07F7097A
> gpg: decryption failed: secret key not available
> 
> 
> 
> If I RDP into the server with the credentials specified in the mainframe JCL, I see this from the decrypt:
> 
> gpg: armor header: Version: GnuPG v1.4.9 (AIX)
> 
> 
> 
> gpg: public key is 07F7097A
> 
> gpg: using subkey 07F7097A instead of primary key AB96877A
> 
> gpg: using subkey 07F7097A instead of primary key AB96877A
> 
> gpg: encrypted with 2048-bit ELG key, ID 07F7097A, created 2007-05-25
> 
>       "FMCSFTPKey <e-mail address>"
> 
> gpg: AES256 encrypted data
> 
> gpg: original file name='DE-ETE-090313'
> 
> 
> 
> What do I need to do, or have the owners of the encrypted data do, to resolve this?

I do believe that your issue is caused by your script being run by your
client system, and gpg is looking for the secret key on your *client*
system.  I think it is further indicative of this given that when you
connect to server with Remote Desktop, it works.  If the key is on the
server and script is being run on the client, the reference to gpg in
script will need to use gpg --homedir gnupg_directory_on_server.

To test this, if you can edit the script that calls gpg, put a line in
it to print out the value of the GNUPGHOME environment variable.
Another way that you could do this is make gpg list its secret keys with
gpg -v --list-secret-keys.  By using -v option the first line of gpg's
output will print the location of the secret keyring that is being
listed.  If it does not match the location of the secret key you have on
your server, you have found your problem.

If you do not have permission to edit the script, convince the
responsible party to do himself.  It is the only way you are going to
know if gpg is looking in right place.  When you get "secret key not
available", your first recourse should be to determine if secret key you
want is in your gnupg directory or if gpg is using the correct home
directory.

HTH.

Cheers,

--Paul

--
PGP: 0x3DB6D884
PGP Fingerprint: EBA7 88B3 6D98 2D4A E045  A9F7 C7C6 6ADF 3DB6 D884

More information about the Gnupg-users mailing list