SmartCard decryption issues

NIIBE Yutaka gniibe at
Tue Nov 10 02:53:14 CET 2015

On 11/09/2015 11:50 PM, Christopher Beck wrote:
> I have got two sub-keys on the card, one for signing and one for
> decryption. Both keys are 4096 bit in size. The issues are only on the
> decrpting process: Signing works well, but when I try to decrypt
> something (an e-mail or an encrypted file) it just says, there is no
> secret key. I switched on debugging output and it tells me:
> "public key decryption failed: General error
> decryption failed: No secret key"
> I checked $ gpg -K and $gpg --card-status and so on, and it tells me
> exactly the same i can see on my other computers: there are two keys
> available on the smart-card. So I am wondering, what the problem is. The
> version of gpg is 2.0.14 on scientific linux 6.

I think that 2.0.14 doesn't work well for RSA-4096 decryption on card.
It was 2.0.20 (in 2013) which fixed this problem.  (The error message
was not kind enough, it's not correctly describe the issue.)

The problem was, in short, the size of data.  Smartcard was designed
to handle "small" data, but RSA-4096 is a way big for old design
assumptions.  In case of signing, because the signature is not that
big, it works well.  It doesn't work for decryption, since the data
size is 4096-bit (= 512-byte).  Traditionally, smartcard was designed
with the assumption of 256-byte is considered "big", and host software
for smartcard assumed data size is less than 256-byte.

More information about the Gnupg-users mailing list