File Encrypted with Primary key

Peter Lebbing peter at
Sun Aug 21 12:54:15 CEST 2016

I have no experience with the software you mention. Keep that in mind
while reading my ramblings.

On 19/08/16 17:56, Scott Linnebur wrote:
> I have a suspicion that is the cause but I can’t test it.

My key looks like this:

$ gpg2 -k de500b3e
pub   rsa2048/DE500B3E 2009-11-12 [C] [expires: 2017-10-19]
uid         [ultimate] Peter Lebbing <peter at>
sub   rsa2048/DE6CDCA1 2009-11-12 [S] [expires: 2017-10-19]
sub   rsa2048/73A33BEE 2009-11-12 [E] [expires: 2017-10-19]
sub   rsa2048/B65D8246 2009-12-05 [A] [expires: 2017-10-19]

If something is encrypted to this key, gpg2 will mention the following:

$ gpg2 test.gpg
gpg: encrypted with 2048-bit RSA key, ID 73A33BEE, created 2009-11-12
      "Peter Lebbing <peter at>"

So it explicitly tells me that it was encrypted to the
encryption-capable subkey 73A33BEE. If it tells you that it was
encrypted to the primary key ID instead, I think your analysis is right.

> I can’t find
> anyway to force the primary key to encrypt

I don't think it is possible to force a key to be used in a way that is
not indicated as a capability for that key. If something encrypts to a
key that is not encryption-capable, that seems to me to be a major bug.
Subkeys and key capability flags have been around for practically
forever by now. Software that can't deal with this is not OpenPGP
compatible and probably ancient.

> and I can’t figure out how to
> generate a key pair without secondary keys in it.

It's possible, but first lets take a look if there is a different
solution. Keys that can both sign and encrypt are frowned upon. The
primary key necessarily has the Certify capability, which is a form of
signing. So it shouldn't get the Encrypt capability.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list