Cannot decrypt from smartcard using gnupg-2.2, can from 2.0

alejandro Cortez alejacortez69 at
Fri Oct 11 20:53:03 CEST 2019

Working version:
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3

Not working version:
gpg (GnuPG) 2.2.4
libgcrypt 1.8.1

I put the same subkey on all 3 slots of a Nitrokey Pro maybe about a year
ago and have been encrypting/decrypting (sometimes signing, sometimes not)
for myself and for/from other people during that time. I've used the
smartcard on 3 different hosts (also 14.04) by using fetch and running
card-status. On gnupg-2.2, whether signed or not, attempting to decrypt a
file with me as the recipient fails with:

gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

It shows that the file was encrypted with my subkey fingerprint. I can
encrypt and sign with gnupg-2.2, just not the reverse. It does not matter
if the file I am trying to decrypt was created from one of my 14.04 hosts
or with the 18.04 host. The 18.04 host simply cannot decrypt it.

To be complete about how I set up the card: I imported the subkey into a
fresh .gnupg, ran card-edit, toggle, key 1, keytocard, chose the slot,
saved, wiped .gnupg (and restarted the agent), repeated the process for
the other 2 slots, and finally wiped .gnupg and used card-edit, fetch, and
card-status to re-initialize.

Both 2.0 and 2.2 show sec#, uid, and ssb> when running -K.
show-unusable-uids,show-unusable-subkeys does not change the output. There
are no other UIDs or subkeys and both master and sub are set to never

If I import the master or the detached subkey by themselves into a clean
18.04 environment, it works. Only the smartcard does not work. Can anyone
help debug this?