Weak encryption keys

jsmith9810 at gmx.com
Tue Mar 23 14:31:00 CET 2021

> > I try to import this key manually (--import), gpg throws a "weak
> > encryption key" error and refuses to import it. ...which I find
> Can you please paste the exact error message and the output of
> "gpgconf --show-versions"?
> Shalom-Salam,
>    Werner

Sure. My gpgconf doesn't seem to have the "--show-versions" option.
It's the 2.2.19 release that currently ships with Ubuntu 20.04 (Focal), in case it helps.

$ gpgconf --show-versions
gpgconf: invalid option "--show-versions"

$ dpkg-query -l *gnupg*
ii  gnupg                   2.2.19-3ubuntu2.1 all          GNU privacy guard - a free PGP replacement
ii  gnupg-l10n              2.2.19-3ubuntu2.1 all          GNU privacy guard - localization files
ii  gnupg-utils             2.2.19-3ubuntu2.1 amd64        GNU privacy guard - utility programs


Here's what I get when trying to import this key:

$ gpg --debug-level expert --import /tmp/weak-key.gpg
gpg: key AFD8C1044388D9EB/AFD8C1044388D9EB: error sending to agent: Weak encryption key
gpg: error reading '/tmp/weak-key.gpg': Weak encryption key
gpg: import from '/tmp/weak-key.gpg' failed: Weak encryption key
gpg: Total number processed: 0
gpg:               imported: 1
gpg:       secret keys read: 1


If I do a force-import via secring.gpg migration to 2.x in openpgp-native format,
it succeeds without error, the secret key is listed but none of the operations
that use this secret key work (including change-passphrase). I see the following
messages after keying in the passphrase in pinentry:

$ gpg --debug-level expert --decrypt secret.gpg
gpg: public key decryption failed: Weak encryption key
gpg: decryption failed: No secret key

$ gpg --debug-level expert --sign message.txt
gpg: signing failed: Weak encryption key

$ gpg --debug-level expert --edit-key 5DA34AB39C214001DB61D96FAFD8C1044388D9EB
gpg: key AFD8C1044388D9EB/AFD8C1044388D9EB: error changing passphrase: Weak encryption key


Interestingly, when I tried searching the latest GnuPG code base (cloned from GitHub)
for the "Weak encryption key" error message, nothing showed up.

$ grep -iRl "Weak encryption key" gnupg
<no matches>
