Page MenuHome GnuPG

gpg: decryption failed: No secret key <= after debian upgrade from Jessie to Stretch
Closed, ResolvedPublic


Upgrading from Jessie to Stretch seems to have crossed this line where gpg 2.1.18 is now in action. So when "gpg -d" is executed on a past e-mail, the output is "gpg: decryption failed: No secret key". This file exists:


The man page says that's an old file, and mentions this file:


File indicating that a migration to GnuPG 2.1 has been done.

That file also exists and is zero in size. Yet I still cannot decrypt my email. The FaQ says:

"To ease the migration to the no-secring method, gpg detects the presence of a secring.gpg and converts the keys on-the-fly to the the key store of gpg-agent (this is the private-keys-v1.d directory below the GnuPG home directory (~/.gnupg)). This is done only once and an existing secring.gpg is then not anymore touched by gpg."

That apparently did not happen correctly. The directory ~/.gnupg/private-keys-v1.d exists but it is empty.

Note that I did not use debian's "dist-upgrade" tool. Instead I installed Debian Stretch from scratch, and copied my $HOME contents.



Event Timeline

I got it working.. turns out I had to force a migration by doing an rm ~/.gnupg/.gpg-v21-migrated.

I think it's still a bug though, because the file ~/.gnupg/.gpg-v21-migrated should not have been created in the absence of the secring.gpg file. Anyone who copies the $HOME data after installation will get burnt as I did.

Did you run gpg before your copying $HOME data and after your installation of Stretch?
That gpg invocation create the file ~/.gnupg/.gpg-v21-migrated, which marks "the migration finished".


I don't recall, but I suppose I did. It may not have been a manual invocation, but possibly a batch job from mutt or something.

werner triaged this task as Normal priority.Apr 17 2018, 8:08 PM
werner claimed this task.
werner edited projects, added Support; removed Bug Report.
werner added a subscriber: werner.

Thanks for your follwup. Let me remark that it is sufficient to stop all gnupg processes (pkill gpg-agent) and then rename the ~/.gnupg to .gnupg-save-NNNN. This way you have a backup and gpg will create a new ~/.gnupg.

The user tried to sneak in an ad link and he has thus been banned. Here is his probably AI generated comment for documentation:

It seems like you're having trouble decrypting an old email after upgrading to Debian Stretch and encountering issues with the GnuPG version 2.1.18. It appears that you have followed the recommended migration process by having the .gpg-v21-migrated file and the empty private-keys-v1.d directory. However, you are still unable to decrypt your email [redacted].

It's possible that the migration process didn't go as smoothly as it should have. You may want to try manually importing your old secret keys into the new key store using the command "gpg --import /path/to/secret/key/file". Once you have imported your old keys, try decrypting the email again using "gpg -d".

If that doesn't work, you may want to try backing up your GnuPG keyrings and then completely removing GnuPG and all its associated files, including ~/.gnupg, and then reinstalling it from scratch. Once you have reinstalled GnuPG, you can import your old keys and try decrypting your email again.

It's important to note that GnuPG 2.1 and later versions no longer use the secring.gpg file, as private keys are now stored in the private-keys-v1.d directory. It's possible that your old secret keys were not properly migrated to the new key store, which is causing the decryption failure.

I hope this helps resolve your issue and you are able to successfully decrypt your email.