52

When trying to encrypt files, I get the following error in KGpg editor window:

The encryption failed with error code 2

On the command line I get:

```
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
---------------------------------
pub   2048D/5E04B919 2012-02-02 [expires: 2016-02-01]
uid                  Firstname Lastname <email.address@domain.com>
uid                  [jpeg image of size 4005]

$ 
$ gpg --encrypt file-to-encrypt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: email.address@domain.com
No such user ID.
```

This used to work both with editor and on the command line with the same key. The Current recipients: is empty. Why is that?

UPDATE:

When trying to specify the user ID on the command line using the -r option, I get the following:

```
$ gpg -r email.address@domain.com --encrypt file-to-encrypt
gpg: email.address@domain.com: skipped: unusable public key
gpg: file-to-encrypt: encryption failed: unusable public key
```

Info:

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.10
Release:        12.10
Codename:       quantal

$ dpkg -s gnupg
Package: gnupg
Status: install ok installed
Priority: important
Section: utils
Installed-Size: 1936
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 1.4.11-3ubuntu4.4
```
marekful

5 Answers

56

I figured out what the problem and solution were, so I am giving an answer with details; should anyone run into the same problem, it may be helpful.

The problem is somewhat ambiguous, no really informative error message is given.

It turned out that the encryption sub-key was expired. Strangely, gpg --list-keys did NOT show the expired sub-key!! Once the sub-key expiry was extended, it was included in the output of gpg --list-keys.

Also, KGpg does not show in any way that the sub-key is expired, nor does it allow extending the expiry of the sub-key (only the main key's expiry can be changed).

The output of gpg --list-keys before the solution (I changed personal details):

```
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
---------------------------------
pub   2048D/5E04B919 2012-02-02 [expires: 2016-02-01]
uid                  Firstname Lastname <email.address@domain.com>
uid                  [jpeg image of size 4005]
```

Nothing more.

However, gpg --edit 5E04B919 showed that the sub-key is expired

```
$ gpg --edit 16AE78C5
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048D/5E04B919  created: 2012-02-02  expires: 2016-02-01  usage: SCA
                     trust: ultimate      validity: ultimate
sub  1024g/16AE78C5  created: 2012-02-02  expired: 2014-02-01  usage: E
[ultimate] (1). Firstname Lastname <email.address@domain.com>
[ultimate] (2)  [jpeg image of size 4005]

gpg>
```

After some Google searching, I found this mailing list archive, which pointed me in the right direction to extend the expiry of the sub-key using the gpg command line:

http://lists.gnupg.org/pipermail/gnupg-users/2005-June/026063.html

For completeness, here's the relevant segment from the above linked mailing list archive:

gpg --edit-key [key ID]

then Command> key N where N is the subkey's index. e.g. if the subkey whose validity you want to extend is the first listed subkey, or if it is the only listed subkey, then the command would be

Command> key 1

this will put a * after the word sub, indicating that this particular subkey has been selected. then

Command> expire

and follow the prompts. Hope this works for you, it works for me (Macintosh OS X 10.4.1) Charly

I followed the instructions and extended the sub-key expiry. After this gpg --list-keys gave a different output:

```
$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
---------------------------------
pub   2048D/5E04B919 2012-02-02 [expires: 2016-03-12]
uid                  Firstname Lastname <email.address@domain.com>
uid                  [jpeg image of size 4005]
sub   1024g/16AE78C5 2012-02-02 [expires: 2016-03-12]
```

After this, everything was back to normal, I could encrypt files, etc.

marekful
  • 4
    Latest gpg tool allows `--edit-key`, and the way to do it is interactively within the gpg tool: `gpg> key 1`, then `gpg> expire`, then follow the prompts. – Cheeso Nov 22 '17 at 22:27
  • 2
    I think `gpg -vv --list-keys` will also show expired subkeys (`-vv` raising the verbosity level). – Felix Sep 10 '20 at 08:00
  • You should copy the instructions you linked to into your answer in case the link goes down. – Milton Dec 24 '21 at 13:39
11

In my case I imported my key (gpg --import path/to/key) generated on other machine.

But I could not use it because it was untrusted.

I executed gpg --edit-key "MY KEY ID" trust and set up trust level 5.

After that my key became trusted and now I can use it for encryption.

mixel
  • I think your case is quite unrelated to the situation when a trusted and valid key has an expired encryption sub-key. You were probably only dealing with a valid key which has not been set as trusted in your particular keychain. Nevertheless, thanks for the info. – marekful Mar 04 '17 at 01:09
  • 6
    Yes, it's unrelated to your particular case, but this question was the first result when I searched the web for a solution to my issue, so I added an answer here to help others. – mixel Mar 04 '17 at 01:24
2

You need to specify the key that you want to use for encryption, so the command you need in this case is gpg -r email.address@domain.com --encrypt file-to-encrypt.

Tim Lamballais
  • Thanks Tim, please see my update. Like I said, encryption with the same key did work some time ago. Any idea why the public key was rendered unusable? – marekful Mar 13 '14 at 12:17
  • Hmmm, what is the key type? The output of `gpg --list-keys` looks like it doesn't include an encryption subkey in the ring, so that's probably your problem. (It looks like you just have a DSA key, which is used for signing only). Did you do an export/import of keys recently? – Tim Lamballais Mar 13 '14 at 12:33
  • What is the output of `gpg --edit-key 5E04B919`? – Tim Lamballais Mar 13 '14 at 12:36
  • Thanks for the input, Tim. It turned out the sub-key was expired. Strangely, `gpg --list-keys` did NOT show the expired sub-key!! (I still have the output on my console.) Once the sub-key expiry was extended, it was included in the output of `gpg --list-keys`. Also, KGpg does not show this, nor does it allow extending the expiry of the sub-key (only the main key's expiry can be edited). – marekful Mar 13 '14 at 15:18
1

I faced the same problem (expired public key) and came across this thread. The solution suggested by marekful, although very useful, only works if you have access to the (corresponding) secret key.

Since in my case this precondition did not hold, I eventually went ahead and changed my system time to an earlier date (when the key was still valid). This resulted in avoiding the skipped: unusable public key message.

I am aware that it is not a good practice to use expired keys. Use this as a last resort if the situation absolutely demands it.

1

I had a similar problem, and found this thread, and in my case I had exported my secret key on one computer, and imported it on the new computer.

When I tried encrypting a file, I got the unusable public key message.

```
gpg --sign --encrypt -r <mykey> -u <mykey> file.tar
gpg: <mykey>: skipped: Unusable public key
gpg: file.tar: sign+encrypt failed: Unusable public key
```

The command I used on original computer was:

gpg --export-secret-keys --export-options export-clean --armor <key id>

When I imported it on the new system, it worked fine for signing git commits, but failed when I tried encrypting a file.

In my case, the public key was missing the sub-key, and my solution was to export my public key too with this command:

gpg --export --armor --export-options export-clean,export-minimal --output pubkey.asc

When I imported the public key on the new computer, the output was:

```
gpg: Total number processed: 1
gpg:            new subkeys: 1
gpg:         new signatures: 4
```

I could then use the key just fine for encrypting a file.

m0j0
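
Two answers above trace "unusable public key" to the encryption sub-key: expired in the accepted answer, absent from the imported public key in the last one. The following is an added example, not code from any poster in this thread, that reports both conditions from GnuPG's colon-delimited key listing; the function names, output format and sample records (with placeholder key IDs) are constructed for illustration, and the field positions assume the layout documented in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example: report keys that have no usable encryption (sub)key.
# Input on stdin: colon-format key listing records.
# Fields used (per GnuPG doc/DETAILS): 1=record type, 2=validity
# (e=expired, r=revoked, i=invalid), 5=key ID, 7=expiry, 12=capabilities.
# Output: "<primary> <subkey> <status> <expiry>" or "<primary> - missing -".
enc_subkey_report() {
    awk -F: '
        function report() {
            if (primary == "" || usable) return
            if (detail == "") detail = primary " - missing -\n"
            printf "%s", detail
        }
        $1 == "pub" {
            report()
            primary = $5; usable = 0; detail = ""
            # Lowercase "e" in field 12: the primary key itself can encrypt.
            if ($12 ~ /e/ && $2 !~ /^[eri]/) usable = 1
        }
        $1 == "sub" && $12 ~ /e/ {
            if ($2 ~ /^e/)         detail = detail primary " " $5 " expired " $7 "\n"
            else if ($2 ~ /^[ri]/) detail = detail primary " " $5 " unusable " $7 "\n"
            else usable = 1
        }
        END { report() }
    '
}

# Constructed sample listing: key A has an expired encryption subkey,
# key C has a valid one, key E has no encryption subkey at all.
sample_listing() {
    cat <<'EOF'
pub:u:2048:17:AAAAAAAAAAAAAAAA:1328140800:1454284800::u:::scaSCA:
uid:u::::1328140800::::Firstname Lastname <email.address@domain.com>:
sub:e:1024:16:BBBBBBBBBBBBBBBB:1328140800:1391212800:::::e:
pub:u:2048:1:CCCCCCCCCCCCCCCC:1328140800:::u:::scESC:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1328140800::::::e:
pub:-:2048:1:EEEEEEEEEEEEEEEE:1328140800:::-:::scSC:
EOF
}

sample_listing | enc_subkey_report
```

On a real keyring, pipe `gpg --with-colons --fixed-list-mode --list-keys` into `enc_subkey_report`; the last column of an "expired" line is the expiry time in seconds since the epoch.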