Gpg cannot unlock passphrase-less key: “gpg: public key decryption failed: No passphrase given”


I have a gpg setup that was started with older gpg versions, and I did not use a passphrase back then. I would press Enter directly when prompted for it. I'm not sure if that means the key isn't encrypted or if it is encrypted with an empty passphrase.

Regardless, when I try to decrypt something that was sent to me recently, gpg needs access to my private key and prompts me for a passphrase but now I cannot use an empty passphrase anymore. gpg fails with:

$ gpg -d foo.asc
(X dialog that prompts me for passphrase, I just press enter)
gpg: public key decryption failed: No passphrase given
gpg: decryption failed: No secret key

I would like to be able to use my keys again. I don't mind setting a passphrase from now on but I don't know how:

$ gpg --passwd xxxxxxx@xxxxxxx.com
(X dialog that prompts me for current passphrase, I just press enter)
gpg: key xxxxxxxxxxxxxxxx/aaaaaaaaaaaaaaaa: error changing passphrase: No passphrase given
gpg: key xxxxxxxxxxxxxxxx/bbbbbbbbbbbbbbbb: error changing passphrase: No passphrase given
gpg: error changing the passphrase for 'xxxxxxx@xxxxxxx.com': No passphrase given

I am running gpg (GnuPG) 2.2.5 and libgcrypt 1.8.2 on openSUSE 15.0.

Best Answer

I solved this by using an older system which had the key.

  • Set a new passphrase on the old system, where empty-passphrase input works
  • Export the old system's private key and copy it over to the new system
  • Clean the gpg state of the new system (move .gnupg to .gnupg.bak)
  • Import the private key that now has a non-empty passphrase

Here are the commands I ran:

# put a non-empty passphrase on current key
me@old$ gpg --passwd xxxx@xxxx.com
(leave empty on first prompt)
(put a new non-empty passphrase on 2nd)
(confirm new passphrase)

# now we export it

me@old$ gpg --list-secret-keys                               
/home/xxxxx/.gnupg/secring.gpg
-------------------------------
sec   4096R/AAAAAAAA 2015-01-01
uid                  Foo Bar <xxxx@xxxxx.com>
uid                  Bar Foo <xxxx@yyyyy.com>
ssb   4096R/BBBBBBBB 2015-01-01

# I've used the first key id (should be 8 hex digits)
me@old$ gpg --export-secret-keys AAAAAAAA > priv.key

# copy the key over to the new system

# back up the .gnupg dir just in case
me@new$ mv .gnupg .gnupg.back
# import the new private key
me@new$ gpg --import priv.key
(type new passphrase set previously)

# done!

For completeness' sake, here are the software versions of both systems; maybe that can help someone:

New system (cannot input empty passphrase) software version:

  • gpg (GnuPG) 2.2.5
  • libgcrypt 1.8.2
  • pinentry-curses (pinentry) 1.1.0

Old system (can input empty passphrase) software version:

  • gpg (GnuPG) 2.0.24
  • libgcrypt 1.6.1
  • pinentry-curses (pinentry) 0.8.3