Decryption Failure: no suitable private/secret key found for decryption

[Thomas Schneider]

Hi,
I cannot decrypt emails anymore.
The error message is pretty clear about that, however I don't understand
how to fix this issue.

Some additional information:
I exported the PGP keys to a secure card (Yubikey 5), but this is
broken and not usable anymore.
Is it possible to decrypt messages w/o this secure card?

Please advise how to fix this issue.

THX

[Olav Seyfarth]

Hi Thomas, first: Did you export an existing key to the card or create one on-card? If you exported an existing key, du you have a copy/backup of your keyring? Second: Does the card report to be valid using gnupg command line (gpg --card-status)? Are you able to sign a message use CLI (echo test | gpg --clearsign | cat)? (The last command may not work 1:1 on Windows, use test files there.) Olav

[Thomas Schneider]

Hi Olav,
I created the key on my desktop PC, in this case Arch Linux, and exported the keys to secure card.
In addition I created a backup of any key (private, sub, ...).

Yes, the secure card is reported to be valid.
This means I was able to customize the card and enter attributes like name, URL, etc.

Regards
Thomas

[Olav Seyfarth]

Good to have backups, so you can restart :)

I'm on arch, too, Did you try "echo test | gpg --clearsign | cat"?! If this does not pop up a passphrase entry dialog, you're probably just lacking that. But that whould be the same for non card-based keys, so probably that's not the cause. Anyway, can you sign?

[Thomas Schneider]

There's no pop-up asking for a passphrase.

[Olav Seyfarth]

But there definitely was one before you exported your key to the card? So on that system, you were able to sign and decrypt, yes?

[Thomas Schneider]

Honestly I cannot answer this because I created the keys in May and didn't perform any test for sign and decrypt.
However I used the encryption successully with Thunderbird+Enigmail when sending and receiving emails. I just can't remember if there was a pop-up for a passphrase or not.

But I would focus on the current issue: Enigmail complains about missing private key, but the key properties confirm that a key pair is existing.

[Olav Seyfarth]

Enigmail kind of cannot complain itself, because it just doesn't handle the keys in crypto operations at all. It just tells GnuPG to do the job. GnuPG throws that error, and Engimail reports it. That's why I urge to debug without Enigmail. If you can't sign on CLI, it's not an Enigmail issue but with underlying components.

[Thomas Schneider]

To mitigate this issue I have deleted my key from Enigmail.
The I started to reimport the private key (from my backup) to GnuPG using this command and there was no error:

PS C:\Users\d038783\.ssh> gpg --import 9518B734EC00D1C5.priv.asc
gpg: Schlüssel 0x9518B734EC00D1C5: "Thomas Schneider <thomas@biszumbitterenen.de>" nicht geändert
gpg: Um 'secring.gpg' zu migrieren sollte für jede Smartcard "gpg --card-status" aufgerufen werden.
gpg: Schlüssel 0x9518B734EC00D1C5: geheimer Schlüssel importiert
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg:                             unverändert: 1
gpg:              gelesene geheime Schlüssel: 1
gpg:            geheime Schlüssel importiert: 1

In Enigmail I can verify this and display the key properties showing type "key pair".

However the issue is not solved.

What's also weired is that the subkeys are marked as "Stub".
It is true that I have exported the subkeys to a secure key (Yubikey 5), however the keys don't exist on the secure key anymore and I think "Stub" should be removed from subkeys.

PS C:\Users\d038783\.ssh> gpg -K
C:/Users/d038783/gnupg/pubring.kbx
----------------------------------
sec   rsa4096/0x9518B734EC00D1C5 2020-01-06 [C]
  Schl.-Fingerabdruck = 04C7 C747 16E5 7122 9EA9  C9F6 9518 B734 EC00 D1C5
uid                [ ultimativ ] Thomas Schneider <thomas@biszumbitterenen.de>
uid                [ ultimativ ] Thomas Schneider <74cmonty@gmail.com>
uid                [ ultimativ ] Thomas Schneider <c.monty@web.de>
ssb#  rsa4096/0xE59C16068930A3FE 2020-01-06 [A] [verfällt: 2021-01-05]
ssb#  rsa4096/0x26CDC641386A1DB8 2020-01-06 [S] [verfällt: 2021-01-05]
ssb#  rsa4096/0x78C8B0F493AB97C8 2020-01-06 [E] [verfällt: 2021-01-05]

[Olav Seyfarth]

I have deleted my key from Enigmail.

So you deleted public AND secret key, yes? You'd also have to reset the card since it's rebuild from the card otherwise. Re-importing allows you to take notes on all steps, but should yield the same (non-working) result. Mind that merging secret keys at least some years ago wasn't possible, so make sure you really clean start.

Since you have a backup, I'd do this to investigate:

• create a new non-card test key, verify that operations work: sign/verify, encrypt/decrypt
• create a new on-card test key, try if you can sign on CLI, only then try with Enigmail

'
It most probably is not an enigmail issue and you should ask Yubikey and GnuPG forums/lists for help. It would be helpful for other Enigmail users if you could post your findings/solution here, too.

[Thomas Schneider]

Update:
I have generated a new key pair and revoked my old key.
There are no issues with Enigmail as of now, I just can't decrypt the emails with the old key.

[Olav Seyfarth]

Did you mean "I just can't decrypt the emails with the old key."? At least that's what you wrote in your initial post.

[Thomas Schneider]

This is correct.
I have adjusted my previous posting.