AWS Airflow (mwaa) and decryption using Python gnupg library

Hello,

Has anybody been able to achieve decryption of a file in AWS Airflow using gnupg decrypt_file?
I get the below error:

gpg: encrypted with rsa2048 key, ID 663F6D92B5XXXX, created 2022-07-28
      "XXXXX"
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
gpg: can't connect to the gpg-agent: Configuration error
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
gpg: can't connect to the gpg-agent: Configuration error
gpg: keydb_search failed: No agent running
[GNUPG:] NO_SECKEY 663F6D92B5******
gpg: public key decryption failed: No secret key
[GNUPG:] ERROR pkdecrypt_failed 33554449
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION

I imported the private key and I can see the key under subkeys when doing a list_keys.
Any help would be much appreciated.

Hi @sg-schaudhuri ,

can you give us the version of GnuPG that is installed there and the GNU/Linux distribution used for the image?

(Calling gpg --version should give you some details about the version. Then cat /etc/os-release potentially gives you details about the GNU/Linux distribution. Then you need a distribution-dependent command to find out where gnupg came from and how you could get gpg-agent.)

The installation seems incomplete as gpg-agent is needed to do crypto operations. Have you checked if it is installed and how you could install it?

The machine is an Amazon Linux 2023 and the package installed is gnupg2-minimal-2.3.7-1.amzn2023.0.4.x86_64

According to GNU Privacy Guard (GNUPG) - Amazon Linux 2023
you need to do

dnf swap gnupg2-minimal gnupg2-full

to use a secret key.


That was indeed the solution! Thank you so much Bernhard!

@bernhard I'm facing the same issue but I seem to have the full gnupg installation but still getting the gpg-agent not found error.

gpg --version:

gpg (GnuPG) 2.3.7
libgcrypt 1.10.2-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /usr/local/airflow/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224

cat /etc/os-release: PRETTY_NAME="Amazon Linux 2023.6.20241121"

I tried running gpg-agent --version but it is not installed. Could you advise?

Can you please show the outputs of these commands?

dnf info gnupg2-full
dnf list installed | grep gnupg

Thank you @swagner !

Running those two commands confirms that I indeed have the minimal version.

The first command errors out while the second one returns this:

gnupg2-minimal.x86_64 2.3.7-1.amzn2023.0.4 @System

I was able to perform the encryption after swapping the minimal version with the full version:

dnf swap gnupg2-minimal gnupg2-full
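
Both reports in this thread show the same signature: the gpg-agent errors appear before NO_SECKEY, so the "No secret key" message is a symptom of the missing agent rather than of a missing key. As an added example (not code from any poster or from python-gnupg), the Python below classifies a failed decrypt from the stderr text that python-gnupg exposes on the result's stderr attribute and checks for gpg-agent on PATH; the function names, the category labels and the sample key ID are assumptions.

```python
import re
import shutil

# Constructed sample modelled on the log in the first post; the key ID is a
# placeholder. python-gnupg collects gpg's status lines in result.stderr.
SAMPLE_STDERR = """\
gpg: error running '/usr/bin/gpg-agent': probably not installed
gpg: failed to start gpg-agent '/usr/bin/gpg-agent': Configuration error
gpg: can't connect to the gpg-agent: Configuration error
gpg: keydb_search failed: No agent running
[GNUPG:] NO_SECKEY 0000000000000000
gpg: public key decryption failed: No secret key
[GNUPG:] ERROR pkdecrypt_failed 33554449
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
"""

# Human-readable lines gpg prints when it cannot launch or reach the agent.
AGENT_ERRORS = re.compile(
    r"error running '[^']*gpg-agent'|failed to start gpg-agent|"
    r"can't connect to the gpg-agent|No agent running"
)


def diagnose(stderr: str) -> str:
    """Classify a decrypt attempt from gpg's stderr and status text."""
    status = [line.split()[1] for line in stderr.splitlines()
              if line.startswith("[GNUPG:] ") and len(line.split()) > 1]
    if "DECRYPTION_OKAY" in status:
        return "ok"
    if AGENT_ERRORS.search(stderr):
        # Checked first: with no agent, NO_SECKEY is reported even when
        # the secret key was imported.
        return "agent-missing"
    if "NO_SECKEY" in status:
        return "no-secret-key"
    return "other"


def agent_on_path() -> bool:
    """Pre-flight check to run on the worker before calling decrypt_file."""
    return shutil.which("gpg-agent") is not None


if __name__ == "__main__":
    print(diagnose(SAMPLE_STDERR), "| gpg-agent on PATH:", agent_on_path())
```

In a DAG task, passing the stderr attribute of the decrypt_file result to diagnose() separates an image that still has gnupg2-minimal from a keyring that really lacks the key.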