Cannot decrypt using GPGSM - No Secret Key

Hi to all,

On a folder I have:

  1. a private RSA 2048 key (privatekey.pem)
  2. the public key exported form the private key (publickey.pem)
  3. the X.509 Certificate (mycert.pem) that is also imported with the command:
    gpgsm --import mycert.pem

Also this certificate is listed correctly when I issue command:
gpgsm -k (let’s say that the email is and the CN=AB)

I also have one simple data.txt file containing some text.

When I issue the encrypt command:
gpgsm -r -o data_enc.txt --armor --encrypt data.txt
I get the encrypted text. Perfect!

But when I try to decrypt, using:
gpgsm -o data_dcr.txt --decrypt data.txt
I get an error:

gpgsm: DBG: recp 0 - issuer: `1.2.840.113549.1.9.1=#747A4065642E636F6D,CN=AB,O=Internet Widgits Pty Ltd,ST=Some-State,C=GR’
gpgsm: DBG: recp 0 - serial: 00A2506CB9E81EB5E8
gpgsm: error decrypting session key: No secret key
gpgsm: decrypting session key failed: No secret key
gpgsm: message decryption failed: No secret key

Needless to say that
gpgsm --list-secret-keys just returns

So the point is, I caannot figure out how to decrypt the file using gpgsm.
Tried also to import privatekey.pem but got “no issuer…” which is normal for the private key…

Also if i use same keys private, public to encrypt/decrypt using OpenSSL (same x.509) everything works fine.

Thank you all in advance for any answers.

Hi Themis,

a precondition for CMS crypto operations is that
gpgsm --list-secret-keys
shows your private key, so please import it first (and the corresponding pubkey).

Note that you must configure the certificate chain properly for production usage,
see, otherwise use the option --disable-crl-checks.


Thank you very much Bernhard for your answer. I must say that this is what I also have understood, reading many similar articles, so I tried to:

gpgsm --import privatekey.pem

but what I get is an error importing due to “No issuer” for my private key.
And that’s ahat puzzles me, Shouldnt I be able for test/dev reasons be able to create a private, public key pair, self-sign the certificate and import it and use the public key for encryption and the private key for decryption? Why the private needs an issuer?!


Hi Themis,

good question, at least the root-CA would need to have a private key imported. :slight_smile:
(But for most use cases of Gpg4win it is not relevant,at it is a rare case that you would want to run a root CA. If you would direct trust, you could more easily use OpenPGP instead of CMS.)

As there are many CMS related standards, I do not know them all by heart.
My idea would be: Maybe the standard demands an issuer for all certificates at least the certs I’ve seen always had one, even if it was the cert itself (root certificate).

The other idea is that it is a defect.
My suggestion: Try this with gpgsm for a modern GnuPG (2.1.21) on GNU/Linux and then ask on gnupg-users@ and next on gnupg-devel@.

Best Regards,

I am trying to access my account to retrieve GRE scores but there I keep getting the no secret key message. I am using the gui version. Are there any tips?

Hi Trenton,
to help you better, can you open a new discussion topic and describe in more detail what kind of key you are using (OpenPGP or CMS)?