Decryption problem

I have a Nitrokey Pro, loaded with a key:

Reader ...........: 20A0:4108:00003C130000000000000000:0
Application ID ...: D276000124010201000500003C130000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003C13
Name of cardholder: My Name
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 3
Signature key ....: 2ECE 60C9 E68D AD15 408A  5321 6992 5DE2 9347 9CA1
  created ....: 2017-01-05 16:41:09
Encryption key....: F9FC A2AE 1751 D08A 59DC  0025 D625 27FB C5AE A46D
  created ....: 2017-01-05 16:41:09
Authentication key: 9ADB 66DB CD4E 2A24 CFD1  E878 0ADC F71C 0A10 E054
  created ....: 2017-01-05 16:49:39
General key info..: pub  rsa4096/69925DE293479CA1 2017-01-05 My Name <>
sec>  rsa4096/69925DE293479CA1  created: 2017-01-05  expires: never
                            card-no: 0005 00003C13
ssb>  rsa4096/D62527FBC5AEA46D  created: 2017-01-05  expires: never
                            card-no: 0005 00003C13
ssb>  rsa4096/0ADCF71C0A10E054  created: 2017-01-05  expires: never
                            card-no: 0005 00003C13

Now, I can easily encrypt with the public key:

echo "abcdefg" > msg.txt
gpg -e ./msg.txt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: 2ECE60C9E68DAD15408A532169925DE293479CA1

But I can’t decrypt it afterwards:

gpg -d ./msg.txt.gpg
gpg: encrypted with 4096-bit RSA key, ID 0ADCF71C0A10E054, created 2017-01-05
      "My Name <>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key

Any ideas what I’m doing wrong?


I think you should try with the ID of the pub key (69925DE293479CA1) instead of the Signature key, or just put in the mail address instead (which I prefer in most cases); GnuPG will handle it well.

Kind regards


It doesn’t help: whichever key ID I use, upon decryption it tells me that it was encrypted with 0ADCF71C0A10E054, which according to gpg --card-status is the authentication key. Why would it encrypt with the authentication key?

Selecting by email will not work, as I have a few old keys for that email.


It seems I’ve found the reason for my problem. For some reason, when I was creating the authentication key I didn’t de-select the options for signing and encryption on that key. The problem is that if you have an encryption (E) subkey and an (incorrectly) created authentication subkey with encryption also enabled (EA or SEA), then gpg insists on using the second one to encrypt, but when decrypting, the Nitrokey (or gpg?) will not allow the authentication key to be used for that.

Quite a convoluted issue, but I’m happy it works for me now (after creating new keys).


I’m glad you found the issue and let us know!
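
An added example, not part of the original thread: a check for the capability mix-up diagnosed above, run over `gpg --list-keys --with-colons` output. GnuPG encrypts to the most recently created usable encryption-capable subkey, so the script reports which subkey would be selected and which subkeys combine authentication with encryption. The key IDs are the ones from the thread; the capability strings and epoch timestamps in the sample are constructed, and GnuPG 2.x colon output (epoch creation times, capabilities in field 12) is assumed.

```python
import time

# Constructed sample in `gpg --list-keys --with-colons` format. Key IDs come
# from the thread; capability strings and epoch times are assumptions.
SAMPLE = """\
pub:u:4096:1:69925DE293479CA1:1483634469:::u:::scESCA:
sub:u:4096:1:D62527FBC5AEA46D:1483634469::::::e:
sub:u:4096:1:0ADCF71C0A10E054:1483634979::::::esa:
"""

UNUSABLE = set("ired")  # invalid, revoked, expired, disabled


def parse_subkeys(colons):
    """Return one dict per 'sub' record in colon-delimited gpg output."""
    subkeys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] != "sub" or len(f) < 12:
            continue
        subkeys.append({
            "keyid": f[4],
            "validity": f[1],
            "created": int(f[5]),
            "expires": int(f[6]) if f[6] else None,
            "caps": set(f[11]),  # e=encrypt, s=sign, a=authenticate
        })
    return subkeys


def encryption_candidates(subkeys, now=None):
    """Usable encryption-capable subkeys, newest first."""
    now = now if now is not None else int(time.time())
    usable = [k for k in subkeys
              if "e" in k["caps"]
              and k["validity"] not in UNUSABLE
              and (k["expires"] is None or k["expires"] > now)]
    return sorted(usable, key=lambda k: k["created"], reverse=True)


def audit(colons):
    """Report the subkey gpg would encrypt to and any mixed a+e subkeys."""
    subs = parse_subkeys(colons)
    cands = encryption_candidates(subs)
    mixed = [k["keyid"] for k in subs if {"a", "e"} <= k["caps"]]
    return {"selected": cands[0]["keyid"] if cands else None, "mixed": mixed}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `mixed` list means an authentication subkey was generated with encryption still enabled; if that subkey is also `selected`, messages will be encrypted to a key the card holds in its authentication slot.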