What to do when you have a public key in your GPGTools GPG Keychain but you can't encrypt anything with it.
By Matthew Malinowski, 2013-05-29
I use PGP to encrypt sensitive stuff sent over email. 99% of the time, thanks to the ongoing heroism of the folks at GPGTools, "It Just Works".
But, for the past few weeks, I've had a coworker who keeps generating new keypairs and sending me public keys, but I couldn't seem to encrypt anything with them. The public key imports into GPG Keychain just fine, but when I went to encrypt something, her name didn't appear in the list.
Her key was distinctly different from every other key in my keychain in that it had no subkey; it only had a master key.
I'd never had to think about subkeys before, but they're pretty straightforward. The Debian wiki explains thusly:
"...subkeys...are like the normal keys, except they're bound to a master key pair. A subkey can be used for signing or for encryption. The really useful part of subkeys is that they can be revoked independently of the master keys, and also stored separately from them. In other words, subkeys are like a separate key pair, but automatically associated with your main key pair. GnuPG actually uses a signing-only key as the master key, and creates an encryption subkey automatically. Without a subkey for encryption, you can't have encrypted e-mails with GnuPG at all."
My theory is that GPGTools/MacGPG2 are (were) following the GnuPG "standard", and using the master key for signing-only and the subkey for encryption. The lack of subkey in my coworker's public key file meant no encrypting.
This GPGTools support thread helped me figure this out. Everything's basically the same; my coworker is even generating her key on Windows.
To fix this problem, you can try to get the public key owner to generate their keypair "properly" and/or you can update GPGTools. Just use the regular installer; there's no need to use the nightlies. Recent versions will let you encrypt stuff using the master key.
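To check which situation a given public key is in, here is an added example (not from the original post or from GPGTools): a shell function that reads the output of `gpg --with-colons --list-keys` for one key and reports whether it can be encrypted to via a subkey, only via its master key, or not at all. The function name `enc_path`, the sample listings and the key IDs in them are constructed for illustration.

```shell
#!/bin/sh
# Usage with a real keyring (address is a placeholder):
#   gpg --with-colons --list-keys someone@example.org | enc_path
# Colon listing: field 1 = record type, field 2 = validity, field 12 =
# capabilities. A lowercase "e" means that key or subkey itself can encrypt.
# Assumes the listing on stdin describes a single key.
enc_path() {
    awk -F: '
        $1 == "pub" && ($2 ~ /^[reid]$/ || $12 ~ /D/) { dead = 1 }
        $2 ~ /^[reid]$/          { next }  # skip revoked/expired/invalid/disabled records
        $1 == "pub" && $12 ~ /e/ { primary = 1 }
        $1 == "sub" && $12 ~ /e/ { subkey = 1 }
        END {
            if (dead)         print "unusable"
            else if (subkey)  print "subkey"
            else if (primary) print "primary-only"
            else              print "none"
        }'
}

# Constructed sample listings (key IDs, names and dates are made up).
WITH_SUBKEY='pub:-:2048:1:AAAAAAAAAAAAAAAA:1369785600:::-:::scESC:
uid:-::::1369785600::::Alice Example <alice@example.org>:
sub:-:2048:1:BBBBBBBBBBBBBBBB:1369785600::::::e:'

# Master key only, but the master key itself is encryption-capable.
MASTER_ONLY='pub:-:2048:1:CCCCCCCCCCCCCCCC:1369785600:::-:::escESC:
uid:-::::1369785600::::Coworker Example <coworker@example.org>:'

# Signing-only master key and no subkey at all.
SIGN_ONLY='pub:-:2048:1:DDDDDDDDDDDDDDDD:1369785600:::-:::scSC:
uid:-::::1369785600::::Bob Example <bob@example.org>:'

# The only encryption subkey has been revoked (validity "r").
REVOKED_SUB='pub:-:2048:1:EEEEEEEEEEEEEEEE:1369785600:::-:::scSC:
uid:-::::1369785600::::Carol Example <carol@example.org>:
sub:r:2048:1:FFFFFFFFFFFFFFFF:1369785600::::::e:'

for sample in "$WITH_SUBKEY" "$MASTER_ONLY" "$SIGN_ONLY" "$REVOKED_SUB"; do
    printf '%s\n' "$sample" | enc_path
done
```

A result of `primary-only` corresponds to the case described above: the key is usable, but only by software that is willing to encrypt to the master key.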