gpg symmetric encryption decrypts without asking for the symmetric key when --decrypt option is used

Richard Hogaboom

7/16/23, 10:43 PM

If you encrypt with:

gpg -o gpg.symmetric.test.gpg --symmetric gpg.symmetric.test

and then decrypt with:

gpg -o gpg.symmetric.test1 --decrypt gpg.symmetric.test.gpg  # --decrypt option mistakenly included

the output gives:

gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase

and decrypts the file WITHOUT ASKING FOR THE KEY!  This would allow anybody
to decrypt any symmetrically encrypted file.  The --decrypt option is not
needed or supposed to be used, but the result is a disaster.

I tested with a small ascii text file and did a diff on the original and the
decrypted file.  They are identical.  I ran 'file' on the encrypted file:

file gpg.symmetric.test.gpg
gpg.symmetric.test.gpg: GPG symmetrically encrypted data (AES256 cipher)

I redid the test without the --decrypt option and the symmetric key was
queried for.

0 + 0

symmetric

pgp

SAI Peregrinus

7/17/23, 12:18 AM

IIRC GPG uses the default key on your machine as the encryption/decryption key, and the passphrase is to allow for decryption to work with other machines. Essentially it secretly creates and stores the actual encryption key, and then encrypts that with the passphrase and combines the encrypted key and the encrypted plaintext into the output.

SAI Peregrinus

7/17/23, 12:19 AM

On that note, I strongly recommend [age](https://age-encryption.org) over GPG for encryption, it's much easier to use.

dave_thompson_085

7/17/23, 12:59 AM

**The agent remembers it.** Crossdupe https://security.stackexchange.com/questions/103034/gnupg-decryption-not-asking-for-passphrase https://unix.stackexchange.com/questions/395875/gpg-does-not-ask-for-password https://superuser.com/questions/1346376/gpg-decrypt-not-asking-for-password-and-just-decrypting-why https://askubuntu.com/questions/1093848/gpg-decrypts-files-without-asking-for-password

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: gpg symmetric encryption decrypts without asking for the symmetric key when --decrypt option is used

TH: การเข้ารหัสแบบสมมาตร gpg ถอดรหัสโดยไม่ต้องขอคีย์สมมาตรเมื่อใช้ตัวเลือก --decrypt

RO: criptarea simetrică gpg decriptează fără a cere cheia simetrică când este utilizată opțiunea --decrypt

RU: Симметричное шифрование gpg расшифровывает без запроса симметричного ключа при использовании параметра --decrypt

VI: mã hóa đối xứng gpg giải mã mà không yêu cầu khóa đối xứng khi tùy chọn --decrypt được sử dụng

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.