Skip to main content
Documentation

Troubleshooting GPG

GPG Key is Expired

Expired GPG/PGP keys cannot be used. Replace the expired keys with updated keys.

File Too Large

Files with a size greater than 5 GB are not supported for either encryption or decryption. Make sure that files are smaller than 5 GB before encryption or decryption.

Key Import Errors

The most common errors come from importing GPG keys incorrectly.

Key Has Expired

An import error message of contains an invalid public key: key has expired means the public key is expired. Expired public keys cannot be used to encrypt data and cannot be imported. Contact the key's provider and ask for a replacement unexpired key.

An import error message of contains an invalid private key: key has expired means the private key is expired. Expired private keys cannot be used to sign or decrypt data and cannot be imported. Contact the key's provider and ask for a replacement unexpired key.

Password is Missing

The contains an invalid private key: Private key password is missing error message means the private key requires a password (passphrase) and one was not provided.

Provide the password (passphrase) that was used to protect the private key.

Incorrect Private Key Password

The contains an invalid private key: Incorrect private key password error message means the password (passphrase) provided does not match the one used to protect the private key.

Provide the correct password (passphrase) that was used to protect the private key.

Password Not Required

The contains an invalid private key: Password present but private key does not require one error message means the private key does not require a password (passphrase), but one was provided.

Remove the password (passphrase) from the input form and retry the import.

Key Mismatch

When importing a key pair, the fingerprints of the public and private keys must match. If the fingerprints don't match, contact the key's provider and ask for a matching key pair.

The public key to private key mismatch error message means the public and private keys in the imported pair do not correspond to each other.

Whenever possible, the error message includes details about the keys, including the user ID (key owner) and fingerprint.

Keys do not have to be imported as pairs. You can import public or private keys independently. Only import a key pair together when they are a matching pair.

You can also double-check a key pair mismatch using the GPG command line application. Use the command gpg --list-packets <keyfile> to see details about a key. When comparing a private and public key, the output shows matching keyid: and hashed subpkt 33 len 21 entries. If these values differ, the keys are not a matching pair.

Example cropped output for matching keys, showing the relevant sections containing the keyid: and hashed subpkt 33 fingerprint:

% gpg --list-packets PUBLIC_keyfile.pem
# off=0 ctb=c6 tag=6 hlen=3 plen=525 new-ctb
:public key packet:
	...
	keyid: 7EA2B584CEBEE146
# off=528 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=574 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
	...
	hashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
	...

% gpg --list-packets PRIVATE_keyfile.pem
# off=0 ctb=c5 tag=5 hlen=3 plen=1816 new-ctb
:secret key packet:
	...
	keyid: 7EA2B584CEBEE146
# off=1819 ctb=cd tag=13 hlen=2 plen=44 new-ctb
:user ID packet: "My Key <my.email@files.com>"
# off=1865 ctb=c2 tag=2 hlen=3 plen=586 new-ctb
:signature packet: algo 1, keyid 7EA2B584CEBEE146
	...
	hashed subpkt 33 len 21 (issuer fpr v4 B852EA7705D7875D927681957EA2B584CEBEE146)
	...

In the output above, the values for keyid: and hashed subpkt 33 len 21 must match across the public and private keys. Keys with differing keyid: values, or differing hashed subpkt 33 len 21 values, are not a matched pair.