There are scenarios where you are trying to decrypt base64-encoded Vault unseal keys that were generated using GnuPG (GPG) but encounter the CLI error message "No secret key" when performing:
# base64-encoded Vault unseal key:
b64_k1='...=='
echo "${b64_k1}" | base64 --decode | gpg -dqv
gpg: public key is 49107CFC1EBBE23D
gpg: decryption failed: No secret key
The same steps, confirmed as working with the GPG CLI and its configuration on Vault 1.12.x or earlier, now fail on new clusters during the initial init operation on Vault 1.13.x or higher.
The GPG error message "No secret key" is typically related to the OS configuration and setup of GPG, including for example permissions and privileged execution rights, as discussed in an example StackOverflow thread:
If none of the suggestions about the GPG agent, privileges or permissions applies, and the keys use the ECDH algorithm, then check the GPG version: use the latest release, GPG 2.2.21 or higher (for example 2.4.4), whose changes include:
https://dev.gnupg.org/source/gnupg/browse/master/NEWS$1212
Changes also found in 2.2.21:
* gpg: Allow for extra padding in ECDH. [#4908]
Vault 1.12.x or earlier may work without any issue when ECDH keys and GPG 2.2.19 or earlier are in use, but Vault 1.13 and higher require GPG 2.2.21 or a more recent version. If you are using ECDH keys, upgrade to GPG 2.2.21 or a more recent version such as 2.4.4 or 2.5.0.
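As an added example (not part of the original article), the following POSIX shell helpers check the installed GnuPG version against the 2.2.21 minimum before running the decode-and-decrypt pipeline shown above, so an ECDH-related failure is reported as a version problem instead of the misleading "No secret key" error. The helper names and the `GPG` override variable are this example's own; it assumes the matching secret key is already in the caller's keyring.

```shell
# Added example, not from the original article: verify the GnuPG version
# before decrypting a base64-encoded Vault unseal key. The 2.2.21 minimum
# (ECDH extra-padding fix) and the decode pipeline come from the article.

MIN_GPG_FOR_ECDH="2.2.21"

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$1" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s\n' "$2" | cut -d. -f"$i"); w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# parse_gpg_version: read `gpg --version` output on stdin, print "X.Y.Z"
# from its first line (e.g. "gpg (GnuPG) 2.4.4" -> "2.4.4").
parse_gpg_version() {
    sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# gpg_ecdh_ok VERSION: succeed when VERSION can decrypt ECDH-encrypted
# unseal keys produced by Vault 1.13 and higher.
gpg_ecdh_ok() { version_ge "$1" "$MIN_GPG_FOR_ECDH"; }

# decrypt_unseal_key B64: decode and decrypt one unseal key from the
# `vault operator init` output; the matching secret key must be in the keyring.
decrypt_unseal_key() {
    v=$("${GPG:-gpg}" --version 2>/dev/null | parse_gpg_version)
    if [ -z "$v" ]; then
        echo "gpg not found or version not parseable" >&2
        return 2
    fi
    if ! gpg_ecdh_ok "$v"; then
        echo "gpg $v is older than $MIN_GPG_FOR_ECDH: ECDH unseal keys from Vault 1.13+ fail with 'No secret key'" >&2
        return 2
    fi
    printf '%s' "$1" | base64 --decode | "${GPG:-gpg}" -dq
}
```

Run `decrypt_unseal_key "$b64_k1"` with the base64 value from the init output; a non-zero exit with the version message means the GPG upgrade described above is needed before the decryption itself is worth debugging.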