Error: gopenpgp: error in encrypting asymmetrically: openpgp: invalid argument: cannot encrypt a message to key id ... because the key has no valid encryption keys

[dwlpra]

I encountered an issue when trying to encrypt a message using gopenpgp. The following error message is displayed:

gopenpgp: error in encrypting asymmetrically: openpgp: invalid argument: cannot encrypt a message to key id 46e5290990b7262a because it has no valid encryption keys.

When I checked the key details using the gpg --list-keys command, here is the output:

pub   rsa2048 2014-02-05 [SCEAR]
      3DF044965B590BBB3A702BF946E5290990B7262A
uid           [ unknown] *** pgp key encryption ***
sub   rsa2048 2014-02-05 [SCEAR]

Steps to Reproduce:
I loaded my public key using gopenpgp.
When trying to encrypt a message with the public key, the error above was triggered.
Observations:
Based on the gpg --list-keys output, the key capabilities are SCEAR:

S: Sign
C: Certify
E: Encrypt
A: Authenticate
R: Subkey
However, gopenpgp considers this key invalid for encryption.

Questions:
Is there an issue with my PGP key configuration?
Does gopenpgp require specific key attributes to allow encryption?
How can I verify that my key is valid for encryption when using gopenpgp?

[twiss]

Hi 👋 Could you post the public key, or at least a similar one with which the issue can be reproduced?

[andrewgdotcom]

I don't see the public key attached here, even though I got it in my email. For the record this is the output of gpg --list-packets:

# off=0 ctb=99 tag=6 hlen=3 plen=269
:public key packet:
	version 4, algo 1, created 1391567365, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 46E5290990B7262A
# off=272 ctb=b4 tag=13 hlen=2 plen=52
:user ID packet: "<REDACTED>"
# off=326 ctb=89 tag=2 hlen=3 plen=311
:signature packet: algo 1, keyid 46E5290990B7262A
	version 4, created 1391567365, md5len 0, sigclass 0x13
	digest algo 2, begin of digest d9 39
	hashed subpkt 2 len 4 (sig created 2014-02-05)
	hashed subpkt 9 len 4 (key does not expire)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 3 2 1)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 1 3 0)
	subpkt 16 len 8 (issuer key ID 46E5290990B7262A)
	data: [2042 bits]
# off=640 ctb=b9 tag=14 hlen=3 plen=269
:public sub key packet:
	version 4, algo 1, created 1391567367, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 763F30E04801C901
# off=912 ctb=89 tag=2 hlen=3 plen=311
:signature packet: algo 1, keyid 46E5290990B7262A
	version 4, created 1391567367, md5len 0, sigclass 0x18
	digest algo 2, begin of digest dc 7f
	hashed subpkt 2 len 4 (sig created 2014-02-05)
	hashed subpkt 9 len 4 (key does not expire)
	hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
	hashed subpkt 21 len 6 (pref-hash-algos: 10 9 8 3 2 1)
	hashed subpkt 22 len 4 (pref-zip-algos: 2 1 3 0)
	subpkt 16 len 8 (issuer key ID 46E5290990B7262A)
	data: [2046 bits]

There is no key flags subpacket in either of the self-sigs, which is interpreted inconsistently by different implementations. gnupg takes the absence of the flags to mean "all capabilities", while gopenpgp interprets it as "no capabilities".

You can fix this by editing your key and specifically setting the key flags on the subkey to be "E" only. See this guide: https://security.stackexchange.com/questions/31614/how-to-change-subkey-usage-of-a-pgp-key