Check GPG Recipient Keys

TL;DR

You can’t directly see who can decrypt a message after you encrypt it with GPG, but you can verify the fingerprints of the public keys used for encryption to ensure you encrypted it for the intended recipients. This confirms they have the corresponding private key needed to decrypt.

How to Check Recipient Keys

  1. Encrypt the Message: First, encrypt your message using GPG with the recipient’s public key(s). For example:
    gpg --encrypt --recipient 'Recipient Name' myfile.txt
  2. List Keys Used in Encryption: After encryption, run gpg --decrypt with the --list-only option. This skips the actual decryption pass (so you are not really decrypting and no passphrase is needed) and prints the key ID of every key the message was encrypted to.
    gpg --list-only --decrypt myfile.txt.gpg
  3. Verify Fingerprints: The output lists the key ID (and, if the key is in your keyring, the user ID) of each recipient key. A key ID is only the last 16 hex digits of a fingerprint, so look up the full fingerprint of each listed key and carefully compare it with the known, trusted fingerprints of your intended recipients’ public keys.
    • Obtain Trusted Fingerprints: Get the recipient’s fingerprint through a secure channel (e.g., in person, over Signal, from their website if they publish it). Do not rely on email or other potentially compromised sources for fingerprints!
    • Compare Carefully: Ensure each digit and character matches exactly. A single incorrect character means you encrypted the message for the wrong key.
  4. Using Key Servers (Caution): You can search for keys on public key servers, but always verify the fingerprint independently.
    gpg --search-keys 'Recipient Name'

    Key servers are not always reliable and can be compromised. Treat results from key servers as a starting point for verification, not definitive proof.

  5. Check Key Trust Levels: GPG allows you to assign trust levels to keys. If you’ve previously signed a recipient’s key (indicating you trust it), the output will reflect this.
    gpg --fingerprint 'Recipient Name'
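As an added example (not part of the original post), here is a small Python parser that performs the check from steps 2 and 3 offline: it reads the public-key encrypted session key (PKESK) packets of a binary .gpg message as defined in RFC 4880, extracts the recipient key IDs and compares them with a list of trusted fingerprints. The message bytes and fingerprints are constructed for illustration; a real message is read with open(path, 'rb') and must be dearmored first (gpg --dearmor) if it is ASCII-armored.

```python
def read_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP message."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                         # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                hlen, length = 2, first
            elif first < 224:
                hlen, length = 3, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                hlen, length = 6, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                  # old-format header (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)            # 1, 2 or 4 length octets follow
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        yield tag, data[i + hlen:i + hlen + length]
        i += hlen + length

def recipient_key_ids(data: bytes) -> list:
    """Key ID (16 hex chars) of every PKESK packet (tag 1, version 3).
    An all-zero key ID means a hidden recipient (gpg --hidden-recipient)."""
    return [body[1:9].hex().upper()
            for tag, body in read_packets(data) if tag == 1 and body[0] == 3]

def check_recipients(data: bytes, trusted_fingerprints) -> dict:
    """For v4 keys the key ID is the last 16 hex digits of the fingerprint."""
    expected = {fp.replace(" ", "").upper()[-16:] for fp in trusted_fingerprints}
    found = set(recipient_key_ids(data))
    return {"ok": found & expected,
            "unexpected": found - expected,    # encrypted to a key you did not intend
            "missing": expected - found}       # intended recipient cannot decrypt

def pkesk(key_id_hex: str, new_format: bool) -> bytes:
    """Constructed PKESK packet: version 3, key ID, RSA, dummy 8-bit MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xab"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

SAMPLE_MSG = (pkesk("6666777788889999", True) + pkesk("DEADBEEF00000001", False)
              + b"\xd2\x04\x01\xde\xad\xbe")       # plus a SEIPD packet (tag 18)
TRUSTED = ["0000 1111 2222 3333 4444  5555 6666 7777 8888 9999",  # Alice, constructed
           "AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF"]           # Bob, constructed
```

Running check_recipients(SAMPLE_MSG, TRUSTED) reports one matching key, one unexpected key and one intended recipient who cannot decrypt; any entry under "unexpected" or "missing" means the message should be re-encrypted before sending.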

Important Considerations

  • Encryption Doesn’t Guarantee Receipt: Checking the key only confirms you encrypted for a valid key; it doesn’t prove the recipient actually received or decrypted the message.
  • Compromised Keys: If a recipient’s private key is compromised after you encrypt, someone else could decrypt your message. There’s no way to know this happened retroactively.
  • Revocation: Recipients can revoke their keys if they suspect compromise. Check for revocations before encrypting.
    gpg --refresh-keys 'Recipient Name'   # fetch updates from the key server, including revocation certificates
    gpg --list-keys 'Recipient Name'      # a revoked key is listed as [revoked]