What are the correct permissions for the .gnupg enclosing folder? gpg: WARNING: unsafe enclosing directory permissions on configuration file


Solution 1

Yes, you will also need to fix the permissions of the enclosing directory ~/.gnupg

Because an attacker with enough rights on the folder could manipulate folder contents.

Execute the following commands:

  1. Make sure the folder and its contents belong to you:
    chown -R $(whoami) ~/.gnupg/

  2. Correct access rights for .gnupg and subfolders:
    find ~/.gnupg -type f -exec chmod 600 {} \;
    find ~/.gnupg -type d -exec chmod 700 {} \;

Explanation for 600, 700:

Let's start from the back: '00' means NO rights AT ALL for everybody who is not the owner of the files/directories.

That means that the process reading these (gnupg) must run as the owner of these files/directories.

~/.gnupg/ is a folder, so the process reading the contents must be able to "enter" (=execute) this folder. This is the "x" Bit. It has the value "1". 7 - 6 = 1

Both ~/.gnupg/ and ~/.gnupg/* you want to be able to read and write, that's 4 + 2 = 6.

==> Only the owner of the files can read/write them now (=600). Only he can enter into the directory as well (=700)

==> These file rights don't "need" to be documented, they are derivable from the intended usage.

More info about permission notation: https://en.wikipedia.org/wiki/File_system_permissions#Notation_of_traditional_Unix_permissions

Solution 2

GnuPG by default enforces secure access privileges, which means nobody else (but you) can access your GnuPG home directory ~/.gnupg. These access privileges often are not strict enough after copying the GnuPG home directory from another machine, and very often wrong ownership is the reason for such a message.

# Set ownership to your own user and primary group
chown -R "$USER:$(id -gn)" ~/.gnupg
# Set permissions to read, write, execute for only yourself, no others
chmod 700 ~/.gnupg
# Set permissions to read, write for only yourself, no others
chmod 600 ~/.gnupg/*

If you have (for any reason) created your own folders inside ~/.gnupg, you must also additionally apply execute permissions to that folder. Folders require execution privileges to be opened.

Solution 3

These two lines will set the permissions separately and correctly for directories and files:

find ~/.gnupg -type d -exec chmod 700 {} \;
find ~/.gnupg -type f -exec chmod 600 {} \;

assuming ownership is already set correctly.

Note it does not change permissions on the sockets S.gpg-agent*. (Only the new gpg v2 involves sockets, the old gpg v1 doesn't).

Solution 4

Although Jens Erat already mentioned it in his last sentence, I think it should be stressed that any folders inside ~/.gnupg must be executable (mode 700) as well. This holds especially for the private-keys* folder that is created by gpg itself. I was stuck with permission problems for a while before I noticed this.

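The four answers above describe one procedure from different angles; the following script puts them together as an audit plus an idempotent repair. It is an added example, not code from any of the answers or from GnuPG itself, and it assumes only POSIX sh with find, chmod, chown, id and mktemp. gnupg_perms_check lists every entry that is not owned by you, every directory whose mode is not exactly 700 and every regular file whose mode is not exactly 600, which is stricter than gpg's own check (the warning in the question fires because 0775 leaves the directory group-writable). gnupg_perms_fix repairs in the order the comments argue about: ownership, then directories, then files, leaving the S.gpg-agent* sockets alone because they match neither -type d nor -type f. make_broken_tree builds a constructed sample that reproduces the question's 0775 directory together with the subfolder pitfall from Solution 4; the function names, the sample file names and the `demo`/`check`/`fix` arguments are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from any of the answers or from GnuPG itself.
# Assumes POSIX sh plus find, chmod, chown, id and mktemp (any Linux/BSD box).
# Both functions take an optional DIR argument and default to ~/.gnupg.

# Report everything gpg would object to: an entry not owned by the calling
# user, a directory whose mode is not exactly 700, a regular file whose mode
# is not exactly 600. Returns 0 when the tree is clean, 1 when it is not.
gnupg_perms_check() {
    dir=${1:-"$HOME/.gnupg"}
    me=$(id -un)
    bad=0
    [ -d "$dir" ] || { echo "gnupg_perms_check: no directory $dir" >&2; return 2; }

    # A subfolder that has lost its x bit (Solution 4's case) is reported
    # itself but cannot be descended into; its contents get audited on the
    # re-check after a fix. stderr is silenced for that reason.
    owner=$(find "$dir" ! -user "$me" 2>/dev/null) || true
    dirs=$(find "$dir" -type d ! -perm 700 2>/dev/null) || true
    files=$(find "$dir" -type f ! -perm 600 2>/dev/null) || true

    [ -z "$owner" ] || { printf 'not owned by %s:\n%s\n' "$me" "$owner"; bad=1; }
    [ -z "$dirs" ]  || { printf 'directories not 700:\n%s\n' "$dirs"; bad=1; }
    [ -z "$files" ] || { printf 'regular files not 600:\n%s\n' "$files"; bad=1; }
    return "$bad"
}

# Repair in the order that matters: ownership first (chmod fails on files you
# do not own), then directories with an immediate -exec so find chmods each
# folder before it tries to descend into it, then regular files. Sockets such
# as S.gpg-agent* match neither -type d nor -type f and are left alone.
gnupg_perms_fix() {
    dir=${1:-"$HOME/.gnupg"}
    [ -d "$dir" ] || { echo "gnupg_perms_fix: no directory $dir" >&2; return 2; }
    chown -R "$(id -un)" "$dir" || return 1
    find "$dir" -type d -exec chmod 700 {} \;
    find "$dir" -type f -exec chmod 600 {} \;
}

# Constructed sample, not a real keyring: the question's 0775 directory with a
# 664 gpg.conf, plus a private-keys-v1.d subfolder that a bare
# `chmod 600 ~/.gnupg/*` has knocked down to 600. Prints the directory path.
make_broken_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/private-keys-v1.d"
    : > "$t/gpg.conf"
    : > "$t/private-keys-v1.d/constructed-keygrip.key"
    chmod 664 "$t/gpg.conf"
    chmod 600 "$t/private-keys-v1.d/constructed-keygrip.key"
    chmod 600 "$t/private-keys-v1.d"   # after the file: without x, no path lookups inside
    chmod 775 "$t"
    printf '%s\n' "$t"
}

# Walkthrough: the audit fails on the sample, the fix runs, the audit passes.
gnupg_perms_demo() {
    d=$(make_broken_tree) || return 1
    if gnupg_perms_check "$d"; then
        echo "expected the constructed tree to fail the audit" >&2
        return 1
    fi
    gnupg_perms_fix "$d" || return 1
    gnupg_perms_check "$d" || return 1
    echo "repaired $d"
    rm -rf "$d"
}

# `sh gnupg-perms.sh demo` runs the walkthrough; `check` and `fix` take an
# optional path and act on ~/.gnupg by default. Sourcing the file exposes the functions.
case "${1:-}" in
    demo)  gnupg_perms_demo ;;
    check) gnupg_perms_check "$2" ;;
    fix)   gnupg_perms_fix "$2" ;;
esac
```

Two details worth knowing when adapting this: `-perm 700` without a leading `-` is an exact match in POSIX find, so a directory at 750 or 770 is flagged rather than silently accepted, and the directory pass uses `-exec ... \;` rather than `+` on purpose, because find is pre-order and the immediate chmod restores the x bit on a 600 subfolder before find opens it, which a batched `+` would not.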
Author: Nathan Basanese

Updated on September 18, 2022

Comments

  • Nathan Basanese
    Nathan Basanese over 1 year

    I don't want to just chmod and run until I get the right answer, nor do I want to run GnuPG as root. The easy fix would be to just set it so that only my user can read it, but I don't think that's the best way.

    I get the following error when I attempt to use gpg:

    gpg: WARNING: unsafe enclosing directory permissions on configuration file `/home/nb/.gnupg/gpg.conf'
    gpg: external program calls are disabled due to unsafe options file permissions
    gpg: keyserver communications error: general error
    gpg: keyserver receive failed: general error
    

    GnuPG's ~/.gnupg/ current status:

    % stat .gnupg 
      File: ‘.gnupg’
      Size: 4096        Blocks: 8          IO Block: 4096   directory
    Device: 1bh/27d Inode: 20578751    Links: 3
    Access: (0775/drwxrwxr-x)  Uid: ( 1000/      nb)   Gid: ( 1000/      XXXX)
    Access: 2015-08-09 18:14:45.937760752 -0700
    Modify: 2015-08-05 20:54:32.860883569 -0700
    Change: 2015-08-05 20:54:32.860883569 -0700
     Birth: -
    

    The answer at the following link advises 600 permissions for the ~/.gnupg/gpg.conf file, but does the enclosing folder require those permissions, too?

    https://askubuntu.com/questions/330755/unsafe-permissions-on-configuration-file-home-david-gnupg-gpg-conf-what-doe

  • Nathan Basanese
    Nathan Basanese almost 9 years
    // , Do you know if the makers of GnuPG document these specific permission levels? If they do document them, where could I find this?
  • Nathan Basanese
    Nathan Basanese about 7 years
    // , Yeah, but the error message doesn't say what the permissions should be. Do they publish that anywhere?
  • Nathan Basanese
    Nathan Basanese about 7 years
    // , Also, thanks for adding more of an explanation for those of us who aren't as familiar with the permission numbering scheme.
  • Craig  Hicks
    Craig Hicks over 5 years
    find ~/.gnupg -type d -exec chmod 700 {} \;
  • Nathan Basanese
    Nathan Basanese over 5 years
    Looks like an answer borne of experience.
  • Cobra
    Cobra almost 4 years
    Sorry for the necro, but the order of operations matters. If you set 600 first and then 700, it won't work. Jens Erat's answer has it in the correct order.
  • Alex Stragies
    Alex Stragies almost 4 years
    @Cobra my commands include -type f and -type d to treat files and folders differently. As such, respectfully, I believe you to be wrong.
  • Cobra
    Cobra over 3 years
    @AlexStragies, that makes sense, and I realized that after posting, to be honest. However, I was still getting the same error when I ran the commands you suggested, whereas running the commands Jens suggests (and in that case, the order of the operations does matter) seemed to solve the problem.
  • Estatistics
    Estatistics almost 3 years
    None of these suggestions worked for me! I made a new question... and what I tried superuser.com/questions/1661762/…