Silent failure when keyboxd is not running, no error or warning

Werner Koch wk at gnupg.org
Tue Sep 16 11:04:05 CEST 2025


Hello!

> gpg: DBG: chan_4 <- ERR 134217755 Not found <Keybox>

This is debug output and no error.  It merely means, well, not found.

> Behold, there was a `use-keyboxd` there. Deleting this line, I could
> use my keys again.

Please let me quote a section from the README:

    Key database daemon
  
    Since version 2.3.0 it is possible to store the keys in an SQLite
    database instead of the keyring.kbx file.  This is in particular
    useful for large keyrings or if many instances of gpg and gpgsm may
    run concurrently.  This is implemented using another daemon process,
    the "keyboxd".  To enable the use of the keyboxd put the option
    "use-keyboxd" into the configuration file ~/.gnupg/common.conf or the
    global /etc/gnupg/common.conf.  See also doc/examples/common.conf.
    Only public keys and X.509 certificates are managed by the keyboxd;
    private keys are still stored as separate files.

    Since version 2.4.1 the keyboxd will be used by default for a fresh
    install; i.e. if a ~/.gnupg directory did not yet exist.

Note the two lines above and the next paragraph:

    Note that there is no automatic migration; if the use-keyboxd option
    is enabled keys are not taken from pubring.kbx.  To migrate existing
    keys to the keyboxd do this:
  
    1. Disable the keyboxd (remove use-keyboxd from common.conf)
    2. Export all public keys
         gpg --export --export-options backup  > allkeys.gpg
         gpgsm --export --armor                > allcerts.gpg
    3. Enable the keyboxd (add use-keyboxd to common.conf)
    4. Import all public keys
         gpg --import --import-options restore < allkeys.gpg
         gpgsm --import                        < allcerts.crt
  
    In case the keyboxd is not able to startup due to a stale lockfile
    created by another host, the command
  
       gpgconf --unlock pubring.db
  
    can be used to remove the lock file.

Thus, depending on how you installed, updated or reverted a version of GnuPG
you may end up with public keys either being in the keyboxd or in the
usual pubring.kbx file.  The private keys are always stored as separate
files below the private-keys-v1.d directory.  The way the
--list-secret-keys command works is that it walks over all public keys
(pubring.kbx or keyboxd) and then prints only those for which a matching
private key is available.

> It would have been really nice for gpg to report the internal error I
> pasted above, as "Unable to communicate with keyboxd", instead of a
> silent failure causing me to have a minor heart palpitation :)

A too high debug level may have been the cause ;-).


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
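
The following is an added example, not part of the original message and not GnuPG code: a small check for the mismatch described above, where use-keyboxd is active but the public keys still sit in pubring.kbx (or the reverse). The function names and status strings are hypothetical, the database location public-keys.d/pubring.db is an assumption about where keyboxd keeps its file, and only the per-user common.conf is inspected, not the global /etc/gnupg/common.conf.

```shell
#!/bin/sh
# Report which public-key store gpg will consult for a GnuPG home directory
# and flag a store that is present on disk but ignored by the current config.

# uses_keyboxd HOMEDIR
# Succeeds if HOMEDIR/common.conf contains an active (uncommented)
# "use-keyboxd" line.
uses_keyboxd() {
    [ -f "$1/common.conf" ] &&
        grep -Eq '^[[:space:]]*use-keyboxd[[:space:]]*$' "$1/common.conf"
}

# keystore_status HOMEDIR
# Prints one status token (names are illustrative):
#   keyboxd:ok                     keyboxd in use, no leftover pubring.kbx
#   keyboxd:unmigrated-kbx-present keyboxd in use, pubring.kbx exists and is
#                                  NOT read; keys in it need the export/import
#                                  migration quoted from the README
#   kbx:ok                         pubring.kbx in use, no keyboxd database
#   kbx:unused-keyboxd-db-present  pubring.kbx in use, a keyboxd database
#                                  exists and is NOT read
# A non-empty file is only a hint that the store may hold keys; an empty
# keyring also has a file on disk.
keystore_status() {
    home=$1
    kbx="$home/pubring.kbx"
    db="$home/public-keys.d/pubring.db"   # assumed keyboxd database path

    if uses_keyboxd "$home"; then
        if [ -s "$kbx" ]; then
            echo "keyboxd:unmigrated-kbx-present"
        else
            echo "keyboxd:ok"
        fi
    else
        if [ -s "$db" ]; then
            echo "kbx:unused-keyboxd-db-present"
        else
            echo "kbx:ok"
        fi
    fi
}

# Check the current user's GnuPG home directory.
keystore_status "${GNUPGHOME:-$HOME/.gnupg}"
```

A result ending in "-present" means --list-secret-keys can come back empty even though the private key files are intact, because the public keys it walks over are in the store that is not being read.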