Bug#1137246: gnupg encrypts the home directory when using --homedir argument

Thu, 21 May 2026 09:51:13 -0700 

Package: gnupg
Version: 2.5.20-1
Severity: grave
Justification: user security hole
X-Debbugs-Cc: [email protected]

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
encrypt using --homedir argument

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

my USB dongle is Luks encrypted (here decrypted) where my --homedir gpg lie, 
with these two commands I was shocked to find ...


tar -cf - /home/zer/install-GrapheneOS/unpublic-dir | gpg --homedir 
/media/zer/10cd7cc6-991b-4a0c-a0a7-c2f11b4b01a7/gpg/.gnupglogin --encrypt 
--recipient AB7160AB39BE4FC61A4122FD6CCC936783518A02 -o 
/home/zer/install-GrapheneOS/unpublic-dir.tar.gpg


   * What was the outcome of this action?

my home directory was encrypted:

mkdir /home/zer/install-GrapheneOS/decrypted-unpublic/; gpg --homedir 
/media/zer/10cd7cc6-991b-4a0c-a0a7-c2f11b4b01a7/gpg/.gnupglogin --decrypt 
/home/zer/install-GrapheneOS/unpublic-dir.tar.gpg | tar -xf - -C 
/home/zer/install-GrapheneOS/decrypted-unpublic/

... I had encrypted my home folder into ls 
install-GrapheneOS/decrypted-unpublic/home/... 

   * What outcome did you expect instead?

I hoped the gpg agent would use keys in --homedir and encrypt the directory i 
am pointing for.

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 13.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.88+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnupg depends on:
ii  dirmngr     2.5.20-1
ii  gnupg-l10n  2.5.20-1
ii  gpg         2.5.20-1
ii  gpg-agent   2.5.20-1
ii  gpgsm       2.5.20-1
ii  scdaemon    2.5.20-1

Versions of packages gnupg recommends:
ii  gnupg-utils     2.5.20-1
ii  gpg-wks-client  2.5.20-1
ii  gpgv            2.5.20-1

Versions of packages gnupg suggests:
pn  gpg-wks-server  <none>
pn  parcimonie      <none>
pn  xloadimage      <none>

-- no debconf information

Reply via email to