Problems with two active encryption subkeys

Hauke Laging mailinglisten at
Wed Nov 10 16:21:21 CET 2010

On Wednesday 10 November 2010 15:38:39, Sven Klomp wrote:

> I have a public key configuration as follows:
> Primary Key (DSA for signing other keys)
> - Sub-key 1 (Elgamal for encryption)
> - Sub-key 2 (RSA for signing mails/files)
> - Sub-key 3 (RSA for encryption)
> How does GnuPG decide what encryption key should be used? In my tests, a
> file or mail is always encrypted with sub-key 3.

AFAIK gpg takes the (compatible) subkey which is valid for the longest 
remaining period. Unfortunately you cannot even force gpg to use a certain 
subkey (directly): Giving a subkey ID as encryption target triggers a strange 
process: gpg looks for the main key of this ID and then selects the subkey as 
if the main key ID had been given...

If you really want to force it then you can export the subkeys to a different 
keyring (call gpg with --no-default-keyring and --keyring and import the key), 
delete all other subkeys and start the normal encryption afterwards.

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
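
The separate-keyring workaround described in the reply above, as an added shell example that is not part of the original message: it copies the public key into a throwaway keyring, deletes every subkey except the one to keep through `--edit-key`, and then encrypts against that keyring. The function name, its arguments and the keyring file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Names and arguments are
# hypothetical: PRIMARY is the recipient's primary-key fingerprint, KEEP is
# the 16-hex-digit long key ID of the one subkey that should stay.

# encrypt_with_subkey PRIMARY KEEP INFILE OUTFILE
encrypt_with_subkey() {
    primary=$1 keep=$2 infile=$3 outfile=$4
    ringdir=$(mktemp -d) || return 1
    ring=$ringdir/isolated.gpg

    # Every call through this helper sees only the throwaway keyring.
    ring_gpg() { gpg --no-default-keyring --keyring "$ring" "$@"; }

    # 1. Copy the public key (with all subkeys) into the separate keyring.
    gpg --batch --export "$primary" | ring_gpg --batch --quiet --import ||
        { rm -rf "$ringdir"; return 1; }

    # 2. Select every subkey except KEEP by position, then delete them.
    #    "key N" toggles selection; "y" answers the delkey confirmation.
    cmds=$(ring_gpg --batch --with-colons --list-keys "$primary" |
        awk -F: -v keep="$keep" '
            $1 == "sub" { n++; if (toupper($5) != toupper(keep)) print "key " n }
            END { print "delkey"; print "y"; print "save" }')
    printf '%s\n' "$cmds" |
        ring_gpg --command-fd 0 --no-tty --edit-key "$primary" >/dev/null 2>&1

    # 3. Normal encryption; only one encryption subkey is left to choose.
    ring_gpg --batch --yes --trust-model always --recipient "$primary" \
        --output "$outfile" --encrypt "$infile"
    status=$?
    rm -rf "$ringdir"
    return $status
}
```

The default keyring is never modified; `gpg --list-packets` on the output file shows which key ID the session key was encrypted to.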