Main encryption subkey

Dmitry Dzhus dima at dzhus.org
Fri Sep 21 11:49:17 CEST 2012


How are you gentlemen!

I've generated a keypair of two non-expiring RSA keys (SC and E). In
addition to them I created 3 expiring subkeys for S/E/A to be used
with my smartcard. My computer keyring contains public parts for all
the keys and stubs for secret parts of 3 smartcard keys. Full secret
keyring is stored in a secure location.

Here's my public keyring:

    pub  2048R/377EBC45  created: 2012-09-20  expires: never       usage: SC  
                         trust: ultimate      validity: ultimate
    sub  2048R/3A61AC1C  created: 2012-09-20  expires: 2013-09-20  usage: S   
    sub  2048R/22F8E3BB  created: 2012-09-20  expires: 2013-09-20  usage: E   
    sub  2048R/1BC713CC  created: 2012-09-20  expires: 2013-09-20  usage: A   
    sub  2048R/46503FAD  created: 2012-09-20  expires: never       usage: E   
    [ultimate] (1). Dmitry Dzhus <dima at dzhus.org>

46503FAD is the key created when generating the original keypair.
Three expiring subkeys are those for the card.

Now that I've pushed my keys to keyservers, my concern is how GnuPG
will pick an encryption subkey when people try to encrypt a message
for me, and won't it be confusing for others to see a several
encryption subkeys on my keyring?

Since I have only 22F8E3BB easily accessible from my smartcard, it's
the key I'd prefer to be used. Apparently GnuPG's behaviour matches
this intent:

    dzhus at glacier ~ $ LC_ALL="C" gpg -v -r Dzhus -e passwords
    gpg: using PGP trust model
    gpg: using subkey 22F8E3BB instead of primary key 377EBC45
    gpg: This key belongs to us
    gpg: reading from `passwords'
    gpg: writing to `passwords.gpg'
    gpg: RSA/AES256 encrypted for: "22F8E3BB Dmitry Dzhus <dima at dzhus.org>"
    dzhus at glacier ~ $ LC_ALL="C" gpg -v -r 46503FAD -e passwords
    gpg: using subkey 22F8E3BB instead of primary key 377EBC45
    gpg: using PGP trust model
    gpg: This key belongs to us
    gpg: reading from `passwords'
    gpg: writing to `passwords.gpg'
    gpg: RSA/AES256 encrypted for: "22F8E3BB Dmitry Dzhus <dima at dzhus.org>"

Does GnuPG pick the most recent key?



More information about the Gnupg-users mailing list