gpg asks for the same passphrase each time it uses new subkey

Peter Lebbing peter at
Thu Feb 20 11:06:27 CET 2014

On 17/02/14 13:21, Luis Ressel wrote:
> Huh? It shouldn't be neccessary at all to enter your passphrase for
> encryption...

I think Faru meant that he/she had at some point already given the passphrase
for decryption with his GnuPG key, but that he/she didn't expect to be prompted
again when signing with the same GnuPG certificate. I'm using the term
certificate here to refer to the whole of the primary key and all subkeys.

The reason that you're prompted twice is that there is no technical reason why
the passwords for different subkeys need to be the same. Since different
passwords is such an exotic configuration, there is no "proper" command to
achieve this, but it is technically possible[1]. This means that GnuPG actually
really doesn't know the password for the signing subkey. It won't just try the
password for the decryption key to see if that happens to fit; it will ask for
the password.

So you could arrange for the password to be asked on the start of your session
by simply having this execute at the start of your session:

$ echo dummy | gpg2 -s >/dev/null

The command you mentioned (gpg se | gpg d) would ask for two passwords, one for
signing, and one for decryption.

Obviously, you would need to set the time to live for the passphrase large
enough for it to still be valid when the cron job runs.

An alternative is a passphraseless separate signing key that you only use to
sign your backups. This has different security properties; you need to assess
which is best for you.



[1] If someone is interested, I can show how you can do this. But you could also
try to search the mailing list for it, because it has been done before :).

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list