Implications of a common private keys directory in 2.1

Peter Lebbing peter at
Sat Dec 3 18:41:05 CET 2016

On 03/12/16 18:21, MFPA wrote:
> If the recipients are hidden, doesn't GnuPG first try the key set
> with --default-key, followed by any keys set with --try-secret-key?

Hey, I didn't know that! Thanks!

> That is sufficient for your smartcard and known-hidden-key examples,
> but not for Caro's situation.

The smartcard case seems to work anyway, in a test it seems to be tried
only after the on-disk keys.

It is indeed sufficient for the known-hidden-key example, but not for
the case with known recipients. I just tried, if there are two secret
keys that are encrypted to and they are named, it will try them in
order, no matter --default-key. Perhaps --default-key could be extended
to always try that first?

> And I don't think --try-secret-key can be followed by
> --skip-hidden-recipients to mean "try this/these key(s) and if they
> won't decrypt it, give up on hidden recipients".

I think in fact --default-key is enough... I just tried with GnuPG 2.1,
and it only tried that secret key. Any additional keys need to be added
via --try-secret-key or --try-all-secrets. So it seems to complete solve
the hidden recipient problem, only the known multiple recipients problem



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list