Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

Werner Koch wk at gnupg.org
Tue Feb 13 14:12:04 CET 2018


On Fri,  9 Feb 2018 14:25, ambrevar at gmail.com said:

> this time the SSH key is obviously encrypted with the same passphrase as
> my GPG key, since it's part of it.  Any clue why gpg-agent keeps asking?

gpg (or, more correctly, gpg-agent) can't know which passphrase is used for each
key or subkey.  Passphrases are cached on a per-subkey basis and thus you
will see a passphrase query for each new subkey.

You may now wonder why this does not happen when you decrypt a mail,
reply to it and sign the reply.  Two subkeys (or the primary and the
encryption subkey) are involved in this workflow.  Because this is so
common, gpg-agent knows about it and tries the last passphrase used for
any of the subkeys of a key.  It does not do this for an
authentication subkey, though.  Thus you have to enter it again for ssh.

Note that we can't do trial decryption using several remembered
passphrases because that would take noticeably long for the user.  For
security reasons each passphrase decryption takes about 100ms.


Shalom-Salam,

   Werner
 
-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
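The per-subkey caching Werner describes can be observed directly: gpg-agent's
KEYINFO command reports, for every keygrip it knows, whether a passphrase is
currently cached, and the colon listing of gpg maps each keygrip to a subkey
and its capabilities (s = sign, e = encrypt, a = authenticate).  The script
below is an added example, not part of the mailing-list post or of GnuPG; it
joins the two outputs into one line per (sub)key.  The sample listing and
KEYINFO output embedded in it are constructed (made-up key IDs and keygrips)
so the script runs offline; the function names cache_report, sample_listing,
sample_keyinfo and demo are the example's own.

```shell
#!/bin/sh
# Added example (not GnuPG's code): show which (sub)keys have a passphrase
# cached in gpg-agent, to observe the per-subkey caching behaviour.
#
# Live use, with a running gpg-agent:
#   gpg -K --with-keygrip --with-colons > listing.txt
#   gpg-connect-agent 'KEYINFO --list' /bye > keyinfo.txt
#   cache_report listing.txt keyinfo.txt

# cache_report LISTING KEYINFO
#   LISTING: output of  gpg -K --with-keygrip --with-colons
#   KEYINFO: output of  gpg-connect-agent 'KEYINFO --list' /bye
# Prints one line per key/subkey: <keygrip> <capabilities> cached|not-cached
cache_report() {
    awk -v keyinfo="$2" '
        BEGIN {
            # Agent lines look like
            #   S KEYINFO <grip> <type> <serialno> <idstr> <cached> <prot> ...
            # where the 7th word is "1" when that grip has a cached passphrase.
            while ((getline line < keyinfo) > 0) {
                n = split(line, f, " ")
                if (n >= 7 && f[2] == "KEYINFO") cached[f[3]] = (f[7] == "1")
            }
        }
        # Colon listing: field 1 is the record type, field 12 the capability
        # letters of a sec/ssb record; the grp record that follows carries the
        # keygrip of that key in field 10.
        $1 == "sec" || $1 == "ssb" { caps = $12 }
        $1 == "grp" {
            grip = $10
            printf "%s %s %s\n", grip, caps, (cached[grip] ? "cached" : "not-cached")
        }
    ' FS=: "$1"
}

# Constructed sample data: a primary key (cert+sign), an encryption subkey and
# an authentication subkey.  Key IDs, fingerprints and keygrips are made up.
sample_listing() {
cat <<'EOF'
sec:u:255:22:0123456789ABCDEF:1518000000:::u:::cSC:::+::ed25519:::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:255:18:FEDCBA9876543210:1518000000::::::e:::+::cv25519::
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:255:22:0011223344556677:1518000000::::::a:::+::ed25519::
grp:::::::::3333333333333333333333333333333333333333:
EOF
}

# Constructed KEYINFO output after a decrypt-and-sign round trip: the primary
# and encryption subkey are cached, the authentication subkey is not.
sample_keyinfo() {
cat <<'EOF'
S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - 1 P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - P - - -
OK
EOF
}

# Run cache_report over the constructed sample.
demo() {
    tmp=$(mktemp -d)
    sample_listing > "$tmp/listing.txt"
    sample_keyinfo > "$tmp/keyinfo.txt"
    cache_report "$tmp/listing.txt" "$tmp/keyinfo.txt"
    rm -rf "$tmp"
}
```

In the constructed sample the line for the authentication subkey reads
"not-cached" while the primary and encryption subkeys are cached, which is the
state after the decrypt-then-sign workflow described above and before the first
ssh login.  How long the authentication subkey stays cached once its own prompt
has been answered is controlled separately by gpg-agent's default-cache-ttl-ssh
and max-cache-ttl-ssh options; that is an added note on gpg-agent configuration,
not something the post discusses.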