Is limit-card-insert-tries a working option?

Tony Lane codeguro at
Thu May 30 23:46:55 CEST 2019

Hash: SHA512

I don't know much about this 'pass' tool so I can't give you much advice for that.
But more importantly, your setup seems a little... odd. If I'm understanding this correctly, you have *multiple* smartcards with (what I presume are your) unique identities on each of them but registered to the same email address? I'm not sure if I understand your exact setup, but if I have it right, I don't think this is optimal.

You should have your cert-only (master key) private key stored away somewhere offline registered to your email address.
Under this cert-key, you'd have at least 2 subkeys signed by it... an encryption subkey and signing subkey. You can have more than one of these and you can specify which one to use with: gpg -u <key-id>! for signing or: gpg -e -r <key-id>! for encrypting. Note that with encrypting however, you typically use *other* people's key ids to encrypt to. Well, you could add yourself as the recipient so you could decrypt it as well.

And yes, you can use an email address and GPG will be smart enough to pick and choose which key to use. You typically don't explicitly specify key-id! for signing unless you have multiple signing subkeys and need to use a specific one, and likewise don't typically use key-id! for encrypting unless your recipients have multiple encrypting subkeys and they request you to use a specific one (perhaps they have a subkey for work-related stuff and another for at home?).
In any case you should have only one cert key and all of your subkeys stem from that.

> From what I've seen from the `pass` tool, if I'm editing an already-encrypted file, it decrypts the file - producing a copy that I can edit - and then re-encrypts the file. Here's an example from my multiple subkey setup:

>     gpg2 -e -r keyid1! -r keyid2! -r keyid3! -o content.gpg --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent /path/to/content.txt

> Where keyid1, keyid2, etc. are in the long form of 0x0123456789ABCDEF

If you're getting prompted for a passphrase multiple times for this, I think what may be happening is that a subset of your recipients' public keys are partitioned across the two smart cards. You should just have the public keys all in one card. Public encryption keys can be freely exchanged and shared without risk. 


More information about the Gnupg-users mailing list