Checking multiple smart cards before asking for one

Ingo Klöcker kloecker at kde.org
Tue May 12 16:38:41 CEST 2020


On Tuesday, 12 May 2020 10:56:19 CEST Valentin Ochs wrote:
> Hi there,
> 
> I have two smart cards, a regular card that I plug into the builtin reader
> of my laptop and a yubikey, that have two different keys on them. I store
> some passwords in a file that is encrypted with both keys.
> 
> When I try to access the passwords, pinentry will always ask me to insert
> the yubikey first, even if the other card is already inserted.
> 
> Is there a way to define the order this is checked per machine (the laptop
> will usually use the card reader, other machines the yubikey), or to force
> gpg to check for all cards before asking me to provide one? I'm up for
> trying to patch this myself, if somebody will point me in a rough direction

Maybe you should optimize for what appears to be your usual scenario (laptop + 
card reader versus other machines + yubikey) and simply remove the yubikey key 
from the laptop and the card reader key from the other machines. 

If gpg only knows about one of the two keys, then it shouldn't ask for the 
wrong key. If you ever want to use the yubikey on the laptop, then you can 
simply (re-)import the yubikey key on the laptop.

The downside is that this will make synchronization of ~/.gnupg between your 
laptop and the other machines more difficult. But then you really only need a 
single key per machine for decrypting your passwords, i.e. you could use 
dedicated GNUPG_HOMEs just for the encryption keys.

Regards,
Ingo
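
The per-machine setup suggested in the reply above, written out with gpg's --homedir option (setting the GNUPGHOME environment variable has the same effect). This is an added example, not part of the original message; the host name "laptop", the directory names and the fingerprint argument are placeholders.

```sh
#!/bin/sh
# Added example: a per-machine GnuPG home that knows only one card's key.
# Host name, directory names and the fingerprint argument are placeholders.

# Pick the home directory for a machine: the laptop uses the built-in
# reader's key, every other host uses the YubiKey's key.
card_home_for() {
    case $1 in
        laptop) printf '%s\n' "$HOME/.gnupg-reader" ;;   # hypothetical host name
        *)      printf '%s\n' "$HOME/.gnupg-yubikey" ;;
    esac
}

# Create the home directory, accessible to the owner only, and print its path.
make_card_home() {
    mkdir -p "$1" && chmod 700 "$1" && printf '%s\n' "$1"
}

# Copy one public key (by fingerprint) from the default keyring into the
# dedicated home; the other card's key is never imported there.
import_card_pubkey() {
    gpg --export "$2" | gpg --homedir "$1" --import
}

# With the card inserted, --card-status records a stub pointing at the card.
# Each home runs its own gpg-agent/scdaemon, so stop the default scdaemon
# first so that it releases the reader.
bind_card() {
    gpgconf --kill scdaemon
    gpg --homedir "$1" --card-status
}

# Decrypt using only the key known to the dedicated home.
decrypt_with_card() {
    gpg --homedir "$1" --decrypt "$2"
}

# Typical use (FINGERPRINT and passwords.gpg are placeholders):
#   home=$(make_card_home "$(card_home_for "$(hostname)")")
#   import_card_pubkey "$home" FINGERPRINT
#   bind_card "$home"
#   decrypt_with_card "$home" passwords.gpg
```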





