preferred key/subkey for decryption

maxime.deroucy at gmail.com
Tue Dec 5 00:00:39 CET 2023


Hello,

Here is my setup:
* I have a primary key, which I keep in a secure location.
* from this primary key I created many subkeys, one for each of my
  tools (laptop, cellphone, server, etc.)
* I also have a yubikey, which holds one of my secret subkeys.

On my laptop I have only 2 secret subkeys available:
* a "local" one (on my keyring, on my disk), using rsa4096
* the one on my yubikey (only when my yubikey is plugged), using rsa2048

I use password-store as a password manager.
All my passwords/files are encrypted with all my private subkeys
(reminder: all subkeys are derived from the same primary key).

So when I try to decrypt one of my password-store passwords (when I try
to `--decrypt` one of the `~/.password-store/…` files), gnupg can use
either my "local" subkey or the "yubikey" one.

When I was using gnupg 2.2.41 the first subkey that was tried was the yubikey one.
I think it was because it was the first subkey in the list used when I --encrypt
the passwords/files.
Which is what I prefer (because the "local" one is protected by a much longer
password).

On gnupg 2.4.3 the first subkey tried is the "local" one.
I think that it's because the "local" subkey is rsa4096, which is more secure
than rsa2048 (the yubikey subkey).

I would like gnupg to try the yubikey subkey first.
(I would like the "local" subkey to be tried only when the yubikey isn't plugged).
I found --personal-cipher-preferences, --personal-digest-preferences and
--personal-compress-preferences but as both subkeys are RSA… it doesn't help.

Is it possible?
Is there an option I missed?
What do you suggest?
Do you need more information?
-- 
Thank you in advance
Regards
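The post's hypothesis rests on the order in which recipient subkeys appear in an encrypted file. The following added example (not from the original post, and not GnuPG's own code) walks the OpenPGP packet stream of a `.gpg` file and lists the recipient key IDs of its Public-Key Encrypted Session Key packets (RFC 4880 §5.1) in the order they appear, the same information `gpg --list-packets` prints; it runs on a constructed sample with placeholder key IDs, so a user can check which subkeys a password-store entry is encrypted to and in what order.

```python
import struct


def _read_length(data, pos, ctb):
    """Return (body_length, body_offset) for the packet whose header byte is ctb."""
    if ctb & 0x40:  # new-format header, RFC 4880 section 4.2.2
        first = data[pos]
        if first < 192:
            return first, pos + 1
        if first < 224:
            return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
        if first == 255:
            return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        raise ValueError("partial body lengths are not supported")
    ltype = ctb & 0x03  # old-format header, RFC 4880 section 4.2.1
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    n = 1 << ltype  # 1, 2 or 4 length octets
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def pkesk_key_ids(data):
    """Return the recipient key IDs (uppercase hex) of each PKESK packet, in file order.

    An all-zero key ID means the recipient was hidden (gpg --throw-keyids)."""
    key_ids = []
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
        length, body = _read_length(data, pos + 1, ctb)
        if tag == 1:  # Public-Key Encrypted Session Key packet
            if data[body] != 3:
                raise ValueError("unexpected PKESK version %d" % data[body])
            key_ids.append(data[body + 1:body + 9].hex().upper())
        pos = body + length


    return key_ids


def _pkesk(key_id_hex):
    # Constructed PKESK: version 3, 8-byte key ID, algorithm 1 (RSA), one tiny MPI.
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xab"
    return bytes([0xC1, len(body)]) + body


# Constructed sample: two recipients (placeholder key IDs, not real keys) followed
# by a minimal Symmetrically Encrypted Integrity Protected Data packet (tag 18).
SAMPLE = _pkesk("0123456789ABCDEF") + _pkesk("FEDCBA9876543210") + bytes([0xD2, 3, 0x01, 0xAA, 0xBB])
```

On a real entry, pass `open("~/.password-store/<entry>.gpg", "rb").read()` (path expanded) to `pkesk_key_ids`; the list shows the recipient order written at `--encrypt` time, which the post suggests governed which subkey gnupg 2.2 tried first.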
