Can preferred order of decryption keys be specified?

Werner Koch wk at
Mon Oct 16 09:56:21 CEST 2023

On Sat, 14 Oct 2023 12:06, Martin Jambor said:

> Is there a way to specify a preferred decryption key (that is different
> from the default signing key)?

Although we meanwhile have a way to set preferences for ssh keys [1] we
don't have this for decryption keys.  :-(

> Incidentally, does anybody know how to convince emacs EasyPG to pass
> --no-throw-keyids to GPG? :-)

Elisp is easy to modify ;-).  One other idea: Replace the throw-keyid in
gpg.conf by

--8<---------------cut here---------------start------------->8---
[getenv no_throw_keyid NO_THROW_KEYID]
[if $no_throw_keyid -z ]
--8<---------------cut here---------------end--------------->8---

and then have Emacs to set the NO_THROW_KEYID envvar to 1 or so.



[1] In the respective .key file you may put this name/value:
*** Use-for-ssh
If given and the value is "yes" or "1" the key is allowed for use by
gpg-agent's ssh-agent implementation.  This is thus the same as
putting the keygrip into the 'sshcontrol' file.  Only one such item
should exist.  If another non-zero value between 1 and 99999 is used,
this is taken to establish the order in which the keys are returned to
ssh; lower numbers are returned first.  If a negative value is used
this overrides currently active (inserted) cards and thus allows to
prefer on-disk keys over inserted cards.  A value of -1 has the
highest priority; values are capped at -999 and have a lower priority
but still above the positive values, inserted cards or the order in

The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 247 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list