Re: prefered key/subkey for decryption
Hi! On Tue, 5 Dec 2023 00:00, Maxime de Roucy said: > On gnupg 2.4.3 the fist subkey tried is the "local" one. > I think that it's because the "local" subkey is rsa4096, which is more secure > than rsa2048 (the yubikey subkey). No, there is such logic. > I found --personal-cipher-preferences, --personal-digest-preferences and > --personal-compress-preferences but as both subkeys are RSA… it doesn't help. That does not help with decryption. In general this problem shows up if you receive a lot of mails using an anonymous recipients (--throw-keyids) and gpg ask you to insert all your cards one after the ther. We have this TODO item in the code: /* FIXME: The list needs to be sorted so that we try the keys in * an appropriate order. For example: * - On-disk keys w/o protection * - On-disk keys with a cached passphrase * - On-card keys of an active card * - On-disk keys with protection * - On-card keys from cards which are not plugged it. Here a * cancel-all button should stop asking for other cards. * Without any anonymous keys the sorting can be skipped. */ Your use case is very similar and such a sorting would also be helpful. Another way to implement this might be by using a similar thing to what we allow for ssh-keys (see gnupg/agent/keyformat.txt) in the private key files: *** Use-for-ssh If given and the value is "yes" or "1" the key is allowed for use by gpg-agent's ssh-agent implementation. This is thus the same as putting the keygrip into the 'sshcontrol' file. Only one such item should exist. If another non-zero value between 1 and 9 is used, this is taken to establish the order in which the keys are returned to ssh; lower numbers are returned first. If a negative value is used this overrides currently active (inserted) cards and thus allows to prefer on-disk keys over inserted cards. A value of -1 has the highest priority; values are capped at -999 and have a lower priority but still above the positive values, inserted cards or the order in sshcontrol. Sorry, for not having a better answer. > (reminder: all subkeys are derived from the same primary key). Sure that you derived them? What we do is to bind subkeys to a primary key and then the sender selects the latest valid subkey for encryption. Salam-Shalom, Werner -- The pioneers of a warless world are the youth that refuse military service. - A. Einstein openpgp-digital-signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
prefered key/subkey for decryption
Hello, Here is my setup: * I have a primary key, which I keep in a secure location. * from this primary key I created many subkeys, one for each of my tool (laptop, cellphone, server, etc.) * I also have a yubikey, which hold one of my secret subkey. On my laptop I have only 2 secret subkeys available: * a "local" one (on my keyring, on my disk), using rsa4096 * the one on my yubikey (only when my yubikey is plugged), using rsa2048 I use password-store as a password manager. All my password/files are encrypted with all my private subkey (reminder: all subkeys are derived from the same primary key). So when I try to decrypt one of my password-store password (when I try to `--decrypt` on of the `~/.password-store/…` files), gnupg can use either my "local" subkey or the "yubikey" one. When I was using gnupg 2.2.41 the first subkey that was tried is the yubikey one. I think it was because it's was the first subkey of the list used when I --encrypt the password/files. Which is what I prefer (because the "local" one is protected by a much longer password). On gnupg 2.4.3 the fist subkey tried is the "local" one. I think that it's because the "local" subkey is rsa4096, which is more secure than rsa2048 (the yubikey subkey). I would like gnupg to try the yubikey subkey first. (I would like the "local" subkey to be tried only when the yubikey isn't plugged). I found --personal-cipher-preferences, --personal-digest-preferences and --personal-compress-preferences but as both subkeys are RSA… it doesn't help. Is it possible ? Is there an option I missed ? What do you suggest ? Do you need more informations ? -- Thank you in advance Regards ___ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
