Hello,

Here is my setup:

* I have a primary key, which I keep in a secure location.
* From this primary key I created many subkeys, one for each of my tools (laptop, cellphone, server, etc.).
* I also have a yubikey, which holds one of my secret subkeys.

On my laptop I have only 2 secret subkeys available:

* a "local" one (on my keyring, on my disk), using rsa4096
* the one on my yubikey (only when my yubikey is plugged in), using rsa2048

I use password-store as a password manager. All my passwords/files are encrypted with all my private subkeys (reminder: all subkeys are derived from the same primary key).

So when I try to decrypt one of my password-store passwords (when I try to `--decrypt` one of the `~/.password-store/…` files), gnupg can use either my "local" subkey or the "yubikey" one.

When I was using gnupg 2.2.41, the first subkey that was tried was the yubikey one. I think it was because it was the first subkey of the list used when I `--encrypt` the passwords/files. Which is what I prefer (because the "local" one is protected by a much longer password).

On gnupg 2.4.3 the first subkey tried is the "local" one. I think that it's because the "local" subkey is rsa4096, which is more secure than rsa2048 (the yubikey subkey).

I would like gnupg to try the yubikey subkey first. (I would like the "local" subkey to be tried only when the yubikey isn't plugged in.)

I found `--personal-cipher-preferences`, `--personal-digest-preferences` and `--personal-compress-preferences`, but as both subkeys are RSA… it doesn't help.

Is it possible? Is there an option I missed? What do you suggest? Do you need more information?

--
Thank you in advance
Regards