On Fri,  9 Feb 2018 14:25, ambre...@gmail.com said:

> this time the SSH key is obviously encrypted with the same passphrase as
> my GPG key, since it's part of it.  Any clue why gpg-agent keeps asking?

gpg (or, more correctly, gpg-agent) can't know which passphrase is used for each
key or subkey.  Passphrases are cached on a per-subkey basis and thus you
will see a passphrase query for each new subkey.

You may now wonder why this does not happen when you decrypt a mail,
reply to it and sign the reply.  Two subkeys (or the primary and the
encryption subkey) are involved in this workflow.  Because this is so
common, gpg-agent knows about it and tries the last passphrase used for
any of the subkeys of a key.  It does not do this for an
authentication subkey, though.  Thus you have to enter it again for ssh.

Note that we can't do trial decryption using several remembered
passphrases because that would take noticeably long for the user.  For
security reasons each passphrase decryption takes about 100ms.


Thoughts are free.  Exceptions are regulated by a federal law.

Gnupg-users mailing list
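
Added example, not part of the original message or of GnuPG: a way to see the per-subkey cache state described above by joining the keygrips from gpg's colon listing with the CACHED column of gpg-agent's KEYINFO status lines. The function names, key IDs and keygrips are constructed for illustration, and only the cache state is modelled, not the agent's retry of the last passphrase for sign/encrypt.

```python
# Constructed sample data. On a real system the two inputs come from:
#   gpg --with-colons --with-keygrip --list-secret-keys
#   gpg-connect-agent 'keyinfo --list' /bye
G_PRI, G_ENC, G_AUT = "A1" * 20, "B2" * 20, "C3" * 20  # made-up keygrips
SAMPLE_COLONS = f"""\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESCA:
grp:::::::::{G_PRI}:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:
grp:::::::::{G_ENC}:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::a:
grp:::::::::{G_AUT}:
"""
# State after decrypting one mail: only the encryption subkey is cached.
SAMPLE_KEYINFO = f"""\
S KEYINFO {G_PRI} D - - - P - - -
S KEYINFO {G_ENC} D - - 1 P - - -
S KEYINFO {G_AUT} D - - - P - - -
OK
"""

def keygrip_usage(colons):
    """Map keygrip -> (keyid, own capabilities) from a colon listing."""
    out, current = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            # Field 12: lowercase letters are this key's own capabilities,
            # uppercase ones summarise the whole key and are dropped here.
            current = (f[4], "".join(c for c in f[11] if c.islower()))
        elif f[0] == "grp" and current:
            out[f[9]] = current  # field 10 of a grp record is the keygrip
    return out

def cached_keygrips(keyinfo):
    """Map keygrip -> True if the agent reports a cached passphrase."""
    out = {}
    for line in keyinfo.splitlines():
        p = line.split()
        if p[:2] == ["S", "KEYINFO"]:
            out[p[2]] = p[6] == "1"  # CACHED column: '1' or '-'
    return out

def needs_prompt(colons, keyinfo, cap):
    """True if the (sub)key with capability `cap` has no cache entry."""
    cached = cached_keygrips(keyinfo)
    return any(cap in caps and not cached.get(grip, False)
               for grip, (_, caps) in keygrip_usage(colons).items())

if __name__ == "__main__":
    for cap in "sea":
        print(cap, needs_prompt(SAMPLE_COLONS, SAMPLE_KEYINFO, cap))
```
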
