On Fri, 9 Feb 2018 14:25, ambre...@gmail.com said:

> this time the SSH key is obviously encrypted with the same passphrase as
> my GPG key, since it's part of it. Any clue why gpg-agent keeps asking?

gpg (or more correctly gpg-agent) can't know which passphrase is used for each key or subkey. Passphrases are cached on a per-subkey basis and thus you will see a passphrase query for each new subkey.

You may now wonder why this does not happen when you decrypt a mail, reply to it and sign the reply. Two subkeys (or the primary and the encryption subkey) are involved in this workflow. Because this is so common, gpg-agent knows about it and tries the last passphrase used for any of the subkeys of a key. It does not do this for an authentication subkey, though. Thus you have to enter it again for ssh.

Note that we can't do trial decryption using several remembered passphrases because that would take noticeably long for the user. For security reasons each passphrase decryption takes about 100ms.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupgemail@example.com
http://lists.gnupg.org/mailman/listinfo/gnupg-users
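
To see the per-subkey caching described in the message above, the following added example (not part of the original post) joins the colon listing from `gpg --list-secret-keys --with-colons --with-keygrip` with the `KEYINFO` status lines from `gpg-connect-agent 'keyinfo --list' /bye` and reports which subkeys have no cached passphrase. The key IDs, keygrips and both sample outputs are constructed for illustration.

```python
# Constructed sample data (not real keys), shaped like the output of:
#   gpg --list-secret-keys --with-colons --with-keygrip
#   gpg-connect-agent 'keyinfo --list' /bye
SAMPLE_KEYS = """\
sec:u:4096:1:AAAAAAAAAAAAAAA1:1500000000:::u:::scESC:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:AAAAAAAAAAAAAAA2:1500000000::::::e:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:AAAAAAAAAAAAAAA3:1500000000::::::a:
grp:::::::::3333333333333333333333333333333333333333:
"""
SAMPLE_KEYINFO = """\
S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - 1 P - - -
S KEYINFO 3333333333333333333333333333333333333333 D - - - P - - -
OK
"""

def parse_keygrips(colons):
    """Map keygrip -> (key id, own capabilities) from --with-colons output."""
    grips, current = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            # Field 12 holds capabilities; lowercase letters are this key's own.
            current = (f[4], "".join(c for c in f[11] if c.islower()))
        elif f[0] == "grp" and current:
            grips[f[9]] = current  # field 10 of a grp record is the keygrip
            current = None
    return grips

def parse_cached(keyinfo):
    """Map keygrip -> True if gpg-agent reports its passphrase as cached."""
    cached = {}
    for line in keyinfo.splitlines():
        t = line.split()
        if len(t) >= 7 and t[:2] == ["S", "KEYINFO"]:
            cached[t[2]] = (t[6] == "1")  # CACHED is "1" or "-"
    return cached

def uncached_subkeys(colons, keyinfo):
    """Return (key id, capabilities) for each key with no cached passphrase."""
    cached = parse_cached(keyinfo)
    return [info for grip, info in parse_keygrips(colons).items()
            if not cached.get(grip, False)]

if __name__ == "__main__":
    for keyid, caps in uncached_subkeys(SAMPLE_KEYS, SAMPLE_KEYINFO):
        print(f"{keyid} [{caps}] not cached: expect a passphrase prompt")
```

In the constructed sample the primary and encryption keygrips are cached while the authentication subkey is not, which is the state in which an ssh login would prompt again.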