On 06.04.20 at 01:15, Nathan Lilienthal wrote:
> I was hoping to have a way to reliably configure which GPG ID it
> prompts me about first, since I would like to have a PIN activated
> smartcard first (if plugged in), then fall back to another on device
> key, with a longer password.
Hi,

could you perhaps set a passphrase on the GPG key you use to encrypt your files? You can then configure GPG to always ask for the passphrase instead of caching it, see "--default-cache-ttl": https://www.gnu.org/software/emacs/manual/html_node/pgg/Caching-passphrase.html

Or, but perhaps not exactly the workflow that you described: you can encrypt your .gpg pass files using a private key that is stored on a smartcard (such as a Yubikey). From now on you will need the smartcard to be plugged into your computer to decrypt files. You can configure the smartcard to have a PIN. The first time you try to decrypt a file, you will be prompted for this PIN and the passphrase you might have set for the GPG key. By default the Yubikey asks for a PIN only the first time after being plugged in. If you remove it and plug it in again you will be prompted for the PIN again. Maybe it can be configured to ask for the PIN every time, if this is your use case.

Clearly, the smartcard will now be essential to decrypt your files. If you lose it or forget the passphrase, you can throw away all your encrypted pass files.

If you need a generic PIN prompt from a smartcard but you don't want to store the GPG private key on it, I think you might need another authentication layer behind pass (a sort of "login" auth system).

Hope this helps,
Regards
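As an added illustration of the "always ask for the passphrase" advice above (this is not code from the thread or from pass), the following POSIX shell function inspects a gpg-agent.conf and reports whether passphrase caching is effectively switched off, i.e. whether both cache TTLs are 0; the helper that writes a demo file is constructed for the example, and the usual path ~/.gnupg/gpg-agent.conf is only assumed in a comment.

```shell
#!/bin/sh
# Added example: check whether a gpg-agent.conf disables passphrase caching,
# so that every decryption of a pass entry prompts for the passphrase again.
# The two options are real gpg-agent settings; gpg-agent's own defaults are
# default-cache-ttl 600 seconds and max-cache-ttl 7200 seconds.

# cache_disabled <path-to-gpg-agent.conf>
# Returns 0 when both default-cache-ttl and max-cache-ttl are set to 0.
cache_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # If an option appears more than once, look at the last occurrence.
    def=$(grep -E '^[[:space:]]*default-cache-ttl[[:space:]]+' "$conf" | tail -n 1 | awk '{print $2}')
    max=$(grep -E '^[[:space:]]*max-cache-ttl[[:space:]]+' "$conf" | tail -n 1 | awk '{print $2}')
    # Fall back to gpg-agent's defaults when an option is absent.
    : "${def:=600}" "${max:=7200}"
    [ "$def" -eq 0 ] && [ "$max" -eq 0 ]
}

# Constructed demo: write a strict config into a temporary directory and
# print its path. In real use the file would be ~/.gnupg/gpg-agent.conf
# (assumed default location), followed by: gpgconf --reload gpg-agent
make_strict_conf() {
    dir=$(mktemp -d)
    printf 'default-cache-ttl 0\nmax-cache-ttl 0\n' > "$dir/gpg-agent.conf"
    echo "$dir/gpg-agent.conf"
}

# Stand-alone usage: report on the demo file.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_strict_conf)
    if cache_disabled "$f"; then
        echo "caching disabled in $f"
    else
        echo "caching still active in $f"
    fi
fi
```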
