GPG ID Set Outside of `.gpg-id`?

password-store at password-store at
Mon Apr 6 09:06:16 CEST 2020

Am 06.04.20 um 01:15 schrieb Nathan Lilienthal:
> I was hoping to have a way to reliably configure which GPG ID it
> prompts me about first, since I would like to have a PIN activated
> smartcard first (if plugged in), then fall back to another on device
> key, with a longer password.


could you perhaps set a passphrase on the GPG key you use to encrypt
your files? You can then configure GPG to always ask for the passphrase
instead of caching it, see "--default-cache-ttl":

Or, but perhaps not exactly the workflow that you described:

you can encrypt your .gpg pass files using a private key that is stored
on a smartcard (such as a Yubikey). From now on you will need the
smardcard to be plugged into your computer to decrypt files.

You can configure the smartcard to have a PIN. The first time you will
try to decrypt a file, you will be prompted for this PIN and the
passphrase you might have set for the GPG key. By default the Yubikey
asks for a PIN only the first time after being plugged. If you remove it
and plug it again you will be prompted for the PIN again. Maybe it can
be configured to ask for the PIN everytime, if this is your usecase.

Clearly, the smartcard will now be essential to decrypt your files. If
you lose it or forget the passphrase, you can throw away all your
encrypted pass files.

If you need a generic PIN prompt from a smartcard but you don't want to
store the GPG private key on it, I think you might need another
authentication layer behind pass (a sort of "login" auth system).

Hope this helps,


More information about the Password-Store mailing list