GPG sub-keys

Wiktor Kwapisiewicz wiktor at
Tue Jan 4 12:29:48 UTC 2022

On 4.01.2022 13:04, Jan Christian Grünhage wrote:
> Because if they're all to be treated the same, you can just use
> the primary key ID and pass should still just use the encryption
> sub-keys available for that PGP key.

Nope, GnuPG will use just one single valid, most recent encryption 
subkey and completely disregard all others. For the record this part is 
actually not specified in the OpenPGP spec and other implementations 
(such as Sequoia PGP or OpenKeychain) do it differently, and - in my 
opinion - better: they encrypt to all valid encryption subkeys.

GnuPG actually makes it worse because using subkey fingerprint will not 
use that fingerprint but rather use the following logic:
   - if the fingerprint is for subkey look go to primary key,
   - if you want encryption subkey from primary find the most recent 
encryption subkey.

The workaround is, as Grégoire mentioned, to append "!" to the 
fingerprint. That will force it to use that exact specific key.

Kind regards,

More information about the Password-Store mailing list