[Feature Request] multiple file selection in addition to password and "no file" agent

devm23k73ju29h3r at dolce-energy.com devm23k73ju29h3r at dolce-energy.com
Tue Jun 9 10:11:21 CEST 2026


Hi,

Since password requirements are getting worse each year, soon it will be 
impossible to remember one (and more so if you try to use something that 
you can actually remember). I'm waiting for the update of 
https://www.hivesystems.com/blog/are-your-passwords-in-the-green?utm_source=tabletext 
to see the new requirements.

Moreover, due to the AI hype, computing power will increase (and if not the 
pure computing power of a single system, there will be several systems 
doing parallel work).

Even I find it more and more problematic, not to speak of my mother....

I have used VeraCrypt for a long time now, as well as KeePassXC. What I love 
is the ability to use a file in addition to the password; this solves the 
strength issue really well, you just have to remember a file or 2 or more 
(sadly only one file for KeePassXC) and it computes a password based on 
the file content (I didn't look at the code, but doing a sha256 hash will 
produce a 64 [A-Z][a-z][0-9] password that is purely random, so no dictionary 
attack, and surely a strength that won't allow even a parallel brute force 
attack).

This requires little knowledge to remember, and every file can be used: just 
pick your favorite family photo, vacation photo, song, a video... 
anything, as long as you won't modify it.... easy....

So I would like to use the same for my GPG keys... (and SSH keys)

Some ideas: allow in pinentry to enter a password and select multiple 
files.... for each entry, compute a hash of the content, then apply 
deciphering recursively (decipher once with the first hash, then 
decipher the result with the second...).

This would not even allow one to know if the password provided was truly 
guessed: the result is still random bytes, so you can't know you truly 
guessed the password, so even a weak password could become strong (am I 
right?).

Another thing that bothers me is the storage of private keys... ok, they 
are protected, armored... but they are still on disk... I still use ssh-agent 
because of this: KeePassXC can store the private key and feed it 
to the ssh-agent without a temporary file (pure memory transfer).

For gpg, I use a VeraCrypt container to store the keys and mount it; 
hopefully gpg-agent does detect that new files are available and parses 
them. BUT VeraCrypt doesn't allow "timeout mount / screenlock unmount", 
so if I forget to unmount it, the files are accessible until I 
notice that I forgot...

And last, there is a feature I like in VeraCrypt: the possibility to give 
false information. Imagine my family was kidnapped and I'm asked to send 
an authenticated email to someone in my firm so that they perform some 
action... I have to choose... family? work?... and so disclose the 
unlock information.

What I would love is the VeraCrypt threat security mechanism: 2 
private keys in the same key file; if I provide one password/file I get 
the 1st key, if I provide another I get the second key. This could 
allow disclosing "I'm under threat" information without anyone knowing 
it: I just choose the key, provide the "I'm under threat" information to 
the person, write the requested message, encrypt it, sign it, send it, 
and on the other end the receiver sees the message... and sees that I'm 
under threat, and can take appropriate action...

For some sensitive firms, this is invaluable information... and the 
threatener can't know what I've done... everything is fine. Having 2 
keyfiles is an option, but a clever person can see that I've 2 
identities and can take actions with unknown consequences.

thanks and regards
JL
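As an added illustration (not code from this request, from GnuPG, or from KeePassXC) of the composite-key idea in the message, the block below folds a password plus the digests of one or more key files into a single derived key. It uses a concatenate-and-hash construction stretched with PBKDF2 rather than the chained decryption sketched in the mail; the "key files", the salt and the password are constructed sample values.

```python
import hashlib

# Constructed sample "key files" standing in for the photo/song the mail mentions.
FAMILY_PHOTO = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4
VACATION_SONG = b"ID3\x03\x00" + b"constructed sample audio bytes" * 8
SALT = b"constructed-16-byte-salt"  # in practice random per key, stored beside it


def keyfile_digest(data: bytes) -> bytes:
    """Hash the raw content of one key file.  Any file type works as long as
    it is never modified: a single changed bit changes the whole digest."""
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfiles: list[bytes], salt: bytes = SALT,
                  iterations: int = 200_000) -> bytes:
    """Derive one 32-byte key from the password plus the ordered key files.

    Each component is hashed separately, the digests are concatenated (so the
    order of the files matters) and PBKDF2 stretches the result.  Someone who
    guesses the password still needs every key file to reproduce the key,
    which is what lets a short password be acceptable in this setup.
    """
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    parts += [keyfile_digest(kf) for kf in keyfiles]
    composite = hashlib.sha256(b"".join(parts)).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


def demo() -> dict[str, bool]:
    """Show which changes to the inputs alter the derived key (constructed inputs)."""
    base = composite_key("weak-pw", [FAMILY_PHOTO, VACATION_SONG])
    tampered = FAMILY_PHOTO[:-1] + bytes([FAMILY_PHOTO[-1] ^ 0x01])  # flip one bit
    return {
        "deterministic": base == composite_key("weak-pw", [FAMILY_PHOTO, VACATION_SONG]),
        "order_matters": base != composite_key("weak-pw", [VACATION_SONG, FAMILY_PHOTO]),
        "file_bit_flip_changes_key": base != composite_key("weak-pw", [tampered, VACATION_SONG]),
        "password_alone_is_not_enough": base != composite_key("weak-pw", []),
        "missing_one_file_fails": base != composite_key("weak-pw", [FAMILY_PHOTO]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```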



More information about the Gnupg-devel mailing list