Re: [Feature Request] multiple files selection in addition to password and "no file" agent

devm23k73ju29h3r at dolce-energy.com devm23k73ju29h3r at dolce-energy.com
Thu Jun 11 19:57:06 CEST 2026


On 11/06/2026 at 14:25, Robert J. Hansen via Gnupg-devel wrote:
>> so the one you used on every website, every ssh key, every gpg key, 
>> that is created with the same pattern you usually use on all passwords 
>> that leaked on the darknet? that is weak to dictionary attack? (just 
>> because you're human, and a human constructs itself on patterns it employs)
>
> What? No.
>
> I memorize a 128-bit random sequence for my passphrase manager and use 
> that to store everything else, and each year I print out the contents 
> and drop a copy in my bank safe deposit box.
>
>>> I'm glad you haven't had this experience. As soon as you do and 
>>> discover your encrypted documents are now unreadable, you might 
>>> change your mind.
>>
>> it's 15 years or more that I use this...
>
> When playing Russian roulette, the fact you haven't died yet should 
> not fill you with confidence for the future.

lol, with copies of required files stored in multiple locations and 
duplicated at random places only I know? this is a strange Russian 
roulette... what is great with files is that they don't have to be 
hidden, I don't have to have a single armored file... anything on my 
computer can serve as a key, and the more common they are, the less 
likely it can be guessed... it got corrupted? fine... I've another 
elsewhere... they are just regular files, if you don't know the value, 
it's like having a raw gemstone: it looks like a regular stone, only 
someone who knows will make it into jewellery

anyway, if I want to play Russian roulette, it's my right, no? or do 
you also have the right to say that it's evil and say how users should 
behave for their own good? as long as I choose it for myself, I know the 
consequences, you might find it dangerous, what is next? you'll forbid 
me to climb? do speleology? diving? ski touring? I don't force you to it, 
you're free! I'm not some dictator or inquisitor of the faith that says 
what is right to think or do...

>
>>> You've invented a primitive key derivation function.
>>>
>>> Why is this better than Argon2 or PBKDF2, which are modern, peer-reviewed, 
>>> and successfully deployed key derivation functions?
>>
>> I'm not, I'm just storing something in my brain that I can remember 
>> easily
>
> No, you've literally invented a primitive KDF.
>
> Why use that primitive KDF over PBKDF2 or Argon2?

great, so I invented a way to transform something I know in some 
computer mind reading that is able to derive something I know into 
something a computer can use... I should put a patent on it "something 
you have in your brain, that a software can use without you having to 
perform actions into a derived cryptographic key"... the information is 
not the file itself... it's just a bunch of bytes... even a regular txt 
file can be used... what is important is not the file, it's HOW I KNOW 
how to use it.

the user can steal my passphrase manager, it's easy: find -type f 
-iname "*.kbdx", but to unlock it he also has to steal all the drive, 
hoping the drive contains the required file to unlock it... and also 
steal every storage I have... and then try everything that comes into his 
mind? did I use just a strong password? how many files did I use? in 
what order? just files or files with a password? have I stored all 
the required files on the same drive? or did I scatter them on 
multiple storage? did I use a decoy? did I only use a part of a file? 
or multiple files concatenated together and removed? well good luck!

for me, remembering is easy, I just have some memory of some events, or 
something I like, maybe some pdf I like? or a bd scan? an ebook? maybe 
the file is freely available on the internet? and know the way to use 
them... it's much easier for me than even remembering s@0g!A, but 
for someone else? he will never know my life, what memory is used. he 
can hack my computer using a zero day vulnerability... what will he do 
with this? he got my passkey database... and? can he bruteforce it? for 
bruteforce, you need something that is predictable, not something that 
is a bunch of any combination the user can invent. The only way to know 
it is a RAT, but, maybe I also use a fido key to store some secret? 
hahaha...

what do PBKDF2 or Argon2 produce? they produce something that looks like 
random bytes of a given size, it's easy to know that this file is likely 
a result of a key derivation....
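
An added example, not part of this message and not GnuPG code: one way to feed an ordered set of keyfiles plus a passphrase through PBKDF2 (the KDF named in the quoted reply), showing that the key depends on file order and that one flipped bit in any keyfile yields a different key, which is the corruption case raised in the quoted text. The function names, salt, passphrase and file contents are constructed assumptions; the salt is assumed to be stored next to the encrypted data.

```python
import hashlib


def keyfile_material(files):
    """Hash each keyfile, then hash the ordered sequence of digests."""
    outer = hashlib.sha256()
    for data in files:
        outer.update(hashlib.sha256(data).digest())
    return outer.digest()


def derive_key(passphrase, files, salt, iterations=100_000):
    """Stretch passphrase + ordered keyfiles into a 32-byte key with PBKDF2."""
    pw = passphrase.encode("utf-8")
    # Length prefix keeps the passphrase/keyfile boundary unambiguous.
    secret = len(pw).to_bytes(4, "big") + pw + keyfile_material(files)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def flip_bit(data, bit_index):
    """Simulate silent corruption: flip a single bit in a keyfile."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# Constructed sample inputs (stand-ins for real files on disk).
SALT = bytes(range(16))
FILE_A = b"%PDF-1.4 constructed sample document\n" * 64
FILE_B = b"constructed plain text notes\n" * 128
PASSPHRASE = "constructed example passphrase"


def demo():
    base = derive_key(PASSPHRASE, [FILE_A, FILE_B], SALT)
    swapped = derive_key(PASSPHRASE, [FILE_B, FILE_A], SALT)
    rotted = derive_key(PASSPHRASE, [flip_bit(FILE_A, 1000), FILE_B], SALT)
    return {
        "key_length": len(base),
        "repeatable": base == derive_key(PASSPHRASE, [FILE_A, FILE_B], SALT),
        "order_matters": base != swapped,
        "bit_rot_changes_key": base != rotted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because any single-bit change produces an unrelated key, every keyfile needs a verified backup (for example a stored SHA-256 digest to check copies against) before it is relied on.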



