
In short (Edit 1): How to make gpg -qd --pinentry-mode loopback out.gpg cache the passphrase for a period of time in the CLI. It used to cache, but now it doesn't.

Edit 2: I have tried this in both the Kubuntu 24.04 live ISO image and a very old live ISO image from 2017 called GParted Live. In the GParted live ISO, --pinentry-mode loopback caches the passphrase, but not in the Kubuntu live ISO.

Edit 3: I have tested in Kubuntu 22.04, 23.10 and 24.04 using https://distrosea.com, and gpg --pinentry-mode loopback symmetric decryption does indeed not cache the passphrase, except in 22.04.

And now the boring details:

In Kubuntu 22.04, I used to use these commands to create an encrypted file from stdin and to decrypt it:

gpg --pinentry-mode loopback --output out.gpg --symmetric - to encrypt

gpg --pinentry-mode loopback -qd out.gpg to decrypt.

While in a terminal session, the decryption command used to ask for the passphrase once for a certain time, and I don't remember doing anything to get this behavior.

Now I have upgraded to Kubuntu 24.04 (by fully erasing the disk). But now, the decryption command above always asks for the passphrase in the same terminal session.

If I remove --pinentry-mode loopback, then the pinentry-qt dialog kicks in, and finally the decryption command stops asking for the passphrase for subsequent decryption commands with --pinentry-mode loopback.

So pinentry-qt correctly caches the passphrase, but any subsequent --pinentry-mode loopback command requires a passphrase input with pinentry-qt in order not to ask for the passphrase again.

I installed pinentry-tty and set the config in ~/.gnupg/gpg-agent.conf to:

pinentry-program /usr/bin/pinentry-tty

and reloaded the agent with:

gpg-connect-agent reloadagent /bye

This actually solves my problem by decrypting without using --pinentry-mode loopback. But what I want is the old (no config) behavior so I can avoid updating all my scripts.

  • I have the same problem: it worked fine in Kubuntu 22.04 but it doesn't work on Debian 13 trixie/testing. Commented Mar 29 at 13:30

1 Answer


The gpg-agent(1) manpage (man 1 gpg-agent) states:

OPTIONS

Options may either be used on the command line or, after stripping off the two leading dashes, in the configuration file.

[...]

--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset. To set an entry's maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.

[...]

--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).

so, by adding, e.g.

default-cache-ttl 60480000
max-cache-ttl 60480000

to $HOME/.gnupg/gpg-agent.conf and restarting gpg-agent, the cache entries will be kept for 700 days, or a bit less than two years. The cache is cleared when the gpg-agent is restarted, though (which can happen, for example, on reboot).

  • As the man page says: 'The default is 600 seconds'. gpg -qd --pinentry-mode loopback out.gpg always asks for the passphrase even within that default time period. Note that this is symmetric-key encryption, not public/private-key based. If I use public/private keys, then it caches the passphrase with --pinentry-mode loopback correctly. Commented May 22, 2024 at 15:34
  • Have you added the two lines from the answer to your $HOME/.gnupg/gpg-agent.conf and restarted gpg-agent (pkill gpg-agent)? On my system (OpenBSD 7.5, GnuPG 2.4.4), after killing the gpg-agent, the command gpg -d --pinentry-mode loopback file.gpg asks for the passphrase the first time, but each subsequent invocation doesn't ask for the passphrase (i.e. it is cached). Commented May 22, 2024 at 15:39
  • I have tried those settings before asking the question but also after your comment. It still doesn't work. Commented May 22, 2024 at 15:48
  • That is strange, since I also tried creating the encrypted file using the gpg --pinentry-mode loopback --symmetric file, and decrypting it with gpg-agent -qd --pinentry-mode loopback file.gpg > file.out and the second command also didn't ask for a password on my system, with the gpg-agent using the above settings in the $HOME/.gnupg/gpg-agent.conf file. Commented May 22, 2024 at 16:16
  • Again, restarting gpg-agent is an important step; it doesn't dynamically reload the settings from the configuration file, but every instance of it must be killed for the settings to take effect. Commented May 22, 2024 at 16:23
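The answer's two TTL lines plus the restart step from the comments, and the question's symmetric --pinentry-mode loopback scenario, as an added shell script. This is example code written for this page, not the answerer's, the asker's or GnuPG's own code. It assumes GnuPG 2.x with gpg, gpg-agent and gpgconf on PATH; the throwaway GNUPGHOME, the sample plaintext and the 700-day TTL value are constructed for the demo. It goes a little beyond the answer: the config edit replaces earlier default-cache-ttl / max-cache-ttl lines instead of appending duplicates, and the check runs the second decryption with --batch, where gpg cannot fall back to prompting, so "cached" versus "not-cached" reflects what the agent actually returned rather than a guess.

```shell
#!/bin/sh
# Added example for this page, not code from the question, the answer or GnuPG.
# Assumes GnuPG 2.x (gpg, gpg-agent, gpgconf). The temp GNUPGHOME, sample file
# and TTL value below are constructed for the demo.
set -u

# Write default-cache-ttl / max-cache-ttl into a gpg-agent.conf, dropping any
# earlier setting of those two keys and keeping every other line as it was.
write_agent_ttl() {
    conf=$1
    ttl=$2
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    grep -v -E '^[[:space:]]*(default-cache-ttl|max-cache-ttl)([[:space:]]|$)' \
        "$conf" > "$tmp" || true
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$ttl" >> "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    chmod 600 "$conf"
}

# gpg-agent does not pick up a changed config by itself; kill it so the next
# gpg call starts a fresh agent with the new TTLs. This also empties the cache.
restart_agent() {
    gpgconf --kill gpg-agent
}

# Empirical check in an isolated GNUPGHOME (subshell body, so the exported
# GNUPGHOME does not leak into the caller): encrypt symmetrically, decrypt once
# with --pinentry-mode loopback (passphrase typed on the tty), then decrypt again
# with --batch. In batch mode gpg cannot prompt, so the second run succeeds only
# if the agent handed back a cached passphrase.
cache_check() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    write_agent_ttl "$GNUPGHOME/gpg-agent.conf" 60480000
    printf 'hello\n' > "$GNUPGHOME/plain.txt"          # constructed sample input
    gpg --quiet --pinentry-mode loopback --symmetric \
        --output "$GNUPGHOME/out.gpg" "$GNUPGHOME/plain.txt" || exit 1
    gpg --quiet --pinentry-mode loopback -d "$GNUPGHOME/out.gpg" > /dev/null || exit 1
    if gpg --batch --quiet --pinentry-mode loopback -d "$GNUPGHOME/out.gpg" \
        > /dev/null 2>&1; then
        echo cached
    else
        echo not-cached
    fi
    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
)

# apply: edit the real ~/.gnupg/gpg-agent.conf and restart the agent.
# check: run the cache experiment in a throwaway home and print the verdict.
case "${1:-}" in
    apply) write_agent_ttl "$HOME/.gnupg/gpg-agent.conf" 60480000 && restart_agent ;;
    check) cache_check ;;
esac
```

Run sh gpg-cache-ttl.sh check first: it prompts for the passphrase on the terminal (twice while encrypting, and once more before the second decryption if the agent did not cache it at encryption time) and then prints cached or not-cached. A not-cached result with the TTL lines in place and a freshly started agent is the behaviour the question describes on 24.04; cached is what the commenter sees on GnuPG 2.4.4. Only then run apply, which touches the real gpg-agent.conf and kills every running agent, clearing whatever is cached.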
