5

I'm using gnupg 2.1.2. Usually it is quite handy when gnupg caches my passwords. But for some sensitive programs I would prefer that gnupg does not cache them with gpg-agent. I searched a good while on the internet but did not find a lot of useful information. How can I tell gnupg that I do not want a passphrase for a specific program cached?

Here is an example. I'm using Mutt as my MUA and I encrypt my passwords for all my accounts in a separate file under ~/.mutt/.passwd.gpg. In my ~/.muttrc I set

source "/usr/bin/gpg -d --quiet ~/.mutt/.passwd.gpg |"

When I start Mutt for the first time I will be asked for my private key password by gpg. When I have entered it this password will be cached for some time by gpg. Hence, when I start Mutt again in this interval I am not prompted for my private key password anymore. This means anyone with access to my computer during this time could read my mail or even send mail. How can I tell gpg (e.g. by passing an option to gpg although the man-page does not show any related flag) to prompt for my private key password every time I start Mutt (or any other specific program)? I realize it may not even be possible as gpg is probably unaware of which program tries to access an encrypted file. But I'd like to have this confirmed by our great community.

Improve this question
1
  • Perhaps I misunderstood your question; as soon as you are using gpg-agent, an attacker taking control of your keyboard can use your GPG credentials... Wouldn't you be better of with gpg-agent uninstalled if this is a concern? Commented Mar 31, 2015 at 14:44

3 Answers 3

Reset to default
2

This might not be very elegant, but to me, it works. Just kill the daemon immediately after using gpg:

killall gpg-agent

(yeah, f**k it!)

It will restart automatically next time it is invoked by gpg or any other program. And by using it this way, the default time passwords are cached will not change (you may not want the same behavior for other programs).

Improve this answer
1

The documentation for gpg-agent says "gpg-agent uses an environment variable to inform clients about the communication parameters". It doesn't give the actual environment variable name, but some testing indicates that the relevant variable is GPG_AGENT_INFO. I would suggest changing your mutt config to the following:

source "unset GPG_AGENT_INFO; /usr/bin/gpg -d --quiet ~/.mutt/.passwd.gpg |"

A perhaps simpler solution would be to pass --no-use-agent to gpg.

Note that this doesn't prevent an attacker from calling gpg with the agent enabled, if your credentials have been cached (perhaps because you let gpg-agent cache them from outside of Mutt). So, even if gpg-agent knew to discriminate against mutt specifically, it wouldn't be a very strong security measure.

Improve this answer
4
  • 2
    Thanks. The Problem is that gnupg >= 2.1 does neither obey --no-use-agent nor GPG_AGENT_INFO. At least according to the man-page: "GPG_AGENT_INFO This variable was used by GnuPG versions before 2.1"; "--no-use-agent This is dummy option. gpg2 always requires the agent.". Commented Mar 31, 2015 at 15:12
  • 1
    Ahhh. Right, gpg-agent isn't optional with GnuPG 2.1. Perhaps configuring it with a low value of --default-cache-ttl and friends would be good enough? The default appears to be 10 minutes. Commented Mar 31, 2015 at 15:43
  • 2
    Yeah, I set default-cache-ttl 0 in gpg-agent.conf. However, this will affect all programs. Commented Apr 1, 2015 at 7:17
  • --no-use-agent is deprecated. no effect. Commented Dec 14, 2022 at 12:18
0

Restart the agent with 1 second cache interval for example, almost like no cache

pkill gpg-agent && gpg-agent --default-cache-ttl 1 --use-standard-socket --daemon

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.