Thursday, November 9, 2017

GnuPG: how to prevent pass-phrase caching

For Linux Mint 18.2 where both gpg and gpg2 are present
(also helpful for Debian 9 and Ubuntu 16.04 and later)

$ gpg --version
gpg (GnuPG) 1.4.20

$ gpg2 --version
gpg (GnuPG) 2.1.11

There is no password caching in this setup with gpg 1.4 in both symmetrical and asymmetrical modes
$ gpg -c test.txt
$ gpg test.txt.gpg
and immediate repetition invokes pass-phrase prompt:
$ gpg test.txt.gpg

$ gpg -e test2.txt
$ gpg test2.txt.gpg
$ gpg test2.txt.gpg

It is not so in case of gpg 2.1

$ gpg2 -c test.txt
$ gpg2 test.txt.gpg
no pass-phrase prompt after several minutes:
$ gpg2 test.txt.gpg

$ gpg2 -e test2.txt
$ gpg2 test2.txt.gpg
no pass-phrase prompt after several minutes:
$ gpg2 test2.txt.gpg

So, you can set gnupg-agent in such a way:

1. install gnupg-agent (if not installed)

sudo apt install gnupg-agent

2. uncomment (if necessarily) in ~/.gnupg/gpg.conf line


3. Create the file ~/.gnupg/gpg-agent.conf
For 1 minutes time limit populate it with lines

default-cache-ttl 60
max-cache-ttl 60

4. Restart your session (Cntr+Alt+Backspace)
or execute in terminal:
gpg-connect-agent reloadagent /bye

Additionally, to strengthen algo you can add to ~/.gnupg/gpg.conf these lines:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

For Linux Mint 17.x

It seems that there is no pass-phrase caching if GnuPG2 is not installed - try "Open With Decrypt File" in GUI.

If gpg2 is installed, and there is unwanted pass-phrase caching:


sudo apt-get install dconf-editor

- scroll down in the left part of dconf-editor window to desktop -> gnome -> crypto -> cache.
change gpg-cache-method to timeout
change gpg-cache-ttl to the number of seconds the passphrase to be cached, for eg, 120


double-check it with dconf-editor again (probably, there is inconsistency between applications and dconf and gconf):

sudo gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
sudo gsettings set org.gnome.crypto.cache gpg-cache-ttl 120

- install gnupg-agent (if not installed)

sudo apt install gnupg-agent

- uncomment or insert (if necessarily) in ~/.gnupg/gpg.conf line


- create file ~/.gnupg/gpg-agent.conf and populate it with lines (for 1 minute time limit):

default-cache-ttl 60
max-cache-ttl 60

sudo echo RELOADAGENT | gpg-agent
gpg-agent --default-cache-ttl 120
gpg-agent --max-cache-ttl 120
sudo echo RELOADAGENT | gpg-agent

Reboot your system.

Please note that the suggested above methods are related to GPG-keys. Pass-phrases for SSH-keys should be maintained separately.
It is important to understand that caching of gpg passwords till the end of session is a somewhat dubious practice and opens a possibility of a security issue.

No comments: