(also helpful for Debian 9 and Ubuntu 16.04 and later)
$ gpg --version
gpg (GnuPG) 1.4.20
$ gpg2 --version
gpg (GnuPG) 2.1.11
There is no passphrase caching with gpg 1.4 in this setup, in both symmetric and asymmetric modes:
$ gpg -c test.txt
$ gpg test.txt.gpg
and an immediate repetition prompts for the passphrase again:
$ gpg test.txt.gpg
$ gpg -e test2.txt
$ gpg test2.txt.gpg
$ gpg test2.txt.gpg
This is not the case with gpg 2.1, which always goes through gpg-agent and, out of the box, keeps a passphrase for 600 seconds after its last use (default-cache-ttl) and at most 7200 seconds in total (max-cache-ttl):
$ gpg2 -c test.txt
$ gpg2 test.txt.gpg
no passphrase prompt even after several minutes:
$ gpg2 test.txt.gpg
$ gpg2 -e test2.txt
$ gpg2 test2.txt.gpg
no passphrase prompt even after several minutes:
$ gpg2 test2.txt.gpg
So you can configure gnupg-agent as follows:
1. install gnupg-agent (if not installed)
sudo apt install gnupg-agent
2. uncomment (if necessary) in ~/.gnupg/gpg.conf the line
use-agent
(gpg2 2.1 always uses the agent and silently ignores this option; it is what makes gpg 1.4 hand its passphrase prompts to the agent instead of caching nothing)
3. Create the file ~/.gnupg/gpg-agent.conf
For a one-minute time limit populate it with the lines below: default-cache-ttl is the idle timeout in seconds, reset every time the cached entry is used, and max-cache-ttl is the hard cap after which the entry expires no matter how recently it was used
default-cache-ttl 60
max-cache-ttl 120
4. Restart your session (log out and back in, or Ctrl+Alt+Backspace where that shortcut is still enabled)
or execute in a terminal to make the running agent re-read its configuration (this also flushes every cached passphrase):
gpg-connect-agent reloadagent /bye
Additionally, to prefer stronger algorithms you can add these lines to ~/.gnupg/gpg.conf. personal-digest-preferences governs which hash you sign with, cert-digest-algo the hash used when certifying keys, and default-preference-list only the preferences written into keys you generate afterwards; an existing key keeps its old preferences until you change them with setpref in gpg --edit-key:
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
For Linux Mint 17.x
It seems that there is no passphrase caching unless GnuPG 2.x is installed.
If gpg2 is installed and there is unwanted passphrase caching, the cache you are seeing is usually the one of the GPG agent built into gnome-keyring, which is configured through these settings:
dconf-editor:
sudo apt-get install dconf-editor
dconf-editor
- in the left pane of the dconf-editor window scroll down to desktop -> gnome -> crypto -> cache
- change gpg-cache-method to timeout
- change gpg-cache-ttl to the number of seconds the passphrase should stay cached, for example 60
terminal (the same settings without the GUI; run them as your own user, not with sudo, because under sudo gsettings would change root's settings instead of yours):
gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
gsettings set org.gnome.crypto.cache gpg-cache-ttl 60
Double-check with dconf-editor afterwards (there may be an inconsistency between what applications read and what dconf and gconf show).
gnupg-agent:
- install gnupg-agent (if not installed)
sudo apt-get install gnupg-agent
- uncomment or insert (if necessary) in ~/.gnupg/gpg.conf the line
use-agent
- create the file ~/.gnupg/gpg-agent.conf and populate it with the lines (for a one-minute time limit):
default-cache-ttl 60
max-cache-ttl 120
- tell the running agent to re-read its configuration (this also flushes the cache). The command goes to gpg-connect-agent, not to gpg-agent itself, and needs no sudo:
echo RELOADAGENT | gpg-connect-agent
or, equivalently:
gpg-connect-agent reloadagent /bye
If the agent does not pick up the change, log out and back in or reboot your system.
Please note that the methods suggested above relate to GPG keys. Passphrases for SSH keys are cached by ssh-agent and have to be managed separately (ssh-add -t sets a lifetime for them).
It is important to understand that caching GPG passphrases until the end of the session is a somewhat dubious practice and opens the door to a security issue: for as long as the entry lives, anyone who can reach your agent socket, whether another process running in your session or a person at your unlocked screen, can decrypt and sign with the key without knowing the passphrase. That is why a short TTL, and flushing the cache when you step away, matter.
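Steps 1-4 of the Ubuntu/Debian procedure, the same gnupg-agent steps repeated in the Linux Mint section, and the cache check that the warning above calls for, gathered into one script. This is an added example and not code from the original post: it assumes GnuPG 2.1 or later with gpg-connect-agent and gpgconf on PATH for the apply/status/flush actions, while the config-editing function and the KEYINFO parser run without GnuPG installed. The function names are mine, the KEYINFO record layout is the one documented in the gpg-agent manual, and the keygrips in SAMPLE_KEYINFO are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Manages gpg-agent's
# passphrase cache on GnuPG 2.1+: writes the TTLs into gpg-agent.conf
# idempotently, reloads the agent, and lists or flushes cached keys.
# Assumes gpg-connect-agent and gpgconf on PATH for apply/status/flush;
# upsert_option and cached_keygrips need no GnuPG at all.
set -u

# upsert_option FILE NAME VALUE: replace every "NAME ..." line in FILE
# (commented "#NAME" lines are left alone) with a single "NAME VALUE",
# or append it when absent.
upsert_option() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        $1 == n { if (!done) print n " " v; done = 1; next }
        { print }
        END { if (!done) print n " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# configure_agent_cache DEFAULT_TTL MAX_TTL [CONF]: both values in seconds.
# default-cache-ttl is the idle timeout, reset on every use of the entry;
# max-cache-ttl caps the total lifetime regardless of use.
configure_agent_cache() {
    conf=${3:-"${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"}
    dir=$(dirname "$conf")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    upsert_option "$conf" default-cache-ttl "$1" || return 1
    upsert_option "$conf" max-cache-ttl "$2" || return 1
    chmod 600 "$conf"
}

# RELOADAGENT makes the running agent re-read gpg-agent.conf and also
# flushes every cached passphrase.
reload_agent() {
    gpg-connect-agent reloadagent /bye >/dev/null
}

# Show what the running agent uses as TTLs. gpgconf prints one
# colon-separated record per option; the last field is the value taken
# from gpg-agent.conf and is empty when the built-in default applies.
show_cache_ttls() {
    gpgconf --list-options gpg-agent | grep -- '-cache-ttl'
}

# cached_keygrips: filter "KEYINFO --list" output down to the keygrips whose
# passphrase is currently cached. Record layout from the gpg-agent manual:
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# so the cached flag is field 7 ("1" cached, "-" not).
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Constructed sample of KEYINFO output (the keygrips are made up), used by
# the demo action; a real agent emits records of the same shape.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO 89ABCDEF0123456789ABCDEF0123456789ABCDEF D - - - P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - 1 P - - -
OK'

list_cached() {
    gpg-connect-agent 'KEYINFO --list' /bye | cached_keygrips
}

# Drop each cached passphrase individually; CLEAR_PASSPHRASE takes the
# keygrip as cache id. reload_agent would flush them all at once.
flush_cached() {
    list_cached | while read -r grip; do
        gpg-connect-agent "CLEAR_PASSPHRASE --mode=normal $grip" /bye >/dev/null
        echo "cleared $grip"
    done
}

case "${1:-}" in
    apply)  configure_agent_cache "${2:-60}" "${3:-120}" && reload_agent && show_cache_ttls ;;
    status) show_cache_ttls; list_cached ;;
    flush)  flush_cached ;;
    demo)   printf '%s\n' "$SAMPLE_KEYINFO" | cached_keygrips ;;
    *)      echo "usage: $0 apply [default-ttl max-ttl] | status | flush | demo" >&2 ;;
esac
```

Run `sh gpg-cache.sh apply 60 120` to write the TTLs and reload, `status` to see the effective TTLs and which keygrips are cached right now, and `flush` before leaving the machine. Passphrases entered for symmetric (-c) encryption are cached under an id derived from the S2K salt rather than a keygrip, so KEYINFO does not list them; reloadagent still flushes them together with everything else.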