Friday, July 27, 2018

Clearing GnuPG 2.1 Cached Passphrases in Ubuntu 18.04, Linux Mint 19, Debian 9 and 10


Clearing cached passphrases using GPG 2.1 and later


The problem is that after encrypting (or decrypting) a file with a passphrase, the passphrase is not forgotten immediately. gpg-agent keeps it in its cache: by default in GnuPG 2.1 and later an entry expires after 10 minutes without use (default-cache-ttl 600) and after two hours at the latest (max-cache-ttl 7200). While the entry is cached, anyone who can use your session, for example somebody at your unlocked PC or a process running as your user that can reach the agent socket, can decrypt the file without knowing the passphrase.


gpg --version
gpg (GnuPG) 2.2.8

Example (for symmetric encryption):
Create some file file_in. Encrypt it with GPG from the terminal with the following command:

gpg --output file_enc --symmetric --cipher-algo AES256 file_in
or
gpg -o file_enc -c file_in

Enter the decryption command right after (within 10 minutes of the last use):
gpg --output file_in_2 --decrypt file_enc
or
gpg -o file_in_2 -d file_enc

And it will decrypt the file automatically without asking for the passphrase.

To change the defaults, create or edit the file
~/.gnupg/gpg-agent.conf
For a one minute inactivity timeout and a hard maximum of 10 minutes, put in it:

default-cache-ttl 60
max-cache-ttl 600

Then make the running agent pick up the new values with gpgconf --reload gpg-agent (equivalently gpg-connect-agent reloadagent /bye). The reload re-reads the configuration and also flushes every cached passphrase. gpgconf --kill gpg-agent works as well: the agent is stopped and started again automatically by the next gpg command.

default-cache-ttl - Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset, so an entry that is used regularly stays cached until max-cache-ttl is reached.
max-cache-ttl - Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently. The default is 2 hours (7200 seconds).

Both values apply to the passphrases of private keys as well as to symmetric (--symmetric / -c) passphrases. If you never want symmetric passphrases cached at all, gpg 2.2.7 and later accept --no-symkey-cache on the command line (or no-symkey-cache in ~/.gnupg/gpg.conf); it disables only the symmetric cache, private key passphrases are still cached according to the TTLs above.

One-time solution: right after the encryption, flush the cache by executing:
gpgconf --kill gpg-agent
or, without stopping the agent:
gpgconf --reload gpg-agent

Test:
date && sleep 70 && gpg -o file_in_copy -d file_enc && date
Sleeping slightly longer than the configured 60 seconds avoids a borderline result; check that gpg asks for the passphrase again after the pause. The cache is only filled when the passphrase goes through the agent's pinentry prompt: a passphrase supplied with --passphrase-fd or --passphrase-file in --batch mode is used by gpg directly and is never cached, so run the encryption interactively when testing.
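The following script is an added example, not part of the original post: it automates the gpg-agent.conf change described above (audit the effective TTLs against a limit, rewrite the two keys, then flush the running agent). It assumes a POSIX shell and the GnuPG 2.1+ defaults of 600 s and 7200 s whenever a key is absent from the file. The function names, the limits 60/600 and the sample configuration in the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit, harden and flush gpg-agent's passphrase cache settings.
# Not part of the original post. Assumes GnuPG 2.1+ defaults (600 s / 7200 s) for unset keys.
set -e

# Print the effective value of KEY in gpg-agent.conf CONF, or DEFAULT if unset.
# Matches "key value" and "key=value"; '#' lines are ignored because they do not
# start with the key; the last matching line wins, as in gpg-agent itself.
effective_ttl() {
    conf=$1; key=$2; dflt=$3; val=
    if [ -f "$conf" ]; then
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]=]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$conf" | tail -n 1)
    fi
    printf '%s\n' "${val:-$dflt}"
}

# Return 0 when default-cache-ttl <= LIM_DEFAULT and max-cache-ttl <= LIM_MAX,
# otherwise print what is wrong and return 1.  Usage: audit_agent_conf CONF LIM_DEFAULT LIM_MAX
audit_agent_conf() {
    conf=$1; lim_default=$2; lim_max=$3; status=0
    d=$(effective_ttl "$conf" default-cache-ttl 600)
    m=$(effective_ttl "$conf" max-cache-ttl 7200)
    [ "$d" -le "$lim_default" ] || { echo "default-cache-ttl is $d s (limit $lim_default s)"; status=1; }
    [ "$m" -le "$lim_max" ]     || { echo "max-cache-ttl is $m s (limit $lim_max s)"; status=1; }
    return $status
}

# Replace any existing default-cache-ttl / max-cache-ttl lines in CONF with the given
# values (creating the file if needed) and keep the file private to the user.
# The pattern requires whitespace, '=' or end of line after the key, so the
# unrelated default-cache-ttl-ssh option is left untouched.
harden_agent_conf() {
    conf=$1; new_default=$2; new_max=$3
    mkdir -p "$(dirname "$conf")"
    if [ -f "$conf" ]; then
        tmp="$conf.tmp.$$"
        grep -v -E '^[[:space:]]*(default|max)-cache-ttl([[:space:]=]|$)' "$conf" > "$tmp" || true
        mv "$tmp" "$conf"
    fi
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$new_default" "$new_max" >> "$conf"
    chmod 600 "$conf"
}

# Make a running agent re-read its configuration.  gpgconf --reload sends the
# agent a SIGHUP, which also flushes every cached passphrase; if no agent is
# running there is nothing to flush and the next gpg call starts one with the new file.
flush_agent_cache() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    else
        echo "gpgconf not found; config will apply when gpg-agent next starts"
    fi
}

# Demo on a constructed config in a temporary directory (never touches ~/.gnupg).
demo_dir=$(mktemp -d)
demo_conf=$demo_dir/gpg-agent.conf
# Constructed "loose" settings: one hour idle timeout, one day maximum.
printf '# sample file\ndefault-cache-ttl 3600\nmax-cache-ttl 86400\n' > "$demo_conf"
audit_agent_conf "$demo_conf" 60 600 || echo "before hardening: non-compliant (expected)"
harden_agent_conf "$demo_conf" 60 600
audit_agent_conf "$demo_conf" 60 600 && echo "after hardening: compliant"
rm -rf "$demo_dir"
```

Run as-is it only exercises the throwaway configuration; to apply the post's settings to your own account, source the script and run harden_agent_conf ~/.gnupg/gpg-agent.conf 60 600 followed by flush_agent_cache. audit_agent_conf is also handy on its own for checking a fleet of machines against a policy, since an absent file or key counts as the GnuPG default rather than as "not configured".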