Clearing cached passphrases using GPG 2.1 and later
The problem is that after encrypting the file, the passphrase is not forgotten immediately: gpg-agent caches it by default for a certain amount of time (up to two hours, with a ten-minute inactivity timeout), so anyone who has access to the PC during that window can decrypt the file without knowing the passphrase.
gpg --version
gpg (GnuPG) 2.2.8
Example (for symmetric encryption):
Create some file file_in. Encrypt it with GPG from the terminal with the following command:
gpg --output file_enc --symmetric --cipher-algo AES256 file_in
or
gpg -o file_enc -c file_in
Enter the decryption command right after (within 10 minutes):
gpg --output file_in_2 --decrypt file_enc
or
gpg -o file_in_2 -d file_enc
It will decrypt the file without asking for the passphrase.
To change the defaults, create or edit the file
~/.gnupg/gpg-agent.conf
For a one-minute inactivity timeout and a 10-minute maximum, enter in it:
default-cache-ttl 60
max-cache-ttl 600
Then reload the configuration (try gpgconf --kill gpg-agent).
default-cache-ttl - Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset.
max-cache-ttl - Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently. The default is 2 hours (7200 seconds).
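The configuration step above, as an added shell helper that is not part of the original post: it writes both TTL values into gpg-agent.conf (replacing any existing cache-ttl lines instead of appending duplicates), rejects a max-cache-ttl smaller than default-cache-ttl, and then kills the agent so the new values take effect. The function name set_agent_cache_ttl and the optional third argument (a GnuPG home directory, for testing) are assumptions of this example.

```shell
#!/bin/sh
# set_agent_cache_ttl DEFAULT_SECONDS MAX_SECONDS [GNUPGHOME]
# Writes default-cache-ttl / max-cache-ttl into gpg-agent.conf, keeping
# every other option, then restarts the agent. Returns 1 on bad input.
set_agent_cache_ttl() {
    ttl="$1"; max="$2"; home="${3:-${GNUPGHOME:-$HOME/.gnupg}}"
    conf="$home/gpg-agent.conf"
    # Both values must be non-negative integers (seconds).
    for v in "$ttl" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "cache ttl must be an integer number of seconds" >&2; return 1 ;;
        esac
    done
    # gpg-agent expires entries at max-cache-ttl regardless of activity,
    # so a max below the inactivity timeout makes the latter meaningless.
    if [ "$max" -lt "$ttl" ]; then
        echo "max-cache-ttl must not be smaller than default-cache-ttl" >&2
        return 1
    fi
    mkdir -p "$home" && chmod 700 "$home"
    tmp="$conf.tmp.$$"
    {
        # Drop old cache-ttl lines so the file ends up with exactly one of each.
        if [ -f "$conf" ]; then
            grep -v -E '^[[:space:]]*(default|max)-cache-ttl([[:space:]]|$)' "$conf" || true
        fi
        printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$ttl" "$max"
    } > "$tmp" && mv "$tmp" "$conf"
    # Kill the running agent (as the post suggests); gpg starts a fresh one,
    # which reads the new configuration, the next time it needs an agent.
    if command -v gpgconf >/dev/null 2>&1; then
        GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    fi
    return 0
}
```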
One-time solution: right after the encryption, execute the command:
gpgconf --kill gpg-agent
Test:
date && sleep 60 && gpg -o file_in_copy -d file_enc && date
Check that the passphrase is requested again after 60 seconds of inactivity.