129

GnuPG can, with gpg-agent, cache access to a private key. How can I keep that cache active for the entire user session?

When I unlock the key for gpg-agent, it only stays cached for a limited time. With SSH's agent, I enter the passphrase one time and it stays cached for the whole session. I want the same behaviour from gpg-agent.

So, ssh-agent doesn't suffer from a limited cache lifetime. But gpg-agent limits the cache lifetime, at least by default. How can I eliminate the limit on cache time from gpg-agent?

bignose
  • 3,037
  • 3
  • 22
  • 26

4 Answers

168

The user configuration (in ~/.gnupg/gpg-agent.conf) can only define the default and maximum caching duration; it can't be disabled.

The default-cache-ttl option sets the timeout (in seconds) after the last GnuPG activity (so it resets if you use it); the max-cache-ttl option sets the timespan (in seconds) it caches after entering your password. The default value is 600 seconds (10 minutes) for default-cache-ttl and 7200 seconds (2 hours) for max-cache-ttl.

Set it to a year or so – say, 34560000 seconds (400 days) – and you should be fine:

GnuPG 2.1 and above

In GnuPG 2.1 and above, the maximum-cache-ttl option was renamed to max-cache-ttl without further changes.

default-cache-ttl 34560000
max-cache-ttl 34560000

GnuPG 2 and below

default-cache-ttl 34560000
maximum-cache-ttl 34560000

Restart the agent

But for this change to take effect, you need to end the session by restarting gpg-agent.

gpgconf --kill gpg-agent
gpg-agent --daemon --use-standard-socket

If you want to limit to your session length, you'd need to kill the daemon at logout. This is very different between operating systems, so I'm referring to another question/answer containing hints for different systems.

You could also restart the gpg-agent during login, but this does not limit caching time to the session length, only to the logins of a user. Decide yourself if this is a problem in your case.

SomeGuyOnAComputer
  • 537
  • 1
  • 5
  • 12
Jens Erat
  • 17,507
  • 14
  • 61
  • 74
  • 1
    Is this a “you can't do what you're asking” response? It's not clear, since you're talking about limiting the session length or limiting caching time. I want exactly the opposite of that: no arbitrary limit on the cache time or session length. – bignose Jul 29 '13 at 00:58
  • Kind of that, you can only workaround by setting a rather huge ttl. Set it to a year or so and you should be fine - but need to end the session by restarting `gpg-agent`. – Jens Erat Jul 29 '13 at 08:12
  • 2
    Please note that in the latest versions (at least gnupg 2.1), the `maximum-cache-ttl` option doesn't exist. To see the correct options, see the official documentation: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options – Pablo Olmos de Aguilera C. Dec 27 '14 at 19:12
  • 5
    At least in GnuPG 2.1 the default for `default-cache-ttl` is 600 seconds (10 minutes), not two hours. – jlh Oct 03 '17 at 09:30
  • @jlh Looking at the man pages for different versions of `gpg-agent`, the correct value seems to be 10 minutes for all releases. I edited the answer, thank you for pointing this out. – Jens Erat Oct 05 '17 at 10:32
  • 2
    What can the reason be that my GPG4Win asks every 10 minutes even that my settings are set to the samples above? `max-cache-ttl 34560000` – Benjamin Abt Dec 17 '18 at 17:34
  • This sounds like you used the wrong file for setting up the value. I'm sorry I'm not deep enough into Windows to immediately be able to tell you how to best debug this, but I'd start with setting the `log-file` option -- if nothing is logged to that file, you're indeed probably using the wrong file. – Jens Erat Dec 17 '18 at 21:54
  • @Ben I think I found the answer to this. You have to put the `gpg-agent.conf` file at `$env:AppData\gnupg`. I did this and it all seems to be working the way I want... – CubanX Apr 23 '19 at 14:00
  • @CubanX already have this, but this won't work for me... – Benjamin Abt Apr 24 '19 at 11:30
  • Ugh, sorry @Ben. It has worked for everyone that has tried it in our office... I wonder what is different about your set up? – CubanX Apr 30 '19 at 14:15
  • 1
    I think this should use "max-cache-ttl", since the "maximum-cache-ttl" option does not exist (in gnupg 2.1). I'd fix this as a typo, but I'm not sure if it maybe does exist in other versions? – Matthijs Kooijman Aug 30 '20 at 18:33
  • 1
    Found it helpful to know how to check `gpg-agent` has picked up my config changes `gpgconf --list-options gpg-agent | grep cache-ttl`. Restarting the agent `gpgconf --kill gpg-agent` – mmrobins Jan 07 '22 at 04:35
  • `gpg-agent[34573]: WARNING: "--use-standard-socket" is an obsolete option - it has no effect`
    `gpg-agent[34574]: gpg-agent (GnuPG) 2.3.6 started` – Karl Morrison May 25 '22 at 13:52
  • Really? They did a breaking change so that they could change the name of the config option from "maximum" to "max"? – nroose Feb 14 '23 at 17:01
36

For Windows

The file you need to edit should be placed at: ~\.gnupg\

If you run that in a PowerShell window it will open: C:\Users\<UserName>\.gnupg

Just put the gpg-agent.conf file there with whatever values you like.

You can verify it took by running:

  1. gpgconf.exe --reload gpg-agent
  2. gpgconf.exe --list-options gpg-agent

You can also use this one liner: Set-Content -Path ~\.gnupg\gpg-agent.conf -Value "default-cache-ttl 86400$([System.Environment]::NewLine)max-cache-ttl 86400"

Older Versions Of GPG

In older versions, the file was at: $env:AppData\gnupg (C:\Users\<UserName>\AppData\Roaming\gnupg)

So if you can't find it at ~\.gnupg\gpg-agent.conf look there.

CubanX
  • 481
  • 4
  • 6
  • If a second answer here isn't appropriate we can move this to its own question, tagged with Windows. Not sure what's right :) – CubanX Apr 23 '19 at 14:12
  • Thanks and keep it here - good to have all info in one place. – barfuin Jun 13 '19 at 16:57
  • 2
    Thanks very much. In my case, I had to move this file to `~/.gnupg/gpg-agent.conf`; only then it worked. I didn't have a GnuPG folder inside `AppData`, might help someone else. – Saravanabalagi Ramachandran Apr 17 '20 at 21:44
18

Make sure to reload your gpg agent with gpg-connect-agent reloadagent /bye after changing the config.

SuperSandro2000
  • 280
  • 2
  • 7
  • 1
    I'm not sure if this is a comment or an answer. Weird that it got upvoted. It's not related to what the OP is asking. The OP wants to have a longer cache time for the passphrase. – MaXi32 Sep 16 '20 at 15:39
  • 1
    It is more like a comment but I couldn't write those when I wrote this answer. Also no matter how you change your config, you need to reload the agent or nothing changes. – SuperSandro2000 Sep 18 '20 at 11:44
3

Since your problem is that you need more or unlimited cache time for the passphrase, you can use gpg-preset-passphrase to cache your gpg password, and you will have unlimited cache time until the agent is restarted / reloaded. Read the documentation here:

gpg-preset-passphrase:

Passphrases set with this utility don’t expire unless the --forget option is used to explicitly clear them from the cache — or gpg-agent is either restarted or reloaded (by sending a SIGHUP to it). Note that the maximum cache time as set with --max-cache-ttl is still honored. It is necessary to allow this passphrase presetting by starting gpg-agent with the --allow-preset-passphrase.

Documentation

Example of how to cache the password using the gpg-preset-passphrase utility in bash:

#!/bin/bash
# Usage: ./preset.sh KEY_ID   (key id, fingerprint or user id accepted by gpg)
KEY_ID="$1"
script_name=$(basename "$0")
# Locate gpg-preset-passphrase through gpgconf instead of hardcoding /usr/libexec (the path differs per distro)
GPG_PRESET_PASS="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
# The first Keygrip line is the primary key; use the subkey's grip if that is the key being unlocked
KEY_GRIP=$(gpg --with-keygrip --list-secret-keys "$KEY_ID" | grep -Pom1 '^ *Keygrip += +\K.*')
[ -n "$KEY_GRIP" ] || { echo "[$script_name]: no keygrip found for $KEY_ID" >&2; exit 1; }
read -r -s -p "[$script_name]: Enter passphrase to cache into gpg-agent: " PASSPHRASE; echo
# Requires allow-preset-passphrase in gpg-agent.conf; the passphrase is fed on stdin, not on the command line
"$GPG_PRESET_PASS" --preset "$KEY_GRIP" <<< "$PASSPHRASE"
RETVAL=$?
if [ "$RETVAL" = 0 ]; then
    echo "OK"
else
    echo "NOT OK"
fi
MaXi32
  • 178
  • 6
  • grep (2.5.1-FreeBSD) on MacOS (darwin19.6.0) doesn't support -P/--perl-regexp but perl does: `perl -lne 'print,$found++,exit if s/^ *Keygrip += +//; END {exit !defined $found}'` – Kim Taylor Dec 31 '21 at 16:41
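As an added example (not code from any answer on this page), a POSIX shell script that extracts keygrips from the machine-readable `--with-colons` listing, which avoids the non-portable `grep -P` from the comment above and lets you pick a subkey's grip by capability instead of always taking the primary key. The sample listing is constructed; the `preset_keygrip` helper assumes `allow-preset-passphrase` is set in gpg-agent.conf, and the key id in the usage comment is hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --with-keygrip --list-secret-keys` output:
# a certify-only primary key, an encryption subkey and a signing subkey.
# Field 12 of a sec/ssb record holds that key's own capabilities (lowercase letters);
# field 10 of the grp record that follows holds its keygrip, the cache id
# gpg-preset-passphrase expects.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000::::::e:::+:::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:1122334455667788:1600000000::::::s:::+:::23:
fpr:::::::::0000000000000000000000001122334455667788:
grp:::::::::3333333333333333333333333333333333333333:'

# keygrip_for CAP LISTING
# Prints the keygrip of the first secret (sub)key whose own capabilities include CAP
# (c = certify, s = sign, e = encrypt, a = authenticate); prints nothing if none matches.
# awk only, so it runs unchanged on macOS and BSDs.
keygrip_for() {
    printf '%s\n' "$2" | awk -F: -v cap="$1" '
        $1 == "sec" || $1 == "ssb" { want = (index($12, cap) > 0) }
        $1 == "grp" && want        { print $10; exit }'
}

# preset_keygrip KEYGRIP
# Reads the passphrase from stdin and hands it to gpg-agent for that keygrip.
# Needs "allow-preset-passphrase" in gpg-agent.conf; the entry then stays cached
# until the agent is reloaded or restarted, with max-cache-ttl still honoured.
preset_keygrip() {
    "$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" --preset "$1"
}

# Live usage (hypothetical key id): cache the passphrase of the signing subkey only.
#   listing=$(gpg --with-colons --with-keygrip --list-secret-keys 0xDEADBEEF)
#   printf '%s' "$passphrase" | preset_keygrip "$(keygrip_for s "$listing")"
```

With the sample above, `keygrip_for s` returns the signing subkey's grip (3333...), not the primary key's, because the primary's own capability field is only `c`.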