Keep GnuPG credentials cached for entire user session

Question

GnuPG can, with gpg-agent, cache access to a private key. How can I keep that cache active for the entire user session?

When I unlock the key for gpg-agent, it only stays cached for a limited time. With SSH's agent, I enter the passphrase one time and it stays cached for the whole session. I want the same behaviour from gpg-agent.

So, ssh-agent doesn't suffer from a limited cache lifetime. But gpg-agent limits the cache lifetime, at least by default. How can I eliminate the limit on cache time from gpg-agent?

score 195 · Accepted Answer · edited May 12 '22 at 05:27

The user configuration (in ~/.gnupg/gpg-agent.conf) can only define the default and maximum caching duration; it can't be disabled.

The default-cache-ttl option sets the timeout (in seconds) after the last GnuPG activity (so it resets if you use it), the max-cache-ttl option set the timespan (in seconds) it caches after entering your password. The default value is 600 seconds (10 minutes) for default-cache-ttl and 7200 seconds (2 hours) for max-cache-ttl.

Set it to a year or so – say, 34560000 seconds (400 days) – and you should be fine:

GnuPG 2.1 and above

In GnuPG 2.1 and above, the maximum-cache-ttl option was renamed to max-cache-ttl without further changes.

default-cache-ttl 34560000
max-cache-ttl 34560000

GnuPG 2 and below

default-cache-ttl 34560000
maximum-cache-ttl 34560000

Restart the agent

But for this change to take effect, you need to end the session by restarting gpg-agent.

gpgconf --kill gpg-agent
gpg-agent --daemon --use-standard-socket

If you want to limit to your session length, you'd need to kill the daemon at logout. This is very different between operating systems, so I'm referring to another question/answer containing hints for different systems.

You could also restart the gpg-agent during login, but this does not limit caching time to the session length, but logins of a user. Decide yourself if this is a problem in your case.

score 41 · Answer 2 · edited Sep 21 '24 at 15:51

For Windows

The file you need to edit should be placed at: ~\.gnupg\

If you run that in a PowerShell window it will open: C:\Users\<UserName>\.gnupg

Just put the gpg-agent.conf file there with whatever values you like.

You can verify it worked by running:

gpgconf.exe --reload gpg-agent
gpgconf.exe --list-options gpg-agent

You can also use this one liner to set the timeout to one day:

Set-Content -Path ~\.gnupg\gpg-agent.conf -Value "default-cache-ttl 86400$([System.Environment]::NewLine)max-cache-ttl 86400"

Older Versions Of GPG

In older versions, the file was at: $env:AppData\gnupg (C:\Users\<UserName>\AppData\Roaming\gnupg)

So if you can't find it at ~\.gnupg\gpg-agent.conf, look there.

score 20 · Answer 3 · answered May 19 '19 at 11:43

20

Make sure to reload your gpg agent with gpg-connect-agent reloadagent /bye after changing the config.

answered May 19 '19 at 11:43

SuperSandro2000

300

score 4 · Answer 4 · edited Sep 21 '24 at 15:53

Since your problem is you need more or unlimited cache time for passphrase, then you can use gpg-preset-passphrase to cache your gpg password, and you will have unlimited cache time until the agent is restarted / reloaded. Read the documentation here:

gpg-preset-passphrase:

Passphrases set with this utility don’t expire unless the --forget option is used to explicitly clear them from the cache — or gpg-agent is either restarted or reloaded (by sending a SIGHUP to it). Note that the maximum cache time as set with --max-cache-ttl is still honored.

It is necessary to allow this passphrase presetting by starting gpg-agent with the --allow-preset-passphrase.

Documentation

Here's an example showing how to cache the passphrase using the gpg-preset-passphrase utility in bash:

#!/bin/bash
GPG_PRESET_PASS="/usr/libexec/gpg-preset-passphrase"
KEY_GRIP=$(gpg --with-keygrip --list-secret-keys $KEY_ID | grep -Pom1 '^ *Keygrip += +\K.*')
read -s -p "[$script_name]: Enter passphrase to cache into gpg-agent: " PASSPHRASE; echo $GPG_PRESET_PASS -c $KEY_GRIP <<< $PASSPHRASE
RETVAL=$?
if [ $RETVAL = 0 ]; then
    echo "OK"
else
    echo "NOT OK"
fi

score -1 · Answer 5 · answered May 03 '24 at 09:56

no chance on debian 11

gpg-preset-passphrase: caching passphrase failed: not supported

bin $ cat /etc/os-release PRETTY_NAME="Debian GNU/Linux 11 (bullseye)" NAME="Debian GNU/Linux" VERSION_ID="11" VERSION="11 (bullseye)" VERSION_CODENAME=bullseye ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"