45

I've some stuff encrypted with GnuPG using gpg -e. When I decrypt them, the system does not ask for the passphrase, it decrypts it straight away.

Does it store the secret key somewhere and uses it (I also stored my secret key in the GnuPG key chain, does it uses that)?

How can I force the system to ask the passphrase every time?

Jens Erat
EsseTi

    This irritating behaviour may also occur when using `--symmetric` / `-c`, which doesn't use any keys from the keyring. The accepted answer also works for that case. – fbmd Jan 14 '17 at 11:29
  • Related: https://unix.stackexchange.com/questions/395875/gpg-does-not-ask-for-password – Gabriel Staples Oct 09 '19 at 07:45
  • To force it to ask for the passphrase just when you want it to, for testing, do this: To force it to ask for a passphrase, do this: https://unix.stackexchange.com/a/543856/114401 – Gabriel Staples Oct 09 '19 at 08:08

4 Answers

46

Does it store the secret key somewhere and uses it (I also stored my secret key in the GnuPG key chain, does it uses that)?

GnuPG only uses keys from your key chain, so it must be in there to use it.

How can I force the system to ask the passphrase every time?

Old versions of GnuPG use the gpg-agent, which caches the passphrase for a given time. Use the option --no-use-agent or add a line no-use-agent to ~/.gnupg/gpg.conf to prevent using the agent.

For newer versions (v2.1+), disable password caching for the agent by creating ~/.gnupg/gpg-agent.conf and adding the following lines:

default-cache-ttl 1
max-cache-ttl 1

Restart the agent with:

echo RELOADAGENT | gpg-connect-agent
Steve Bond
Jens Erat

  • Note that for gpg2 "--no-use-agent" is an obsolete option - it has no effect. – 10 cls Nov 19 '16 at 17:36
  • To be more specific, it is obsolete for GnuPG 2.1 (and newer). – Jens Erat Nov 30 '16 at 18:17
  • `0` seems to mean no caching at all, as it correctly asks for passphrase even immediately after encrypting. I just wanted to add that [the correct way to reload gpg-agent](http://superuser.com/a/521027/281818) would be `echo RELOADAGENT | gpg-connect-agent` – Jeffrey Lebowski Jan 10 '17 at 13:01
  • It might be noteworthy that `gpg-agent` also caches passphrases used with `gpg --symmetric`, which allows anyone with access to the shell / `gpg-agent`-session to decrypt the file *without* entering the passphrase. – fbmd Jan 14 '17 at 11:33
  • what should one do in gpg2 ? – EsseTi Jul 27 '18 at 11:40
  • @EsseTi to achieve what outcome? `max-cache-ttl 0` should still be valid with any recent GnuPG version. – Jens Erat Jul 27 '18 at 21:27
  • Just to be clear, `~/.gnupg/gpg-agent.conf` probably needs to be created. – Steve Bond Aug 13 '18 at 15:31
  • Is there a way to do this for all users, for the newer gpg? – Brōtsyorfuzthrāx Aug 24 '18 at 06:31
  • GnuPG does not read a system-wide configuration file, so you need to roll out the configuration for all existing users and create it when creating new users (skeleton folder on Linux, don't know how to do so in Windows). – Jens Erat Aug 24 '18 at 06:37
  • I only know of the "set cache period to 1sec" method already described in the answer. – Jens Erat Jul 30 '19 at 07:15
  • I use GPG suite on macos, and setting these options has no effect. Neither `gpg -s` nor `pass` (which allegedly uses gpg) prompt for a password. – oarfish Oct 13 '19 at 11:50
11

GnuPG 2.2.15

  --symmetric
  -c      Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option. This command may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase). gpg caches the passphrase used for symmetric encryption so that a decrypt operation may not require that the user needs to enter the passphrase. The option --no-symkey-cache can be used to disable this feature.

# encrypt files
gpg -c --no-symkey-cache file.txt
# decrypt files
gpg --no-symkey-cache file.txt.gpg

With the --no-symkey-cache option, it will not cache your password.

anonymous

  • This works, but if I switch to another user, like root, it doesn't work--I get the error "gpg: problem with the agent: Permission denied" BUT there is a solution, "pinentry mode" `gpg --pinentry-mode=loopback test.gpg` https://askubuntu.com/a/1158297/429995 – PJ Brunet Apr 26 '20 at 08:03
  • Although the man page doesn't mention it, you also need --no-symkey-cache when decrypting, as shown in this example. – ARX Oct 10 '20 at 17:04
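The two mitigations above (short agent cache TTLs in gpg-agent.conf from the first answer, and no-symkey-cache, which can also be set permanently in gpg.conf, from the second) can be audited and applied with a small script. This is an added example, not code from any of the answers; it assumes the standard GNUPGHOME layout and that a running agent is reloaded separately with gpg-connect-agent.

```shell
#!/bin/sh
# Audit a GnuPG home directory for passphrase caching and optionally harden it.
# Added example; assumes the usual ~/.gnupg layout (gpg.conf, gpg-agent.conf).

# Print the value of a config key; the last occurrence wins (as GnuPG does).
# Prints nothing if the key is absent or the file does not exist.
conf_value() {  # $1 = file, $2 = key
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# 0 if the agent keeps passphrases for at most $2 seconds (default 1), else 1.
# A missing key means GnuPG's defaults (600 s / 7200 s), i.e. caching is on.
agent_cache_disabled() {  # $1 = GNUPGHOME, $2 = max allowed TTL
    limit=${2:-1}
    d=$(conf_value "$1/gpg-agent.conf" default-cache-ttl)
    m=$(conf_value "$1/gpg-agent.conf" max-cache-ttl)
    [ -n "$d" ] && [ -n "$m" ] || return 1
    [ "$d" -le "$limit" ] && [ "$m" -le "$limit" ]
}

# 0 if gpg.conf sets no-symkey-cache, so gpg -c passphrases are never cached.
symkey_cache_disabled() {  # $1 = GNUPGHOME
    [ -f "$1/gpg.conf" ] && grep -q '^[[:space:]]*no-symkey-cache' "$1/gpg.conf"
}

# Verdict: 0 = passphrase asked every time, 1 = some cache is still active.
audit_gnupghome() {  # $1 = GNUPGHOME
    ok=0
    agent_cache_disabled "$1" || { echo "agent caches passphrases: $1/gpg-agent.conf"; ok=1; }
    symkey_cache_disabled "$1" || { echo "symmetric passphrases cached: $1/gpg.conf"; ok=1; }
    return $ok
}

# Append the settings from the answers; later lines override earlier ones.
harden_gnupghome() {  # $1 = GNUPGHOME
    mkdir -p "$1" && chmod 700 "$1"
    printf 'default-cache-ttl 1\nmax-cache-ttl 1\n' >> "$1/gpg-agent.conf"
    printf 'no-symkey-cache\n' >> "$1/gpg.conf"
}

# Tell an already running agent to re-read gpg-agent.conf.
reload_agent() {  # $1 = GNUPGHOME
    echo RELOADAGENT | GNUPGHOME="$1" gpg-connect-agent
}
```

Run `audit_gnupghome "$HOME/.gnupg"` to see which cache is still on, then `harden_gnupghome` and `reload_agent` to apply the change to a live agent.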
4

Encrypting a "test" file should give us test.gpg

# gpg -c test

But no, we get some errors.

gpg: problem with the agent: Permission denied
gpg: error creating passphrase: Operation cancelled
gpg: symmetric encryption of 'test' failed: Operation cancelled

Loopback mode to the rescue!

# gpg -c --pinentry-mode=loopback test

It prompts for your password and works as expected.

When it comes time to decrypt, maybe you change users and get an error:

gpg: problem with the agent: Permission denied

Loopback mode to the rescue!

# gpg --pinentry-mode=loopback test.gpg

Tested with...

gpg (GnuPG) 2.2.20
libgcrypt 1.8.5

IMO --pinentry-mode=loopback and --no-symkey-cache should be the default settings. I found the solution here https://askubuntu.com/a/1158297/429995 and the "anonymous" answer here (to not cache the password) was helpful as well.

PJ Brunet
0

For gpg version 2.2.4 the following works using symmetric encryption and adding --batch to the gpg command:

Therefore, to clear the password stored in the session, we can run:

echo RELOADAGENT | gpg-connect-agent

More info in this tutorial: https://www.baeldung.com/linux/encrypt-decrypt-files

schroeder
K F