I am using gpg-agent 2.0.17 with gpg 1.4.11 on Ubuntu 12.04 and the Enigmail add-on for Thunderbird. When opening an encrypted email, Enigmail invokes gpg-agent with the associated pinentry program and asks for the password. I then have the option to set the lifetime for the cached password, usually set to the end of the session.
Since I rarely shut down or log out of my session, I would like to force gpg-agent to forget all cached passwords upon locking the session. I've searched for a way to do so, and the man page of gpg-agent states that a SIGHUP will flush all passwords; however, contrary to the man page, the cached passwords are not forgotten.
Any ideas on how to force gpg-agent to forget the passwords?
I tried this and unfortunately `gpgconf --reload gpg-agent` does not make gpg-agent forget passwords. – None – 2015-09-29T14:34:52.633

@Bruno: It works for me with various versions of gnupg 2.0.* and 2.1.*. You may have to do some debugging to ensure your invocation of gpgconf is talking to the gpg-agent being used to store your password. Beware of agent interposers such as gnome-keyring-daemon - I suspect that does not work with gpgconf. – Juan – 2015-09-30T16:29:47.523
@Bruno: try this: kill all instances of gpg-agent; run `gpg-agent --daemon sh; echo yadamo > /tmp/foo ; gpg --symmetric --output /tmp/foo.encrypted /tmp/foo` (you will be prompted for a passphrase to encrypt the file). At that point /tmp/test.encrypted should be an encrypted file that can only be decrypted with the passphrase you specified. If you then run `gpg --decrypt /tmp/foo.encrypted`, you should get "yadamo". Then run `gpgconf --reload gpg-agent` and try the decrypt again. You should be prompted for the passphrase that has now been forced to be forgotten by the agent. – Juan – 2015-09-30T16:36:08.520

@Bruno: Basically, I believe `gpgconf --reload gpg-agent` tries to send SIGHUP to the gpg-agent PID (just as if you used `kill -HUP <pid>` or `kill -1 <pid>`). If gpgconf can't deliver SIGHUP to the agent for whatever reason (e.g., can't find the right PID) or the "agent" is not really gpg-agent and doesn't know that SIGHUP means to unload cached secrets, then the gpgconf reload won't work. If you figure out what's going on in your case, let us know. – Juan – 2015-09-30T16:46:21.387
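The thread establishes that `gpgconf --reload gpg-agent` (a SIGHUP to the agent) is the cache-flush primitive, but the asker's actual goal is to fire it automatically on session lock. The script below is an added example, not code from the question or the comments: it watches the session bus for the screen locker's ActiveChanged signal and flushes the agent's cache on every lock. It assumes (these details are not stated on the page) that the locker emits ActiveChanged on org.gnome.ScreenSaver or org.freedesktop.ScreenSaver, that dbus-monitor prints each signal as a header line followed by an indented "boolean true"/"boolean false" argument line, and that `gpg-connect-agent reloadagent /bye` is available as a socket-based fallback when gpgconf cannot find the right PID. The dbus-monitor sample lines embedded in the script are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not part of the question or the comments above: flush
# gpg-agent's passphrase cache whenever the desktop session is locked.
#
# Assumptions (not stated on the page):
#  - the screen locker announces locks on the session bus with an
#    ActiveChanged signal on org.gnome.ScreenSaver or
#    org.freedesktop.ScreenSaver, and dbus-monitor prints the signal
#    header on one line followed by an indented "boolean true/false" line
#  - gpgconf can reach the real gpg-agent (not an interposer such as
#    gnome-keyring-daemon); "gpg-connect-agent reloadagent /bye" is tried
#    as a fallback that reaches the agent over its socket rather than by PID.

# Ask the agent to drop cached passphrases. gpgconf does it with SIGHUP;
# the fallback uses the agent's own RELOADAGENT command instead.
flush_gpg_agent_cache() {
    gpgconf --reload gpg-agent 2>/dev/null ||
        gpg-connect-agent reloadagent /bye >/dev/null 2>&1
}

# Turn dbus-monitor output (stdin) into one word per lock/unlock event.
# A ScreenSaver ActiveChanged header line "arms" the parser; the next
# argument line decides; any other message header disarms it.
screensaver_events() {
    armed=0
    while IFS= read -r line; do
        case "$line" in
            *"ScreenSaver; member=ActiveChanged"*) armed=1 ;;
            *"boolean true"*)
                if [ "$armed" -eq 1 ]; then echo lock; fi
                armed=0 ;;
            *"boolean false"*)
                if [ "$armed" -eq 1 ]; then echo unlock; fi
                armed=0 ;;
            signal*|"method call"*|"method return"*|error*) armed=0 ;;
        esac
    done
}

# Constructed sample of dbus-monitor output: a lock, an unrelated
# notification signal (must be ignored), then an unlock.
sample_dbus_output() {
    cat <<'EOF'
signal sender=:1.42 -> dest=(null destination) serial=7 path=/org/gnome/ScreenSaver; interface=org.gnome.ScreenSaver; member=ActiveChanged
   boolean true
signal sender=:1.42 -> dest=(null destination) serial=8 path=/org/freedesktop/Notifications; interface=org.freedesktop.Notifications; member=NotificationClosed
   uint32 3
   uint32 1
signal sender=:1.42 -> dest=(null destination) serial=9 path=/org/gnome/ScreenSaver; interface=org.gnome.ScreenSaver; member=ActiveChanged
   boolean false
EOF
}

# Live mode: watch the session bus and flush the cache on every lock.
watch_and_flush() {
    dbus-monitor --session "type='signal',member='ActiveChanged'" |
        screensaver_events |
        while read -r event; do
            if [ "$event" = lock ]; then
                flush_gpg_agent_cache
            fi
        done
}

if [ "${1:-}" = "--watch" ]; then
    watch_and_flush
else
    # Dry run on the constructed sample: prints "lock" then "unlock".
    sample_dbus_output | screensaver_events
fi
```

Run it as `./gpg-lock-flush.sh --watch` from your session startup to keep it running; without arguments it only parses the embedded sample so you can check the event parser against your own `dbus-monitor --session` output first. The parser is deliberately narrow: only an argument line that directly follows a ScreenSaver ActiveChanged header counts, so a "boolean true" belonging to some other signal cannot trigger a flush. After a lock, confirm the flush actually reached the right agent with the decrypt-twice check from the comments: if the second decrypt prompts for the passphrase, the cache was cleared.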