Keep GnuPG credentials cached for entire user session

56

14

GnuPG can, with gpg-agent, cache access to a private key. How can I keep that cache active for the entire user session?

When I unlock the key for gpg-agent, it only stays cached for a limited time. With SSH's agent, I enter the passphrase one time and it stays cached for the whole session. I want the same behaviour from gpg-agent.

So, ssh-agent doesn't suffer from a limited cache lifetime. But gpg-agent limits the cache lifetime, at least by default. How can I eliminate the limit on cache time from gpg-agent?

bignose

Posted 2013-07-26T00:05:17.177

Reputation: 1 981

Answers

76

Up to GnuPG 2

The user configuration (in ~/.gnupg/gpg-agent.conf) can only define the default and maximum caching duration; it can't be disabled.

The default-cache-ttl option sets the timeout (in seconds) after the last GnuPG activity (so it resets if you use it); the maximum-cache-ttl option sets the timespan (in seconds) it caches after entering your password. The default value is 600 seconds (10 minutes) for default-cache-ttl and 7200 seconds (2 hours) for maximum-cache-ttl.

Set it to a year or so – say, 34560000 seconds (400 days) – and you should be fine:

default-cache-ttl 34560000
maximum-cache-ttl 34560000

But for this change to take effect, you need to end the session by restarting gpg-agent.

If you want to limit to your session length, you'd need to kill the daemon at logout. This is very different between operating systems, so I'm referring to another question/answer containing hints for different systems.

You could also restart the gpg-agent during login, but this does not limit caching time to the session length, only to the logins of a user. Decide yourself if this is a problem in your case.

GnuPG 2.1 and above

In GnuPG 2.1 and above, the maximum-cache-ttl option was renamed to max-cache-ttl without further changes.

Jens Erat

Posted 2013-07-26T00:05:17.177

Reputation: 14 141

Please note that in the latest versions (at least gnupg 2.1), the maximum-cache-ttl option doesn't exist. To see the correct options, see the official documentation: https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

– Pablo Olmos de Aguilera C. – 2014-12-27T19:12:47.887

At least in GnuPG 2.1 the default for default-cache-ttl is 600 seconds (10 minutes), not two hours. – jlh – 2017-10-03T09:30:24.587

@jlh Looking at the man pages for different versions of gpg-agent, the correct value seems to be 10 minutes for all releases. I edited the answer, thank you for pointing this out. – Jens Erat – 2017-10-05T10:32:42.340

What can the reason be that my GPG4Win asks every 10 minutes even though my settings are set as in the samples above? max-cache-ttl 34560000 – Ben – 2018-12-17T17:34:56.940

This sounds like you used the wrong file for setting up the value. I'm sorry I'm not deep enough into Windows to immediately be able to tell you how to best debug this, but I'd start with setting the log-file option -- if nothing is logged to that file, you're indeed probably using the wrong file. – Jens Erat – 2018-12-17T21:54:15.773

@Ben I think I found the answer to this. You have to put the gpg-agent.conf file at $env:AppData\gnupg

I did this and it all seems to be working the way I want... – CubanX – 2019-04-23T14:00:33.770

@CubanX already have this, but this won't work for me... – Ben – 2019-04-24T11:30:29.473

Ugh, sorry @Ben. It has worked for everyone that has tried it in our office...

I wonder what is different about your set up? – CubanX – 2019-04-30T14:15:48.647

Is this a “you can't do what you're asking” response? It's not clear, since you're talking about limiting the session length or limiting caching time. I want exactly the opposite of that: no arbitrary limit on the cache time or session length. – bignose – 2013-07-29T00:58:48.620

Kind of that, you can only workaround by setting a rather huge ttl. Set it to a year or so and you should be fine - but need to end the session by restarting gpg-agent. – Jens Erat – 2013-07-29T08:12:17.240

7

For Windows

The file you need to edit should be placed at: $env:AppData\gnupg

If you run that in a PowerShell window it will open: C:\Users\<UserName>\AppData\Roaming\gnupg

Just put the gpg-agent.conf file there with whatever values you like.

You can verify it took by running:

  1. gpgconf.exe --reload gpg-agent
  2. gpgconf.exe --list-options gpg-agent

You can also use this one liner: Set-Content -Path $env:AppData\gnupg\gpg-agent.conf -Value "default-cache-ttl 86400$([System.Environment]::NewLine)max-cache-ttl 86400"

CubanX

Posted 2013-07-26T00:05:17.177

Reputation: 181

If a second answer here isn't appropriate we can move this to its own question, tagged with Windows. Not sure what's right :) – CubanX – 2019-04-23T14:12:41.003

Thanks and keep it here - good to have all info in one place. – barfuin – 2019-06-13T16:57:04.257

7

Make sure to reload your gpg agent with gpg-connect-agent reloadagent /bye after changing the config.

SuperSandro2000

Posted 2013-07-26T00:05:17.177

Reputation: 71