Ubuntu – gnome-keyring/pinentry gpg key password saved indefinitely after ubuntu 15.10 upgrade

Tags: 15.10, gnome, gnome-keyring, gnupg, password

After upgrading to ubuntu 15.10, the password prompt for gpg keys has changed to a program called pinentry. The pinentry prompt provides a text field for the passphrase, as well as a checkbox for "Save in password manager".

If I do not check the checkbox to "Save in password manager", then I will be prompted for my password every time I want to use my gpg key to decrypt something, which is annoying.

If I do check the checkbox, then pinentry/gnome-keyring saves my password indefinitely (across reboots), which is unacceptable from a security perspective.

Once saved, I can remove the gpg password by going to the "Keys and Passwords" gnome gui app and removing it under "Login", but I'd rather not have to remember to do this manually.

In gsettings, the value of the key desktop.gnome.crypto.cache.gpg-cache-method is already set to session, but this doesn't seem to have any effect.

Does anyone know how to make gnome-keyring or pinentry only save the gpg password for the current login session?

Best Answer

You can control the gpg-agent's password caching behavior with ~/.gnupg/gpg-agent.conf. The relevant gpg-agent options are default-cache-ttl (max idle time in seconds) and max-cache-ttl (max time before expiry, even if under active use). The format is simply option_name option_value. E.g.

# This is a comment
default-cache-ttl 600
max-cache-ttl 7200

Once edited, you can force reload of the configuration with gpgconf --reload gpg-agent.

Caveat lector: tested on 16.04, not 15.10.
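As an added example (not part of the answer above, and not a GnuPG tool), the following POSIX shell helper applies the two TTL options idempotently: it rewrites an existing option line rather than appending a duplicate, leaves comment lines untouched, and only asks the agent to reload when gpgconf is actually installed. The file path, the numeric values and the helper names are assumptions for illustration; the option_name option_value format and the gpgconf --reload gpg-agent command are the ones the answer gives.

```shell
#!/bin/sh
# Added example: manage default-cache-ttl / max-cache-ttl in a gpg-agent.conf
# style file ("option value" per line, "#" comments) without duplicating lines.

# set_agent_option FILE OPTION VALUE
# Replaces an existing "OPTION [value]" line in FILE, or appends one if absent.
set_agent_option() {
    file=$1 opt=$2 val=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${opt}[[:space:]]" "$file" || grep -q "^${opt}$" "$file"; then
        # Portable in-place edit through a temp file (no reliance on GNU sed -i).
        tmp=$(mktemp)
        sed "s/^${opt}[[:space:]].*$/${opt} ${val}/; s/^${opt}$/${opt} ${val}/" \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$opt" "$val" >> "$file"
    fi
}

# get_agent_option FILE OPTION
# Prints the effective value (last non-comment occurrence wins, as gpg-agent reads it).
get_agent_option() {
    grep -v '^[[:space:]]*#' "$1" | awk -v o="$2" '$1 == o { print $2 }' | tail -n 1
}

# reload_agent
# Tells a running gpg-agent to re-read its configuration; a no-op if gpgconf is missing.
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    fi
}

# apply_cache_ttls FILE IDLE_SECONDS MAX_SECONDS
# IDLE_SECONDS is reset on every use of the key; MAX_SECONDS is a hard cap.
apply_cache_ttls() {
    set_agent_option "$1" default-cache-ttl "$2"
    set_agent_option "$1" max-cache-ttl "$3"
    reload_agent
}

# Typical use (hypothetical values; the real file lives under ~/.gnupg):
#   apply_cache_ttls "$HOME/.gnupg/gpg-agent.conf" 600 7200
```

Note that these TTLs bound how long the agent itself keeps a passphrase; if pinentry's "Save in password manager" box is ticked, the copy stored by gnome-keyring is governed separately, which is the behaviour the question describes.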