You can use the --default-cache-ttl option to set how long to keep an entry around:
eval $(gpg-agent --daemon --default-cache-ttl 300)
will cache for five minutes. You can also set this in your gpg-agent.conf file:
default-cache-ttl 300
The default is ten minutes (600 seconds). These timeouts will be reset when you use the key. max-cache-ttl sets the upper limit before reentering the passphrase.
Gpg-agent is a program that runs in the background (a daemon) and stores GPG secret keys in memory. When a GPG process needs the key, it contacts the running gpg-agent program through a socket and requests the key. If the agent process has the key, it provides it to gpg. If it doesn't, it attempts to load the encrypted key from your keyring, and prompts you for the key's passphrase. Once the agent has obtained the decrypted key, it passes it to the gpg process. In addition to GPG keys, Gpg-agent can similarly store SSH keys and provide them to SSH processes, like the ssh-agent program that comes with SSH.
The main point of using a key agent is so that you don't have to type your passphrase every single time you use your key. The agent keeps the key in memory from one time to the next. GPG itself can't do that because the process terminates once it's done its job.
Another thing that a key agent can do is allow GPG running on a remote machine to obtain keys in the local agent (which may load them from a local file and prompt for your passphrase). Gpg-agent can't do this yet; it is a planned feature. SSH has had agent forwarding for a very long time. (This is a reason not to use gpg-agent for SSH keys.)
GPG 1.x or 2.0.x knows that the agent is running because the GPG_AGENT_INFO variable is set. This variable contains the location of the socket to communicate with the agent as well as the process ID of the agent. GPG 2.1 always places the agent socket in ~/.gnupg. GPG 2.x always starts an agent process if one isn't running.
You can start the agent simply by running gpg-agent. If you want to keep an agent process as part of your session, you can replace the invocation of your session manager by gpg-agent my-session-manager; some distributions set this up automatically. GPG will automatically start the agent, and GPG 2.1 will additionally find a running agent without needing an environment variable, so you don't need to start it this way unless you use an older version of GPG or you use the agent to store other types of keys such as SSH.
You can send the agent commands with the gpg-connect-agent shell command. Send the kill command to kill the agent process (or send it a signal).
Gpg-agent ships with GPG itself. Some distributions package it separately.
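As an added example that is not part of either answer above, the following script ties together the cache-ttl settings from the first answer and the gpg-connect-agent control channel from the second: it writes default-cache-ttl and max-cache-ttl into gpg-agent.conf exactly once (replacing any earlier values), refuses a max below the default, and then asks a running agent to re-read its configuration. It assumes gpg-connect-agent is on PATH when an agent is running; the sample config it edits is constructed inline.

```shell
#!/bin/sh
# Added example, not from the answers above. Manage gpg-agent passphrase
# cache lifetimes in gpg-agent.conf and reload the running agent.

# set_agent_ttl CONF DEFAULT_TTL MAX_TTL
# Rewrites CONF so it holds exactly one default-cache-ttl and one
# max-cache-ttl line, keeping every unrelated option and comment.
# A max below the default is rejected: the agent would then expire the
# cache at the max, and the default setting would be misleading.
set_agent_ttl() {
    conf=$1; def=$2; max=$3
    for v in "$def" "$max"; do
        case $v in ''|*[!0-9]*) echo "ttl values must be integers (seconds)" >&2; return 1;; esac
    done
    [ "$max" -ge "$def" ] || { echo "max-cache-ttl must be >= default-cache-ttl" >&2; return 1; }
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp) || return 1
    # keep every line except previous ttl settings (awk exits 0 even on no match)
    awk '!/^[[:space:]]*(default|max)-cache-ttl([[:space:]]|$)/' "$conf" > "$tmp"
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$def" "$max" >> "$tmp"
    mv "$tmp" "$conf" && chmod 600 "$conf"   # the conf lives next to the keyring; keep it private
}

# get_agent_ttl CONF KEY: print the effective value (the last occurrence wins,
# mirroring how gpg-agent reads repeated options), or "unset".
get_agent_ttl() {
    awk -v k="$2" '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# reload_agent: have a running agent re-read gpg-agent.conf without dropping
# cached keys (RELOADAGENT over the gpg-connect-agent channel). A missing
# binary or no running agent is not an error for this helper.
reload_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 0
    gpg-connect-agent reloadagent /bye >/dev/null 2>&1 || true
}

# demo: run against a constructed config in a scratch directory.
demo() {
    d=$(mktemp -d); c="$d/gpg-agent.conf"
    printf '# constructed sample\nenable-ssh-support\ndefault-cache-ttl 600\n' > "$c"
    set_agent_ttl "$c" 300 3600 && cat "$c"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh script.sh demo` to see the rewritten sample; pointing set_agent_ttl at "$HOME/.gnupg/gpg-agent.conf" followed by reload_agent applies the change to your own agent.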
Best Answer
Looking at the versions reveals the problem:
The components come from different packages (gnupg2-2.1.7-1.fc22.x86_64 and gnupg-1.4.19-2.fc22.x86_64 in my case). The solution is to use the gpg2 command instead of gpg.