How to make gpg find gpg-agent

gpggpg-agent

On Fedora 22, gpg doesn't find gpg-agent:

% gpg-agent --daemon                                           

% gpg -vvv --use-agent --no-tty --decrypt file.gpg 
gpg: using character set `utf-8'
:pubkey enc packet: version 3, algo 1, keyid 3060B8F7271AFBAF
  data: [4094 bits]
gpg: public key is 271AFBAF
gpg: using subkey 271AFBAF instead of primary key 50EA64D5
gpg: using subkey 271AFBAF instead of primary key 50EA64D5
gpg: gpg-agent is not available in this session
gpg: Sorry, no terminal at all requested - can't get input

Best Answer

Looking at the versions reveals the problem:

% gpg-agent --version
gpg-agent (GnuPG) 2.1.7

% gpg --version                                                               
gpg (GnuPG) 1.4.19

The components come from different packages (gnupg2-2.1.7-1.fc22.x86_64 and gnupg-1.4.19-2.fc22.x86_64 in my case). The solution is to use the gpg2 command instead of gpg.

Related Solutions

How to make gpg-agent forget the passphrase automatically

You can use the --default-cache-ttl option to set how long to keep an entry around:

eval $(gpg-agent --default-cache-ttl 300)

will cache for five minutes. You can also set this in your gpg-agent.conf file:

default-cache-ttl 300

The default is ten minutes (600 seconds). These timeouts will be reset when you use the key. max-cache-ttl sets the upper limit before reentering the passphrase.

How does GPG agent work

Gpg-agent is a program that runs in the background (a daemon) and stores GPG secret keys in memory. When a GPG process needs the key, it contacts the running gpg-agent program through a socket and requests the key. If the agent process has the key, it provides it to gpg. If it doesn't, it attempts to load the encrypted key from your keyring, and prompts you for the key's passphrase. Once the agent has obtained the decrypted key, it passes it to the gpg process. In addition to GPG keys, Gpg-agent can similarly store SSH keys and provide them to SSH processes, like the ssh-agent program that comes with SSH.

The main point of using a key agent is so that you don't have to type your passphrase every single time you use your key. The agent keeps the key in memory from one time to the next. GPG itself can't do that because the process terminates once it's done its job.

Another thing that a key agent can do is allow GPG running on a remote machine to obtain keys in the local agent (which may load them from a local file and prompt for your passphrase). Gpg-agent can't do this yet, it is a planned feature. SSH has had agent forwarding for a very long time. (This is a reason not to use gpg-agent for SSH keys.)

GPG 1.x or 2.0.x knows that the agent is running because the GPG_AGENT_INFO variable is set. This variable contains the location of the socket to communicate with the agent as well as the process ID of the agent. GPG 2.1 always places the agent socket in ~/.gnupg. GPG 2.x always starts an agent process if one isn't running.

You can start the agent simply by running gpg-agent. If you want to keep an agent process as part of your session, you can replace the invocation of your session manager by gpg-agent my-session-manager; some distributions set this up automatically. GPG will automatically start the agent, and GPG 2.1 will additionally find a running agent without needing an environment variable, so you don't need to start it this way unless you use an older version of GPG or you use the agent to store other types of keys such as SSH.

You can send the agent commands with the gpg-connect-agent shell command. Send the kill command to kill the agent process (or send it a signal).

Gpg-agent ships with GPG itself. Some distributions package it separately.

Best Answer

Related Solutions

How to make gpg-agent forget the passphrase automatically

How does GPG agent work

Related Question