I'm using gnupg 2.1.2. Usually it is quite handy when gnupg caches my passwords. But for some sensitive programs I would prefer that gnupg does not cache them with gpg-agent. I searched a good while on the internet but did not find a lot of useful information. How can I tell gnupg that I do not want a passphrase for a specific program cached?

Here is an example. I'm using Mutt as my MUA and I encrypt my passwords for all my accounts in a separate file under ~/.mutt/.passwd.gpg. In my ~/.muttrc I set

    source "/usr/bin/gpg -d --quiet ~/.mutt/.passwd.gpg |"

When I start Mutt for the first time I will be asked for my private key password by gpg. When I have entered it, this password will be cached for some time by gpg. Hence, when I start Mutt again in this interval I am not prompted for my private key password anymore. This means anyone with access to my computer during this time could read my mail or even send mail. How can I tell gpg (e.g. by passing an option to gpg, although the man-page does not show any related flag) to prompt for my private key password every time I start Mutt (or any other specific program)? I realize it may not even be possible as gpg is probably unaware of which program tries to access an encrypted file. But I'd like to have this confirmed by our great community.
Best Answer
The documentation for gpg-agent says "gpg-agent uses an environment variable to inform clients about the communication parameters". It doesn't give the actual environment variable name, but some testing indicates that the relevant variable is GPG_AGENT_INFO. I would suggest changing your mutt config to the following:

A perhaps simpler solution would be to pass --no-use-agent to gpg.

Note that this doesn't prevent an attacker from calling gpg with the agent enabled, if your credentials have been cached (perhaps because you let gpg-agent cache them from outside of Mutt). So, even if gpg-agent knew to discriminate against mutt specifically, it wouldn't be a very strong security measure.
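As an added example (not part of the question or the answer above), here is a small wrapper script Mutt can source instead of calling gpg directly. It runs gpg with GPG_AGENT_INFO removed from the environment, as the answer suggests, and then asks gpg-agent to flush its passphrase cache with the documented "gpg-connect-agent reloadagent /bye" command, so that a later invocation is prompted again. The script path ~/.mutt/gpg-nocache.sh and the GPG / GPG_CONNECT_AGENT override variables are assumptions of this example. Note that GnuPG 2.1 and later always talk to the agent and ignore GPG_AGENT_INFO, so on the asker's version it is the cache flush, not the variable, that actually prevents the passphrase from lingering.

```shell
#!/bin/sh
# gpg-nocache.sh: decrypt a file for one program run without leaving the
# passphrase in gpg-agent's cache afterwards.
# Usage from ~/.muttrc (assumed path):
#   source "~/.mutt/gpg-nocache.sh ~/.mutt/.passwd.gpg |"
#
# GPG and GPG_CONNECT_AGENT can be overridden (e.g. for testing); the defaults
# are the real binaries found on $PATH.
GPG="${GPG:-gpg}"
GPG_CONNECT_AGENT="${GPG_CONNECT_AGENT:-gpg-connect-agent}"

# Run gpg in a subshell with GPG_AGENT_INFO unset, so the caller's own
# environment keeps the variable for other programs.
decrypt_without_agent() {
    (
        unset GPG_AGENT_INFO
        exec "$GPG" -d --quiet "$1"
    )
}

# Ask gpg-agent to reload: this flushes every cached passphrase, so the next
# program (or the next Mutt start) is prompted again.
flush_agent_cache() {
    "$GPG_CONNECT_AGENT" reloadagent /bye >/dev/null 2>&1
}

# Decrypt, then flush the cache regardless of whether decryption succeeded,
# and hand gpg's exit status back to the caller (Mutt sees a failed source).
decrypt_no_cache() {
    decrypt_without_agent "$1"
    status=$?
    flush_agent_cache || true
    return "$status"
}

if [ "$#" -gt 0 ]; then
    decrypt_no_cache "$1"
fi
```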