How to tell gpg that I do not want password caching for a specific program


I'm using gnupg 2.1.2. Usually it is quite handy when gnupg caches my passwords. But for some sensitive programs I would prefer that gnupg does not cache them with gpg-agent. I searched a good while on the internet but did not find a lot of useful information. How can I tell gnupg that I do not want a passphrase for a specific program cached?

Here is an example. I'm using Mutt as my MUA and I encrypt my passwords for all my accounts in a separate file under ~/.mutt/.passwd.gpg. In my ~/.muttrc I set

source "/usr/bin/gpg -d --quiet  ~/.mutt/.passwd.gpg |"

When I start Mutt for the first time I will be asked for my private key password by gpg. When I have entered it, this password will be cached for some time by gpg. Hence, when I start Mutt again in this interval I am not prompted for my private key password anymore. This means anyone with access to my computer during this time could read my mail or even send mail. How can I tell gpg (e.g. by passing an option to gpg, although the man-page does not show any related flag) to prompt for my private key password every time I start Mutt (or any other specific program)? I realize it may not even be possible, as gpg is probably unaware of which program tries to access an encrypted file. But I'd like to have this confirmed by our great community.

Best Answer

The documentation for gpg-agent says "gpg-agent uses an environment variable to inform clients about the communication parameters". It doesn't give the actual environment variable name, but some testing indicates that the relevant variable is GPG_AGENT_INFO. I would suggest changing your mutt config to the following:

source "unset GPG_AGENT_INFO; /usr/bin/gpg -d --quiet  ~/.mutt/.passwd.gpg |"

A perhaps simpler solution would be to pass --no-use-agent to gpg.

Note that this doesn't prevent an attacker from calling gpg with the agent enabled, if your credentials have been cached (perhaps because you let gpg-agent cache them from outside of Mutt). So, even if gpg-agent knew to discriminate against mutt specifically, it wouldn't be a very strong security measure.
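As an added example (not part of the question or the answer above), here is a different approach that addresses the caveat in the last paragraph: instead of trying to keep one program away from the agent, decrypt the file as usual and then tell a running gpg-agent to drop everything it has cached, so the passphrase entered for this program is not left behind for later callers. It assumes GnuPG 2.1 (where gpg always talks to gpg-agent for private-key operations), that gpg and gpg-connect-agent are on PATH, and that Mutt passes the `source "... |"` string to the shell, which the pipe syntax already requires. The function names are made up for this example; `reloadagent` and `--no-autostart` are real gpg-connect-agent features.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Decrypt a file with gpg, then flush gpg-agent's passphrase cache so the
# private-key passphrase used here is not left cached for later callers.
# Assumptions: GnuPG 2.1 with gpg and gpg-connect-agent on PATH; an agent
# may or may not already be running.

flush_agent_cache() {
    # 'reloadagent' makes a running gpg-agent forget all cached passphrases.
    # --no-autostart: if no agent is running, nothing is cached, so do not
    # start one just to flush it; the resulting error is ignored.
    command -v gpg-connect-agent >/dev/null 2>&1 || return 0
    gpg-connect-agent --no-autostart reloadagent /bye >/dev/null 2>&1 || true
}

# Usage: gpg_decrypt_nocache FILE.gpg
# Prints the plaintext to stdout and returns gpg's exit status. The agent
# cache is flushed whether or not decryption succeeded.
gpg_decrypt_nocache() {
    file=$1
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found" >&2
        return 127
    fi
    gpg -d --quiet "$file"
    status=$?
    flush_agent_cache
    return "$status"
}

# When run as a script, decrypt the file named on the command line. The
# .muttrc line from the question would then become (path is hypothetical):
#   source "/path/to/gpg-nocache.sh ~/.mutt/.passwd.gpg |"
[ $# -gt 0 ] && gpg_decrypt_nocache "$1"
```

Note what this does and does not buy you: the passphrase is still cached between the pinentry prompt and the flush, but only for the duration of the decryption, and anything cached earlier by other programs is flushed as well, which is the gap the answer points out. It does not protect against someone who can run gpg while Mutt's pinentry is open, nor against Mutt itself holding the decrypted passwords in memory for the rest of the session.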
