Can I enter my gpg password just once and unlock all my sub keys (signing, decryption, authentication)?
At the moment, I need to enter my gpg password three times (for signing, for decryption, for authentication). This is inconvenient.
I tried to come up with a shell script.
#!/bin/bash
set -x
set -e
set +o history
signing_key=77BB3C48
encryption_key=CE998547
tempfile="$(mktemp)"
echo "test" > "$tempfile"   # write the test data into the temp file, not into ./testfile
unset passphrase || exit 1
read -sp 'Enter password. ' passphrase ; echo
exec 3<<<"$passphrase"      # hand the passphrase to gpg2 on fd 3, keeping it off the command line
gpg2 --no-tty --use-agent --batch --yes --passphrase-fd 3 --sign-with "$signing_key" --clearsign "$tempfile"
gpg2 --no-tty --use-agent --verify "$tempfile.asc"
gpg2 --no-tty --use-agent --yes --armor --recipient "$encryption_key" --encrypt "$tempfile"   # overwrites "$tempfile.asc" with the encrypted copy
exec 3<<<"$passphrase"      # fd 3 was consumed by the first gpg2 call; reopen it for the decrypt
gpg2 --no-tty --use-agent --batch --decrypt --passphrase-fd 3 "$tempfile.asc"
But unfortunately, that way gnupg-agent doesn't cache the password. Can this be fixed?
System information:
- When not using that shell script, I have no issues with gnupg-agent. When I manually sign / decrypt a file in shell, pinentry asks for password twice, then caches it until reboot.
- Using Debian Wheezy.
- gpg version:
dpkg -l | grep gnupg
ii gnupg 1.4.12-7+deb7u3 i386 GNU privacy guard - a free PGP replacement
ii gnupg-agent 2.0.22-3 i386 GNU privacy guard - password agent
ii gnupg-curl 1.4.12-7+deb7u3 i386 GNU privacy guard - a free PGP replacement (cURL)
ii gnupg2 2.0.22-3 i386 GNU privacy guard - a free PGP replacement (new v2.x)
I asked on the gnupg-users mailing list a while ago, but got no reply.
Perhaps this answer would work? Perhaps gpg-connect-agent is required?
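One way to get the single-prompt behaviour the question is after, as an added example that is not from the question or the answer: preload the passphrase into gpg-agent once with gpg-preset-passphrase (shipped with GnuPG 2; the Debian install path is assumed) under each subkey's keygrip, so the later gpg2 calls find it cached instead of prompting. It assumes allow-preset-passphrase is set in gpg-agent.conf, and the keygrips are constructed placeholders to replace with your own (gpg2 --with-keygrip --list-secret-keys prints them on GnuPG 2.1 and later).

```bash
#!/bin/bash
# Added example, not code from the question or the answer: cache one
# passphrase in gpg-agent for every subkey via gpg-preset-passphrase.
# Assumptions: gpg-agent.conf has "allow-preset-passphrase", the binary
# lives at the Debian path, and KEYGRIPS are placeholders (replace them
# with the 40-hex-digit keygrips of your signing/encryption/auth subkeys).
set -e

PRESET_BIN="${PRESET_BIN:-/usr/lib/gnupg2/gpg-preset-passphrase}"
AGENT_CONF="${AGENT_CONF:-$HOME/.gnupg/gpg-agent.conf}"
# Constructed placeholder keygrips, one per subkey; not real key material.
KEYGRIPS="$(printf '%040d %040d %040d' 1 2 3)"

# A keygrip is exactly 40 upper-case hex digits as gpg prints it. The agent
# keys its cache on that exact string, so a lower-case or truncated value
# would create an entry that gpg2 never looks up.
valid_keygrip() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# gpg-agent rejects PRESET_PASSPHRASE unless allow-preset-passphrase is an
# active (uncommented) line in its config, so check before prompting.
agent_allows_preset() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*allow-preset-passphrase([[:space:]]|$)' "$1"
}

preset_all() {
    if ! agent_allows_preset "$AGENT_CONF"; then
        echo "add 'allow-preset-passphrase' to $AGENT_CONF and restart gpg-agent" >&2
        return 1
    fi
    read -rsp 'Passphrase (cached once for all subkeys): ' passphrase; echo
    for grip in $KEYGRIPS; do
        valid_keygrip "$grip" || { echo "bad keygrip: $grip" >&2; return 1; }
        # The passphrase travels over stdin, never as an argument, so it
        # does not appear in ps output or shell history.
        printf '%s' "$passphrase" | "$PRESET_BIN" --preset "$grip"
    done
    unset passphrase
}

# Run only when invoked with PRESET_RUN=1; otherwise source and reuse.
if [ "${PRESET_RUN:-0}" = 1 ]; then preset_all; fi
```

The preset entries live until gpg-agent's max-cache-ttl expires, which is the caching the question's script was trying to get from --passphrase-fd.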
Best Answer
There is the gnome-keyring-daemon and seahorse which make key & password management very easy.
Basically if you're running gnome-keyring-daemon as a gpg agent, it has the ability to unlock your GPG keys automatically. It does this by maintaining a password keyring, which contains the passwords to things like web sites, GPG keys, SSH keys, etc. This password keyring is then secured with its own password. So you unlock it, and the gnome keyring unlocks everything else.
As an added bonus, gnome-keyring-daemon has a "login" keyring, which if its password matches your user password, the keyring is automatically unlocked when you log in.
Configuration
How to get this working? Just install gnome-keyring-daemon and seahorse. The package should do all the system configuration for you. Just make sure you're not starting another keyring daemon or GPG agent. Whichever starts last "wins", and the gnome keyring starts in the PAM stack, so extremely early.
If your GPG keys are stored in ~/.gnupg, it will automatically pick them up and act as the GPG agent for them. Same goes for SSH keys stored in ~/.ssh.
The first time you try to use the private key, you'll get a dialog that looks like this (I triggered it by a simple command line gpg -d myfile.gpg). Just select "Automatically unlock this keyring whenever I'm logged in".
Now we haven't really talked about seahorse. That's because it's not strictly necessary. All this has been done with just the regular gnome-keyring-daemon. However with seahorse you can view and manage all your keys & keyrings. And if you use centralized authentication (LDAP), you'll need to use it when you change your login password to also change the password on the "login" keyring to match it.
Other passwords
As alluded to earlier, gnome-keyring-daemon can also store web site passwords. Last time I checked chrome supports this, but firefox does not. However there is one trick to getting it working.
By default you'll have 2 keyrings, a "login" keyring, and a "default" keyring. The "default" keyring is the default (hence the name). But it's a separate keyring, so it doesn't automatically get unlocked. In seahorse, if you right-click the "login" keyring, there's an option to "set as default". Select this and it'll start getting used for passwords. I personally just delete the "default" one and use "login" for everything.