Shell – Cache all gpg subkey passwords at once? Prevent need for multiple gpg password entry

Tags: gpg, gpg-agent, shell-script

Can I enter my gpg password just once and unlock all my sub keys (signing, decryption, authentication)?

At the moment, I need to enter my gpg password three times (for signing, for decryption, for authentication). This is inconvenient.

I tried to come up with a shell script.

#!/bin/bash
set -x
set -e
set +o history

signing_key=77BB3C48
encryption_key=CE998547

# Create a scratch file and write the test content into it
# (the original wrote to a file literally named "testfile" instead).
tempfile="$(mktemp)"
echo "test" > "$tempfile"

unset passphrase || exit 1
read -sp 'Enter password. ' passphrase ; echo

# Expose the passphrase on file descriptor 3 for --passphrase-fd
exec 3<<<"$passphrase"

gpg2 --no-tty --use-agent --batch --yes --passphrase-fd 3 --sign-with "$signing_key" --clearsign "$tempfile"
gpg2 --no-tty --use-agent --verify "$tempfile.asc"

# --armor also writes to "$tempfile.asc", so this overwrites the clearsigned file (--yes)
gpg2 --no-tty --use-agent --yes --armor --recipient "$encryption_key" --encrypt "$tempfile"

# The here-string on fd 3 was consumed by the first gpg2 call, so reopen it
exec 3<<<"$passphrase"
gpg2 --no-tty --use-agent --batch --decrypt --passphrase-fd 3 "$tempfile.asc"

But unfortunately, that way gnupg-agent doesn't cache the password. Can this be fixed?

System information:

  • When not using that shell script, I have no issues with gnupg-agent. When I manually sign / decrypt a file in shell, pinentry asks for password twice, then caches it until reboot.
  • Using Debian Wheezy.
  • gpg version:

dpkg -l | grep gnupg

ii  gnupg                                        1.4.12-7+deb7u3                    i386         GNU privacy guard - a free PGP replacement
ii  gnupg-agent                                  2.0.22-3                           i386         GNU privacy guard - password agent
ii  gnupg-curl                                   1.4.12-7+deb7u3                    i386         GNU privacy guard - a free PGP replacement (cURL)
ii  gnupg2                                       2.0.22-3                           i386         GNU privacy guard - a free PGP replacement (new v2.x)

I asked on the gnupg-users mailing list a while ago, but got no reply.

Perhaps this answer would work? Perhaps gpg-connect-agent is required?
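For comparison, here is an added example (not from the question or from GnuPG's own documentation) of the gpg-connect-agent route: feed the passphrase to gpg-agent once per keygrip with gpg-preset-passphrase, then run the same sign/verify/encrypt/decrypt sequence without --passphrase-fd so that every gpg2 call goes through the agent's cache. It assumes GnuPG 2.1 or later, where the agent holds the OpenPGP private keys and `gpg2 --with-keygrip -K` prints a "Keygrip = ..." line per key (on the 2.0 setup above the keygrips would have to be supplied by hand), that gpg-agent.conf contains `allow-preset-passphrase` and the agent has been restarted, and that gpg-preset-passphrase is found at the path in GPG_PRESET_PASSPHRASE (the default below is a guess at the Debian location). The key IDs are the ones from the question; the sample listing and KEYINFO output are constructed so the parsing helpers can be exercised without a running agent.

```shell
#!/bin/bash
# Added example: preset the agent cache per subkey keygrip, then use the agent normally.
set -eu

# Path to gpg-preset-passphrase (assumption; override via the environment).
PRESET="${GPG_PRESET_PASSPHRASE:-/usr/lib/gnupg/gpg-preset-passphrase}"

# Constructed sample of `gpg2 --with-keygrip -K` output (keygrips are made up).
SAMPLE_LISTING='sec   rsa2048 2014-01-01 [SC]
      Keygrip = 0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
ssb   rsa2048 2014-01-01 [E]
      Keygrip = 0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
ssb   rsa2048 2014-01-01 [A]
      Keygrip = 0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C'

# Constructed sample of `gpg-connect-agent "keyinfo --list" /bye` output.
# Field layout: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# The seventh field is "1" when the passphrase is already cached, "-" otherwise.
SAMPLE_KEYINFO='S KEYINFO 0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A D - - - P - - -
S KEYINFO 0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B D - - 1 P - - -
S KEYINFO 0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C D - - - P - - -
OK'

# Print one keygrip per line from a --with-keygrip listing read on stdin.
keygrips_from_listing() {
    awk '$1 == "Keygrip" && $2 == "=" { print $3 }'
}

# Print only the keygrips whose cached flag is set, from KEYINFO output on stdin.
cached_keygrips_from_keyinfo() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Given a listing and KEYINFO output, print the keygrips that still need a preset.
grips_needing_preset() {
    local listing="$1" keyinfo="$2"
    {
        printf '%s\n' "$keyinfo" | cached_keygrips_from_keyinfo | sed 's/^/C /'
        printf '%s\n' "$listing" | keygrips_from_listing | sed 's/^/L /'
    } | awk '$1 == "C" { cached[$2] = 1 } $1 == "L" && !($2 in cached) { print $2 }'
}

# Hand the passphrase to the agent for every keygrip not yet cached. It goes in
# over stdin, never as a command-line argument, so it is not visible in `ps`.
preset_all_subkeys() {
    local passphrase="$1" listing keyinfo grip
    listing="$(gpg2 --with-keygrip --list-secret-keys)"
    keyinfo="$(gpg-connect-agent 'keyinfo --list' /bye)"
    for grip in $(grips_needing_preset "$listing" "$keyinfo"); do
        printf '%s' "$passphrase" | "$PRESET" --preset "$grip"
    done
}

main() {
    local signing_key=77BB3C48 encryption_key=CE998547 tempfile passphrase
    tempfile="$(mktemp)"
    trap 'rm -f "$tempfile" "$tempfile.asc"' EXIT
    echo "test" > "$tempfile"

    read -rsp 'Enter passphrase: ' passphrase; echo
    preset_all_subkeys "$passphrase"
    unset passphrase

    # No --passphrase-fd: each call asks the agent, which now has the cache primed.
    gpg2 --batch --yes --local-user "$signing_key" --clearsign "$tempfile"
    gpg2 --batch --verify "$tempfile.asc"
    gpg2 --batch --yes --armor --recipient "$encryption_key" --encrypt "$tempfile"
    gpg2 --batch --decrypt "$tempfile.asc"
}

# Only talk to the agent when asked to, so the parsing helpers can be sourced alone.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `./preset-subkeys.sh --run`. The agent's own cache TTL (default-cache-ttl / max-cache-ttl in gpg-agent.conf) still applies to presets, so the passphrase expires from memory on the same schedule as one entered through pinentry.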

Best Answer

There are the gnome-keyring-daemon and seahorse, which make key & password management very easy.

Basically, if you're running gnome-keyring-daemon as a gpg agent, it has the ability to unlock your GPG keys automatically. It does this by maintaining a password keyring, which contains the passwords to things like web sites, GPG keys, SSH keys, etc. This password keyring is then secured with its own password. So you unlock it, and the gnome keyring unlocks everything else.
As an added bonus, gnome-keyring-daemon has a "login" keyring, which, if its password matches your user password, is automatically unlocked when you log in.


Configuration

How to get this working? Just install gnome-keyring-daemon and seahorse. The package should do all the system configuration for you. Just make sure you're not starting another keyring daemon or GPG agent. Whichever starts last "wins", and the gnome keyring starts in the PAM stack, so extremely early.

If your GPG keys are stored in ~/.gnupg, it will automatically pick them up and act as the GPG agent for them. The same goes for SSH keys stored in ~/.ssh.

The first time you try to use the private key, you'll get a dialog that looks like this (I triggered it with a simple command line, gpg -d myfile.gpg):

[Image: unlock keyring dialog]

Just select "Automatically unlock this keyring whenever I'm logged in".

Now we haven't really talked about seahorse. That's because it's not strictly necessary. All this has been done with just the regular gnome-keyring-daemon. However with seahorse you can view and manage all your keys & keyrings. And if you use centralized authentication (LDAP), you'll need to use it when you change your login password to also change the password on the "login" keyring to match it.

[Image: seahorse - gpg keys]


Other passwords

As alluded to earlier, gnome-keyring-daemon can also store web site passwords. Last time I checked, chrome supports this, but firefox does not. However, there is one trick to getting it working.
By default you'll have 2 keyrings, a "login" keyring and a "default" keyring. The "default" keyring is the default (hence the name). But it's a separate keyring, so it doesn't automatically get unlocked. In seahorse, if you right-click the "login" keyring, there's an option to "set as default". Select this and it'll start getting used for passwords. I personally just delete the "default" one and use "login" for everything.
