I'm seeking to cache passphrases for use on an unattended machine. As doing this poses some risk, I'd prefer choosing which passphrases get cached and avoid setting both `default-cache-ttl` and `max-cache-ttl` to obnoxiously high values as well as avoid needing to clear `gpg-agent`'s entire cache periodically, hence I'm looking for a solution with `gpg-preset-passphrase`. Some of the information I found while troubleshooting refers to older versions of GnuPG, so I'm unsure if I have sufficiently accounted for all the differences.
First, as prescribed by `man 1 gpg-agent`, I have `export GPG_TTY=$(tty)` in my `.bashrc`.
Now suppose I run `eval $(gpg-agent --daemon --allow-preset-passphrase --default-cache-ttl 1 --max-cache-ttl 31536000)` to start gpg-agent, noting that gpg-preset-passphrase still honors `--max-cache-ttl` (default 2 hours).
I then get the keygrip `$KEYGRIP` of the desired secret subkey with `gpg --with-keygrip -K`.
With that I try `/path/to/gpg-preset-passphrase -c $KEYGRIP`. Upon hitting return, this prints:
gpg-preset-passphrase: caching passphrase failed: Not implemented
Attempting again, adding `--verbose --debug 6 --log-file /path/to/gpg-agent.log` to `gpg-agent`, my log is appended with
gpg-agent[4206] listening on socket /run/user/1000/gnupg/S.gpg-agent
gpg-agent[4207] gpg-agent (GnuPG) 2.1.15 started
gpg-agent[4207] handler 0x7f86ef783700 for fd 5 started
gpg-agent[4207] command PRESET_PASSPHRASE failed: Not implemented
gpg-agent[4207] handler 0x7f86ef783700 for fd 5 terminated
I'm unsure where to proceed from this apart from diving deeper into the source, so I'm wondering if anyone can first correct the steps I'm taking.
Best Answer
It sounds like you want to send the passphrase to `gpg-preset-passphrase` over stdin, without echoing it (to avoid exposing it in the process list):

If you care about portability outside of bash:
This answer about "Here Documents" syntax (EOF) was invaluable to me: https://unix.stackexchange.com/a/88492
You also need `allow-preset-passphrase` in your `~/.gnupg/gpg-agent.conf`, as mentioned by holms.

If you're looking to do this with symmetric encryption (since I already lost my sanity to this, maybe you won't have to), see my answer here w.r.t. finding the right keygrip/cacheid to use to preset the passphrase in gpg-agent: https://superuser.com/a/1485486/1093343
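The approach the answer describes, as an added example that is not part of the question or the answer: the passphrase travels to gpg-preset-passphrase over stdin (never in argv or shell history), the keygrip is validated before it reaches the agent, and `allow-preset-passphrase` is added to gpg-agent.conf idempotently. It assumes the helper's path is supplied via `GPG_PRESET_PASSPHRASE` (defaulting to the Debian location) and that `GNUPGHOME` defaults to `~/.gnupg`; both names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Assumed defaults:
# GNUPGHOME=~/.gnupg and the helper at /usr/lib/gnupg/gpg-preset-passphrase
# (the Debian path; other distributions put it under libexec).
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
GPG_PRESET_PASSPHRASE="${GPG_PRESET_PASSPHRASE:-/usr/lib/gnupg/gpg-preset-passphrase}"

# A keygrip is exactly 40 hex characters; reject anything else early.
validate_keygrip() {
    case "$1" in
        *[!0-9A-Fa-f]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# gpg-agent answers PRESET_PASSPHRASE with "Not implemented" unless
# allow-preset-passphrase is in gpg-agent.conf; add it once, never twice.
ensure_allow_preset() {
    conf="$GNUPGHOME/gpg-agent.conf"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    touch "$conf"
    grep -qx 'allow-preset-passphrase' "$conf" || \
        echo 'allow-preset-passphrase' >> "$conf"
}

# Preset the passphrase for keygrip $1; the secret is this function's stdin,
# so it never appears in the process list. max-cache-ttl still bounds it.
preset_passphrase() {
    validate_keygrip "$1" || { echo "bad keygrip: $1" >&2; return 2; }
    "$GPG_PRESET_PASSPHRASE" --preset "$1"
}

# Interactive use: prompt with echo off (portable, no bash-only read -s),
# then hand the secret over the pipe. Usage: preset_interactive <keygrip>
preset_interactive() {
    printf 'Passphrase: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2
    printf '%s' "$pw" | preset_passphrase "$1"
}
```

After editing gpg-agent.conf, `gpg-connect-agent reloadagent /bye` makes the running agent pick up the new option.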