12

I want to work with gpg-encrypted files using Emacs, and would like to be able to enter the passphrase for each encrypted file only once per Emacs session.

I used to be able to do this by setting the variable epa-file-cache-passphrase-for-symmetric-encryption to t, but this no longer works. The explanation can be found in the last line of the documentation for the variable epa-file-cache-passphrase-for-symmetric-encryption:

(defcustom epa-file-cache-passphrase-for-symmetric-encryption nil
  "If non-nil, cache passphrase for symmetric encryption.

For security reasons, this option is turned off by default and
not recommended to use.  Instead, consider using gpg-agent which
does the same job in a safer way.  See Info node `(epa) Caching
Passphrases' for more information.

Note that this option has no effect if you use GnuPG 2.0."
  :type 'boolean
  :group 'epa-file)

After a recent system update, the gpg in my system is now version 2.1.8, which renders epa-file-cache-passphrase-for-symmetric-encryption ineffective.

The references mentioned in the documentation above lead to a page that just tells you, again, to use gpg-agent, but says nothing about how to do it. I have not been able to find clear instructions on how to set up gpg-agent for the use-case I described at the beginning of this post. Any help would be appreciated.

FWIW, ps tells me that /usr/bin/gpg-agent --supervised is indeed running. What else must I do to get it to cache the passphrases I enter when working with *.gpg files?

Also, the value of my epg-gpg-program variable is /usr/bin/gpg, which refers to the installed version 2.1.8 instance of gpg mentioned earlier.

The versions of Emacs I am using are 26.0.50 and 27.0.50. For both cases, the version of the epa package is 23.1.

kjo
  • You can use the `pinentry` package per [this answer](https://unix.stackexchange.com/questions/55638/can-emacs-use-gpg-agent-in-a-terminal-at-all/278875#278875): – Felipe Lema Oct 05 '18 at 14:09
  • @FelipeLema: For me, using pinentry changed things so that the passwords are saved for decryption when opening the file, but I still have to enter them twice for encryption while saving. :-( – Weidenrinde Feb 28 '19 at 13:44

1 Answer

5

https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

In this documentation, the options you might be interested in are:

  • default-cache-ttl n: Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset. To set an entry’s maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
  • max-cache-ttl n: Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).

You could set this in the config file ~/.gnupg/gpg-agent.conf,

e.g.: default-cache-ttl 86400

It seems gpg-agent doesn't support caching passwords for an entire session.

junnu
  • Thanks, but this does not work for me. Even after reconfiguring (with long cache times) and restarting `gpg-agent`, I still get prompted for my passphrase (*twice*) every time I try to save a `*.gpg` file. – kjo Oct 11 '18 at 22:52
  • could you confirm whether the caching works when decrypting in terminal? – junnu Oct 12 '18 at 14:26
  • Caching works when *decrypting*, both from within Emacs and from the terminal. The problem arises when I try to *save* a `*.gpg` file (after making some changes to it). Then I *always* get prompted for my passphrase, *twice*. (Incidentally, this is relatively new behavior. It used to be the case that caching worked both for decrypting and encrypting from Emacs.) Likewise, caching does not work when I try to encrypt stuff with `--symmetric` from the terminal. – kjo Oct 14 '18 at 00:28
  • I am reluctant to award the bounty here, since your answer did not solve my problem, and, in any case, it was not as detailed as I expected. – kjo Oct 15 '18 at 11:39
  • Okay, no issues. I didn't find any documentation mentioning gpg-agent using the cached password for symmetric encryption, and here https://www.reddit.com/r/emacs/comments/5skzsu/does_password_caching_for_symmetric_encryption/ it is mentioned that "GnuPG 2 is intentionally (by its developers and by the EPA/EPG developer) not supporting caching passphrases. Install GnuPG 1. It's not related to the Emacs version." But no manual reference is mentioned there. If possible, you could try other solutions which might involve caching from the Emacs side. – junnu Oct 15 '18 at 14:40
  • At first I thought this was a nice security feature, having to enter the passphrase twice when saving, but in retrospect, I think it's a bad and dangerous design of GnuPG. I wouldn't mind having to re-enter the passphrase once upon saving, as a check that that passphrase would match the one used to decrypt the file in the first place. The current situation allows a security loophole: if someone accesses a computer where an encrypted file has been decrypted and is available for editing, that person could now modify it and encrypt it with a different passphrase. – armando.sano Sep 02 '19 at 10:56
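As an added example (not part of junnu's answer above, and not GnuPG's own tooling), the following POSIX shell script applies the gpg-agent.conf change the answer suggests in an idempotent way and then asks the running agent to re-read its configuration with `gpgconf --reload gpg-agent`. It sets max-cache-ttl alongside default-cache-ttl because, per the manual text quoted in the answer, max-cache-ttl (default 7200 seconds) expires an entry no matter how recently it was accessed, so raising only default-cache-ttl to 86400 still leaves a two-hour cap. The function names, the GPG_AGENT_CONF override and the sample config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: manage cache-TTL options in gpg-agent.conf and reload the agent.
# Function names and the GPG_AGENT_CONF override are assumptions for this example.
set -eu

# Path of the agent config; override for testing, defaults to the real one.
GPG_AGENT_CONF="${GPG_AGENT_CONF:-$HOME/.gnupg/gpg-agent.conf}"

# set_agent_option FILE KEY VALUE
# Rewrite an existing "KEY VALUE" line in place or append one if absent.
# Comment lines and every other option are left exactly as they were.
set_agent_option() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"   # keep the agent config private to the owner
    tmp=$(mktemp "$file.XXXXXX")
    awk -v k="$key" -v v="$value" '
        $1 == k { print k " " v; done = 1; next }   # replace the first matching line
        { print }                                    # pass everything else through
        END { if (!done) print k " " v }            # append when the key was missing
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_agent_option FILE KEY
# Print the current value of KEY, or nothing if it is not set.
get_agent_option() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# apply_cache_ttl FILE SECONDS
# Set both TTLs: default-cache-ttl alone is still capped by max-cache-ttl.
apply_cache_ttl() {
    file=$1; ttl=$2
    set_agent_option "$file" default-cache-ttl "$ttl"
    set_agent_option "$file" max-cache-ttl "$ttl"
}

# reload_agent
# Make the running agent re-read gpg-agent.conf; a no-op without gpgconf.
reload_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    fi
}

# Usage: sh this-script.sh apply [SECONDS]   (defaults to one day, as in the answer)
if [ "${1:-}" = "apply" ]; then
    apply_cache_ttl "$GPG_AGENT_CONF" "${2:-86400}"
    reload_agent
fi
```

Note that a longer TTL means the passphrase stays usable, without a prompt, by anything that can reach the agent socket in that session for the whole period, so pick the smallest value that fits the editing session. As the comments above record, this only affects decryption: symmetric encryption on save still prompts, and the script does not change that.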