I encrypted one file with gpg -c <file> and closed the terminal. After a while, I tried to decrypt it with gpg <file> and it decrypted it without asking for a password. Is that normal? How can I guarantee that gpg will ask for a password, even on the same computer?
6 Answers
This is normal, gpg now uses gpg-agent to manage private keys, and the agent caches keys for a certain amount of time (up to two hours by default, with a ten minute inactivity timeout).
To change the defaults, create or edit a file named ~/.gnupg/gpg-agent.conf, and use the following entries:
default-cache-ttl specifies the amount of time a cache entry is kept after its last use, in seconds (600 by default);
max-cache-ttl specifies the maximum amount of time a cache entry is kept, in seconds (7200 by default).
For example:
default-cache-ttl 300
max-cache-ttl 1200
will change these to 300s and 1200s respectively.
After changing these, you’ll need to reload the configuration:
gpgconf --reload all
If you just want to force gpg to forget its cached passwords and ask for a password again when you try to decrypt a file, see my new answer here. – Gabriel Staples Aug 02 '23 at 18:49
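A small POSIX shell helper, added here as an example and not part of the answer above, that sets these two options idempotently (replacing an existing line instead of appending a duplicate), keeps the usual restrictive permissions on the GnuPG directory, and then reloads the agent. The function names and the use of GNUPGHOME to locate the directory are my assumptions.

```shell
# Set one gpg-agent.conf option, replacing any existing line for it.
# Usage: set_agent_option <option> <value>, e.g. set_agent_option default-cache-ttl 300
# Honours $GNUPGHOME so it can be exercised against a scratch directory.
set_agent_option() {
    opt=$1; val=$2
    home=${GNUPGHOME:-$HOME/.gnupg}
    conf="$home/gpg-agent.conf"
    mkdir -p "$home" && chmod 700 "$home"      # gpg warns on unsafe permissions
    [ -f "$conf" ] || : > "$conf"
    # Drop the old line for this option only; comments and other options stay.
    grep -Ev "^[[:space:]]*$opt([[:space:]]|$)" "$conf" > "$conf.tmp" || true
    printf '%s %s\n' "$opt" "$val" >> "$conf.tmp"
    mv "$conf.tmp" "$conf" && chmod 600 "$conf"
}

# Read back the value of an option from gpg-agent.conf (last occurrence wins).
get_agent_option() {
    home=${GNUPGHOME:-$HOME/.gnupg}
    awk -v o="$1" '$1 == o { v = $2 } END { print v }' "$home/gpg-agent.conf"
}

# Apply both TTLs (seconds) and ask a running agent to reread its configuration.
apply_cache_ttl() {
    set_agent_option default-cache-ttl "$1"
    set_agent_option max-cache-ttl "$2"
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent || echo "reload failed; run: gpgconf --reload gpg-agent" >&2
    fi
}
```

Calling apply_cache_ttl 300 1200 reproduces the values in the answer; rerunning it leaves exactly one line per option.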
To make gpg >=2.1 always ask for a passphrase, run it with gpg --pinentry-mode loopback.
To make gpg >=2.2.7 always ask for a passphrase for --symmetric (-c) encryption, run it with gpg --no-symkey-cache.
--no-symkey-cache worked, but it's not on the help list of commands. Any idea why? Version is 2.2.19, Ubuntu 20.04. – Evandro Pomatti Jan 03 '22 at 19:36
@EvandroPomatti it is displayed via the man command underneath the --symmetric option, as mentioned by @anonymous – ajmeese7 Jun 12 '22 at 17:23
GnuPG 2.2.15
--symmetric, -c  Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option. This command may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase). gpg caches the passphrase used for symmetric encryption so that a decrypt operation may not require that the user needs to enter the passphrase. The option --no-symkey-cache can be used to disable this feature.
# encrypt files
gpg -c --no-symkey-cache file.txt
# decrypt files
gpg --no-symkey-cache file.txt.gpg
With the --no-symkey-cache option, it will not cache your password.
@Kusalananda♦ I think my answer "guarantee that gpg will ask for a password", every time – anonymous Nov 25 '19 at 04:18
Apologies, I missed the fact that the user was doing symmetric encryption. – Kusalananda Nov 25 '19 at 06:02
This works but --no-symkey-cache doesn't show as an option in the help, I'm using 2.2.19. – Evandro Pomatti Jan 03 '22 at 19:38
Just adding up... I use this simple function on my .bashrc, so that every time I want to force the password to be prompted again I can easily do so by just running gpg-reload from my terminal instead of waiting for the cache to be automatically cleared:
gpg-reload(){
    # stop the smartcard daemon and the agent; both restart on demand
    pkill scdaemon
    pkill gpg-agent
    # start a fresh agent, whose passphrase cache is empty
    gpg-connect-agent /bye >/dev/null 2>&1
    # tell the new agent to use the current terminal for pinentry
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    # make the agent reread ~/.gnupg/gpg-agent.conf
    gpgconf --reload gpg-agent
}
Hope it helps!
It would be better to use gpgconf --kill all in place of those kill -9 calls that you have. It's never a good idea to use kill -9, and if you really need to signal something based on its name, pkill would be a better tool. – Kusalananda Sep 26 '19 at 15:53
Was not aware of the --kill all option; it seems that on gpgconf version 2.0.22, which I'm using right now, this option is not available.... Indeed, "kill -9" might be a bit rude... updating the response to use pkill as suggested, since it's a better way to handle it :-) thx for the input! – silveiralexf Sep 26 '19 at 18:07
Force gpg to forget all cached passwords
How to guarantee that gpg will ask for a password, even in my same computer?
Quick answer:
gpg-connect-agent reloadagent /bye
Details:
If your goal is just to test to ensure that 1) a file is actually password-protected, and 2) you actually know and typed in your password correctly when you protected it, then you can force gpg to forget the cached password and request the decryption password again like this (as @wisbucky said in this comment):
# force gpg to forget your temporarily cached passwords
gpg-connect-agent reloadagent /bye
Then, you can decrypt a file like this, and it will now ask for your password again!:
# decrypt a gpg-encrypted file
gpg myfile.txt.gpg
This assumes that myfile.txt was previously password-encrypted using gpg, like this:
# encrypt myfile.txt into myfile.txt.gpg
gpg -c myfile.txt
Is your private key tied to a password? This is something you set at key creation time.
If not, GPG won't ask for a password, as none is required. It will simply rely on the key you provide.
And if so, should you have entered your password during another operation right before, GPG will not ask for this password again until a few minutes have passed.
gpg-agent caches it for 10 minutes by default (GnuPG 2.2). – Kusalananda Oct 03 '17 at 15:37