I encrypted one file with gpg -c <file> and closed the terminal. After a while, I tried to decrypt it with gpg <file> and it decrypted it, without asking for a password. Is that normal? How can I guarantee that gpg will ask for a password, even on my same computer?
6 Answers
This is normal: gpg now uses gpg-agent to manage private keys, and the agent caches keys for a certain amount of time (up to two hours by default, with a ten minute inactivity timeout).
To change the defaults, create or edit a file named ~/.gnupg/gpg-agent.conf, and use the following entries:
default-cache-ttl specifies the amount of time a cache entry is kept after its last use, in seconds (600 by default);
max-cache-ttl specifies the maximum amount of time a cache entry is kept, in seconds (7200 by default).
For example:
default-cache-ttl 300
max-cache-ttl 1200
will change these to 300s and 1200s respectively.
After changing these, you'll need to reload the configuration:
gpgconf --reload all

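The two gpg-agent.conf entries in the answer above can be managed from a script rather than by hand. The following is an added example, not code from any answer on this page: a POSIX sh function that rewrites default-cache-ttl and max-cache-ttl in a gpg-agent.conf (the file path is a parameter, so it can be pointed at a temporary directory instead of ~/.gnupg), leaves every other line in the file alone, and rejects a default that exceeds the maximum, since max-cache-ttl expires an entry regardless of recent use. A second function reads a value back, falling back to the GnuPG default quoted in the answer when the key is absent. The gpgconf reload from the answer is only mentioned in a comment so the example runs without GnuPG installed.

```shell
#!/bin/sh
# Added example: idempotently set gpg-agent cache TTLs in a config file.
# Assumes only POSIX sh, grep, awk, mv and printf; the config path is an
# argument so the example can target a scratch directory.

set_agent_ttl() {
  # $1 = path to gpg-agent.conf, $2 = default-cache-ttl, $3 = max-cache-ttl (seconds)
  conf=$1; dflt=$2; max=$3
  # A default larger than the maximum is pointless: max-cache-ttl wins.
  [ "$dflt" -le "$max" ] || {
    echo "default-cache-ttl ($dflt) must not exceed max-cache-ttl ($max)" >&2
    return 1
  }
  touch "$conf"
  # Keep every line except existing settings of the two keys ...
  # (grep -v exits 1 when nothing is left, which is not an error here)
  grep -v -E '^(default-cache-ttl|max-cache-ttl)[[:space:]]' "$conf" > "$conf.tmp" || true
  # ... then append the new values.
  printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$dflt" "$max" >> "$conf.tmp"
  mv "$conf.tmp" "$conf"
  # After editing the real ~/.gnupg/gpg-agent.conf, apply it with:
  #   gpgconf --reload gpg-agent
}

get_agent_ttl() {
  # $1 = path to gpg-agent.conf, $2 = key, $3 = value to report when unset
  # Last occurrence wins, matching how a later line overrides an earlier one.
  awk -v key="$2" -v dflt="$3" '$1 == key { v = $2 } END { print (v == "" ? dflt : v) }' "$1"
}
```

Usage: set_agent_ttl "$HOME/.gnupg/gpg-agent.conf" 300 1200, then gpgconf --reload gpg-agent. The getter is handy for confirming what the file says before the reload; it does not ask the running agent, so it reports the file's contents, not the live setting.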
If you just want to force gpg to forget its cached passwords and ask for a password again when you try to decrypt a file, see my new answer here. – Gabriel Staples Aug 02 '23 at 18:49
To make gpg >=2.1 always ask for a passphrase, run it with gpg --pinentry-mode loopback.
To make gpg >=2.2.7 always ask for a passphrase for --symmetric (-c) encryption, run it with gpg --no-symkey-cache.

--no-symkey-cache worked, but it's not on the help list of commands. Any idea why? Version is 2.2.19, Ubuntu 20.04. – Evandro Pomatti Jan 03 '22 at 19:36
@EvandroPomatti it is displayed via the man command underneath the --symmetric option, as mentioned by @anonymous – ajmeese7 Jun 12 '22 at 17:23
GnuPG 2.2.15
--symmetric -c Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option. This command may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase). gpg caches the passphrase used for symmetric encryption so that a decrypt operation may not require that the user needs to enter the passphrase. The option --no-symkey-cache can be used to disable this feature.
# encrypt files
gpg -c --no-symkey-cache file.txt
# decrypt files
gpg --no-symkey-cache file.txt.gpg
With the --no-symkey-cache option, it will not cache your password.

@Kusalananda♦ I think my answer "guarantee that gpg will ask for a password", every time – anonymous Nov 25 '19 at 04:18
Apologies, I missed the fact that the user was doing symmetric encryption. – Kusalananda Nov 25 '19 at 06:02
This works but --no-symkey-cache doesn't show as an option in the help, I'm using 2.2.19. – Evandro Pomatti Jan 03 '22 at 19:38
Just adding up... I use this simple function in my .bashrc, so that every time I want to force the password to be prompted again I can easily do so by just running gpg-reload from my terminal instead of waiting for the cache to be automatically cleared:
gpg-reload(){
    # stop the smartcard daemon and the agent (this drops every cached passphrase)
    pkill scdaemon
    pkill gpg-agent
    # start a fresh agent and point it at the current terminal for pinentry
    gpg-connect-agent /bye >/dev/null 2>&1
    gpg-connect-agent updatestartuptty /bye >/dev/null 2>&1
    # make the new agent re-read gpg-agent.conf
    gpgconf --reload gpg-agent
}
Hope it helps!

It would be better to use gpgconf --kill all in place of those kill -9 calls that you have. It's never a good idea to use kill -9, and if you really need to signal something based on its name, pkill would be a better tool. – Kusalananda Sep 26 '19 at 15:53
Was not aware of the --kill all option; it seems on gpgconf version 2.0.22, which I'm using right now, this option is not available.... Indeed, "kill -9" might be a bit rude... updating the response to use pkill as suggested, since it's a better way to handle it :-) thx for the input! – silveiralexf Sep 26 '19 at 18:07
Force gpg to forget all cached passwords
How to guarantee that gpg will ask for a password, even in my same computer?
Quick answer:
gpg-connect-agent reloadagent /bye
Details:
If your goal is just to test to ensure that 1) a file is actually password-protected, and 2) you actually know and typed in your password correctly when you protected it, then you can force gpg to forget the cached password and request the decryption password again like this (like @wisbucky said in this comment):
# force gpg to forget your temporarily cached passwords
gpg-connect-agent reloadagent /bye
Then you can decrypt a file like this, and it will now ask for your password again:
# decrypt a gpg-encrypted file
gpg myfile.txt.gpg
This assumes that myfile.txt was previously password-encrypted using gpg, like this:
# encrypt myfile.txt into myfile.txt.gpg
gpg -c myfile.txt

Is your private key tied to a password? This is something you set at key creation time.
If not, GPG won't ask for a password, as none is required. It will simply rely on the key you provide.
And if so, should you have entered your password during another operation right before, GPG will not ask for this password again until a few minutes have passed.
gpg-agent caches it for 10 minutes by default (GnuPG 2.2). – Kusalananda Oct 03 '17 at 15:37