Hello,
I was wondering if gpg-agent on your system keeps the keys unlocked for the session.
My experience is that it doesn't. According to the documentation, the passphrase cache would be removed in 2 hours [1].
I am using gpg encrypted KWallet and according to KWallet's upstream developer the passphrase remains cached on his system for the session. Please see the bug report for more information [2].
My only guess is that his distribution might be making the choice on his behalf.
How does your Fedora box behave? Are you asked to re-enter the gpg passphrase after some time? Or does it tend to keep the cache for the session?
[1] https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-O...
[2] https://bugs.kde.org/show_bug.cgi?id=336955
On 07/16/14 00:43, Sudhir Khanger wrote:
> Hello,
> I was wondering if gpg-agent on your system keeps the keys unlocked for the session.
> My experience is that it doesn't. According to the documentation, the passphrase cache would be removed in 2 hours [1].
> I am using gpg encrypted KWallet and according to KWallet's upstream developer the passphrase remains cached on his system for the session. Please see the bug report for more information [2].
> My only guess is that his distribution might be making the choice on his behalf.
> How does your Fedora box behave? Are you asked to re-enter the gpg passphrase after some time? Or does it tend to keep the cache for the session?
I wonder if you're not talking about 2 different things.....
First, when it comes to gpg-agent, I believe the cache time for the passphrase is determined by --default-cache-ttl which defaults to 600 seconds. This can be changed on a per-user basis in the ~/.gnupg/gpg-agent.conf file.
Then, when it comes to kwallet, it can be configured to "Close Wallet" based on 3 criteria. I have mine simply set to "Close when last application stops using it" and I never get prompted again during a login session.
On Wed, Jul 16, 2014 at 8:57 AM, Ed Greshko <ed.greshko@greshko.com> wrote:
> First, when it comes to gpg-agent, I believe the cache time for the passphrase is determined by --default-cache-ttl which defaults to 600 seconds. This can be changed on a per-user basis in the ~/.gnupg/gpg-agent.conf file.
You are right. If we are only talking about gpg-agent keeping cache then it will inevitably expire in maximum 2 hours. Those are the default settings even if you don't set ~/.gnupg/gpg-agent.conf.
--default-cache-ttl n: Set the time a cache entry is valid to n seconds. The default is 600 seconds.
--max-cache-ttl n: Set the maximum time a cache entry is valid to n seconds. The default is 2 hours (7200 seconds).
> Then, when it comes to kwallet, it can be configured to "Close Wallet" based on 3 criteria. I have mine simply set to "Close when last application stops using it" and I never get prompted again during a login session.
In a gpg-encrypted kwallet, as long as gpg-agent can keep the gpg key unlocked, it can unlock the kwallet right away even if it locks itself. Does that make sense?
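The two options quoted above interact in a way that is easy to miss: default-cache-ttl is an idle timeout that is reset every time the cached passphrase is used, while max-cache-ttl is an absolute ceiling measured from when the entry was cached, so raising only default-cache-ttl still leaves the key expiring after 7200 seconds. The following script is an added example and not part of this thread: it reads a gpg-agent.conf (a constructed file here, not anyone's real configuration), applies the documented defaults for missing options, and reports the effective lifetimes. The helper names (conf_value, effective_idle_ttl, effective_max_ttl, demo) are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Reports the effective
# passphrase-cache lifetimes gpg-agent will use for a given gpg-agent.conf,
# applying the documented defaults: default-cache-ttl 600 s, max-cache-ttl 7200 s.

# Print the numeric value of OPTION from FILE, or DEFAULT when the option is
# absent or commented out. Usage: conf_value FILE OPTION DEFAULT
conf_value() {
    _v=$(sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$1" | tail -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Idle timeout actually in force: default-cache-ttl is reset on each use of the
# cached passphrase, but it can never outlive max-cache-ttl, so clamp it.
effective_idle_ttl() {
    d=$(conf_value "$1" default-cache-ttl 600)
    m=$(conf_value "$1" max-cache-ttl 7200)
    if [ "$d" -gt "$m" ]; then echo "$m"; else echo "$d"; fi
}

# Absolute ceiling: after this many seconds the entry expires even if it was
# used a moment ago.
effective_max_ttl() {
    conf_value "$1" max-cache-ttl 7200
}

# Demonstration on a constructed gpg-agent.conf that raises only the idle
# timeout; the 2-hour ceiling still applies because max-cache-ttl is left at
# its default.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed example gpg-agent.conf
default-cache-ttl 14400
# max-cache-ttl 86400   (commented out, so the 7200 s default still applies)
EOF
    printf 'idle timeout: %s s, hard ceiling: %s s\n' \
        "$(effective_idle_ttl "$tmp")" "$(effective_max_ttl "$tmp")"
    rm -f "$tmp"
}

demo
# The running agent's view can be compared with:
#   gpgconf --list-options gpg-agent
# and a changed gpg-agent.conf is picked up with:
#   gpg-connect-agent reloadagent /bye
```

For the constructed file the script prints an idle timeout of 7200 s and a hard ceiling of 7200 s: the 14400 s idle value is capped by the untouched max-cache-ttl, which is the behaviour the thread describes as "inevitably expire in maximum 2 hours".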
On 07/16/14 12:06, Sudhir Khanger wrote:
> Then, when it comes to kwallet, it can be configured to "Close Wallet" based on 3 criteria. I have mine simply set to "Close when last application stops using it" and I never get prompted again during a login session.
> In a gpg-encrypted kwallet, as long as gpg-agent can keep the gpg key unlocked, it can unlock the kwallet right away even if it locks itself. Does that make sense?
That would be true, and make sense *if* the wallet were being closed and opened again. But that is not the case with the setting and the way I use it. Once opened, it never closes until no longer being used. So, even after 2 hours the wallet remains opened and no passphrase is needed/used to keep it open. It remains unlocked.
On Wed, Jul 16, 2014 at 10:57 AM, Ed Greshko <ed.greshko@greshko.com> wrote:
> But that is not the case with the setting and the way I use it.
Are you using the gpg-encrypted or the Blowfish-algorithm-encrypted kwallet?
Things will be pretty swifty once pam-kwallet along with 4.13 come to stable repositories. KDM will be able to also unlock kwallet once per session, no more constantly having to enter the password. But automating it would mean losing the comfort of security. Anyways.
On 07/16/14 17:13, Sudhir Khanger wrote:
> On Wed, Jul 16, 2014 at 10:57 AM, Ed Greshko <ed.greshko@greshko.com> wrote:
>> But that is not the case with the setting and the way I use it.
> Are you using the gpg-encrypted or the Blowfish-algorithm-encrypted kwallet?
Using gpg-encrypted.
> Things will be pretty swifty once pam-kwallet along with 4.13 come to stable repositories. KDM will be able to also unlock kwallet once per session, no more constantly having to enter the password. But automating it would mean losing the comfort of security. Anyways.
Everything is fine for me now. As I mentioned. I am never prompted for my passphrase from kwallet.
I am prompted, and expect to be prompted, when doing things such as signing this email as that is done via the gpg-agent.