Penguin
Recent Changes

Using GPG with an agent

Like SSH, GPG lets you use an agent to cache your PassPhrase in memory for a time, and provide it back to GPG when you would otherwise have to retype it.

On Debian/Ubuntu:

apt-get install gnupg-agent pinentry-curses

pinentry is a program to securely accept your passphrase. There are GTK and QT versions available for X users.

To start the GPG agent, run eval `gpg-agent --daemon` (I keep this in my /.bashrc).

You configure the agent in /.gnupg/gpg-agent.conf. A sample:

default-cache-ttl 3600
pinentry-program /usr/bin/pinentry-curses

This caches the pin for 3600 seconds (1 hour) and uses the curses (text mode) pin entry program.

The first time you run gpg, and would have to enter your passphrase, the pinentry program will pop up and ask for it for you. It will then be cached for the defined TTL, so you won't be asked for it again. This is useful if you're doing anything that does more than one GPG operation, such as running a script to sign two files.

I am not prompted for a passphrase when I should be

You need a passphrase to unlock the secret key for
user: "IT Partners <packages@itpartners.co.nz>"
1024-bit DSA key, ID xxxxxxx, created 2005-04-21

gpg: cancelled by user
gpg: skipped "xxxxxxxx": bad passphrase

Why wasn't I prompted for the passphrase? pinentry-curses needs a TTY, and if you don't have GPG_TTY set, it won't be able to find one if you're running from a script.

GPG_TTY=`tty` in your .bashrc will fix this for you.

Experience getting gpg going with KMail on Kubuntu 7.04

apt-get install gnupg-agent pinentry-qt kgpg gnupg2

pinentry is a program to securely accept your passphrase. The QT version pinentry-qt is suitable for KDE users.

To start the GPG agent, run eval `gpg-agent --daemon --write-env-file` (Keep this in /.bashrc or /.xsession).

This writes a file /.gpg-agent-info and prevents additional gpg-agents starting (I think?). The environment variable GPG_AGENT_INFO get its value from here and this is where KMail figures which gpg-agent to talk with.

You configure the agent in /.gnupg/gpg-agent.conf. A sample:

default-cache-ttl 3600
pinentry-program /usr/bin/pinentry-qt

Configure /.gnupg/gpg.conf to use the gpg-agent you've just got going. Uncomment the option use-agent

If the file does not exist you can use Kgpg to create the file for you. However the file it only include one keyserver. You can add the others to this file.

Configure /.bashrc to include

GPG_TTY=`tty` and export GPG_TTY

Find other pages like me in CategoryNotes