Gnu Privacy Guard Agent (GPG)

Posted by chris on Tue 28 Mar 2006 at 08:00

After going through the article on Gnu Privacy Guard (GPG) you've got gpg up and running. But - every time you need to encrypt, decrypt or sign, you need to enter your passphrase.

Wouldn't it be nice to have something similar to how ssh-agent handles ssh passphrases for you?

Well - you have - introducing gpg-agent!

gpg-agent is an application that can run as a daemon and remember your passphrase for you.

The best way to use it is to configure it to start at X login so that it is valid for any X apps/terminals on your desktop.

Configuration is straightforward once it has been installed:

apt-get install gnupg-agent pinentry-gtk

First - we need to tell gpg to use it.

Edit the GPG configuration file ~/.gnupg/gpg.conf to either uncomment or add the line:

use-agent

Now - create a new file ~/.gnupg/gpg-agent.conf

Mine looks like:

pinentry-program /usr/bin/pinentry-x11
no-grab
default-cache-ttl 1800

Here the pinentry-program specifies which program should be invoked to receive your passphrase the first time. There are several packages and programs available, which you can see by running:

skx@itchy:~$ apt-cache search ^pinentry
pinentry-curses - curses-based PIN or pass-phrase entry dialog for GnuPG
pinentry-doc - documentation for pinentry packages
pinentry-gtk - GTK+-based PIN or pass-phrase entry dialog for GnuPG
pinentry-gtk2 - GTK+-2-based PIN or pass-phrase entry dialog for GnuPG
pinentry-qt - Qt-based PIN or pass-phrase entry dialog for GnuPG

Here we've installed the gtk variant; the curses version will work nicely for console access.

You can set your preferred ones using Debian's alternatives mechanism - but - I always use this under X - so I just linked directly to the x11 binary.

Now - we can test it - open a terminal - and then run:

eval "$(gpg-agent --daemon)"

This will set some environment variables. You can now try any gpg command that requires a passphrase - and gpg-agent will handle the passphrase request.

If things work, the first time you run a command which would prompt for your GPG passphrase the pinentry variant we chose will be invoked to receive it; subsequent requests will proceed using the copy cached in memory.

Finally - to have this start when you log in to X - add this line to ~/.xsession:

eval "$(gpg-agent --daemon)"

KDE/Gnome users - you'll need to add this somewhere - rumours have reached me that you can try editing startkde or startgnome - but I don't really know. Hopefully some kind soul will add a comment to this article with the required info :)

Restart X and all should now be working.

If you use enigmail for thunderbird - don't forget to go into the preferences and enable "Use gpg-agent" :)
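The set-up steps above (use-agent in gpg.conf, a gpg-agent.conf, then starting the agent once per session) collected into one idempotent script. This is an added example, not from the article; it assumes the article's pinentry path and TTL as defaults and a GnuPG 1.x/2.0-era agent that exports GPG_AGENT_INFO. The configure_gpg_agent, start_gpg_agent and check_gpg_agent_config function names are mine.

```shell
#!/bin/sh
# Added example: apply the article's gpg-agent configuration against
# $GNUPGHOME (default ~/.gnupg) so that re-running it never duplicates lines.
set -eu

configure_gpg_agent() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    pinentry="${1:-/usr/bin/pinentry-x11}"   # article's choice; override via $1
    ttl="${2:-1800}"                         # seconds the passphrase stays cached

    # Private keys and the cached passphrase live here: owner-only access.
    mkdir -p "$home"
    chmod 700 "$home"

    # Step 1: add use-agent only if an active (uncommented) line is absent.
    touch "$home/gpg.conf"
    if ! grep -qs '^use-agent' "$home/gpg.conf"; then
        printf 'use-agent\n' >> "$home/gpg.conf"
    fi

    # Step 2: write gpg-agent.conf from scratch with the three article options.
    printf 'pinentry-program %s\nno-grab\ndefault-cache-ttl %s\n' \
        "$pinentry" "$ttl" > "$home/gpg-agent.conf"
    chmod 600 "$home/gpg.conf" "$home/gpg-agent.conf"
}

# Step 3: start one agent per session. GPG_AGENT_INFO is what
# eval "$(gpg-agent --daemon)" exports, so a non-empty value means one runs.
start_gpg_agent() {
    if [ -n "${GPG_AGENT_INFO:-}" ]; then
        return 0
    fi
    if command -v gpg-agent >/dev/null 2>&1; then
        eval "$(gpg-agent --daemon)"
    fi
}

# Returns 0 only when both files carry the lines the article requires.
check_gpg_agent_config() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    grep -qs '^use-agent$' "$home/gpg.conf" &&
        grep -qs '^pinentry-program ' "$home/gpg-agent.conf" &&
        grep -qs '^default-cache-ttl [0-9][0-9]*$' "$home/gpg-agent.conf"
}
```

GnuPG 2.1 and later start gpg-agent on demand and no longer use GPG_AGENT_INFO, so on those versions only the two configuration files matter and step 3 is a no-op.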



Posted by Anonymous (86.53.xx.xx) on Tue 28 Mar 2006 at 09:14
Good tip... gpg-agent is like ssh-agent.... it makes the whole thing a lot easier to use on a day-to-day basis.

You can use keychain to manage both gpg and ssh passwords/passphrases (it's just a set of scripts that manage ssh-agent and gpg-agent nicely).

Under KDE, I just have:

$HOME/.kde/env/keychain:

keychain ~/.ssh/id_dsa
. ~/.keychain/${HOSTNAME}-sh
. ~/.keychain/${HOSTNAME}-sh-gpg


(as of KDE 3.3-ish, you can put shell scripts in $HOME/.kde/env to have environment variables sourced for your entire KDE session, better than mucking with your .xsession)


With keychain picking up your passphrases as you need them, you can add the following to your .bash_profile to make sure that any console sessions also pick it up:

. ~/.keychain/${HOSTNAME}-sh
. ~/.keychain/${HOSTNAME}-sh-gpg



Posted by Anonymous (81.225.xx.xx) on Tue 28 Mar 2006 at 10:34
Keychain is also great when you have cronjobs and such that need to use your keys. You can just have your scripts or whatever source the .keychain files.


Posted by Anonymous (193.171.xx.xx) on Tue 28 Mar 2006 at 11:12
IMO you shouldn't have to mess around with your ~/.xsession.

In debian, the package gnupg-agent contains the file /etc/X11/Xsession.d/90gpg-agent. To quote this file:

...

if grep -qs '^use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options"
...


So I guess as soon as you add the use-agent option to your gnupg config, the gpg-agent should start when starting X. (At least it works for me ;-)

Cheers,
Johannes


Posted by chris (217.8.xx.xx) on Tue 28 Mar 2006 at 12:10
That is really interesting. I will look at this. If this is the case then absolutely - we should not be changing .xsession :)


Posted by jwm (203.79.xx.xx) on Tue 28 Mar 2006 at 11:35
There doesn't seem to be a lot of documentation for gpg-agent around—what does the "no-grab" option do?


Posted by chris (217.8.xx.xx) on Tue 28 Mar 2006 at 12:21

Very good question.

The reason I wrote this article is that I really struggled to find out how to get it working. So - I thought I'd share it.

I added the no-grab option because it was in every example I found online.

Googling for gpg-agent no-grab gives pages and pages of results where people just use it.

So - I've just downloaded (apt-get source gnupg-agent) the source package where you will find:

{ oNoGrab, "no-grab"     ,0, N_("do not grab keyboard and mouse")},

Without getting deep into the code I'm still not really any clearer - I'm guessing that it must be telling the agent not to read keyboard and mouse events (after all - we're using pinentry to handle entry of the passphrase)


Posted by Steve (212.20.xx.xx) on Tue 28 Mar 2006 at 14:41

Reading the output of "gpg-agent --help" gives a small clue:

     --no-detach  do not detach from the console
     --no-grab    do not grab keyboard and mouse

What that actually means is a little bit uncertain, as you're correct in saying the documentation is .. minimal.

Steve


Posted by Anonymous (158.125.xx.xx) on Fri 31 Mar 2006 at 18:00
Great article(s)! I've been looking for an easy intro to GPG for over a year :-).


Wrt the question above; if it's anything like the ssh-askpass programs, they will grab the keyboard and mouse when asking for your password. The result of this is that any other program will not see that keyboard/mouse input whilst they're waiting for your passphrase.


The good side is that you don't type your passphrase (or bits of it) into an IM window that just popped up (though it won't if you're using a recent metacity version, this is just an example :-)) or into any other window that might exist.


The down side is that the system doesn't behave consistently; you can't do pretty much //anything// until you've entered the passphrase. If you mistype it, you get asked again, blocking you from using any other programs 'til you've entered the correct one.


I'm pretty sure that's it, it seems a common option amongst passphrase entry programs.


I will try this ASAP and am wondering if there is a GNOME frontend to keychain (or if GNOME keyring manager can be used to look after SSH and GPG keys -- the documentation for gnome-gpg is unhelpful and very sparse but it looks like it could do the job).


best regards,



Matthew

http://www.agrip.org.uk/


Posted by mvanbaak (80.126.xx.xx) on Tue 28 Mar 2006 at 20:37
Finally I got it working thanks to your article.
Good work!


Posted by Anonymous (70.49.xx.xx) on Wed 29 Mar 2006 at 22:39
This is really interesting. However does anyone know of a PAM module for authenticating to gpg, and spawning the gpg-agent similar to libpam-ssh?

To give some background info on libpam-ssh: it's a PAM module that allows one to use the ssh-passphrase to allow user-authentication. I have modified my pam settings for GDM to use the libpam-ssh module. This means that before asking for my login password, gdm asks me for the ssh passphrase. If the passphrase is correct, it automatically spawns ssh-agent and sets the appropriate environment variables in the new login.

Having something similar to this for gpg-agent would be really useful.

Secondly, why should we have two agents running: gpg-agent and ssh-agent? Is it possible to encrypt the ssh private key using the gpg (via gpg-agent)?

- my.email.is.ali.at.binish.com
