Using gnupg-agent to securely retain keys

Posted by JoshTriplett on Wed 25 Oct 2006 at 10:15

gpg, the GNU Privacy Guard, provides a means for secure encryption and signing of all kinds of data, such as email, software distributions, or Debian packages. gnupg-agent safely stores your passphrase for use by gpg, giving you the convenience of not entering a passphrase frequently without the insecurity of a passphraseless key.

When using gpg, you have a public key distributable to anyone, and a private key that you must keep secret and secure. To help protect your private key, gpg lets you set a passphrase, which gpg uses to encrypt the key. Every time you work with gpg, it decrypts your private key with your passphrase, and keeps it in memory only as long as necessary to perform the requested operations. However, if you encrypt or sign data often, you may find it a hassle to keep entering your passphrase, and may become tempted to make the passphrase less secure or even remove it entirely, making your key vulnerable to anyone who manages to get access to your files. Rather than succumbing to this temptation, use gnupg-agent to securely and conveniently store your passphrase.

The gnupg-agent package provides a daemon gpg-agent, designed to run as part of your login session. To make initial setup trivial, the gnupg-agent package includes an X11 startup script /etc/X11/Xsession.d/90gpg-agent, which automatically starts gpg-agent as part of any X session, and sets the appropriate environment variables so gpg knows about the running gpg-agent. If you don't use X, and want gpg-agent available in a console session, just eval $(gpg-agent) in your shell startup script. To configure gpg to make use of gpg-agent when available, edit ~/.gnupg/gpg.conf, and add a line use-agent. Then, restart your session, and you should have gpg-agent running and the environment variable $GPG_AGENT_INFO set.

gpg will now automatically use the passphrase from gpg-agent if available and not timed out. However, you still need a way to enter the passphrase when gpg-agent does not already have it. To make this easier, install one of the pinentry programs, such as pinentry-gtk2 or pinentry-qt, and gpg will automatically use it to prompt for your passphrase when needed.
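The console-session setup described above, as a shell startup fragment (an added example, not code from the original article): it reuses an agent recorded in an env file when one is still alive, starts one otherwise, and checks the exit status of that start. It assumes a 2.0-era gpg-agent that understands `--daemon` and `--write-env-file`, and the `GPG_AGENT_INFO` format `socket:pid:protocol`; the env-file path is an assumption.

```shell
#!/bin/sh
# Added example for console sessions. Assumes gpg-agent supports --daemon and
# --write-env-file, and that GPG_AGENT_INFO looks like "socket:pid:protocol".
GPG_ENV_FILE="$HOME/.gnupg/gpg-agent-info-$(uname -n)"   # assumed path

# Split a GPG_AGENT_INFO value into AGENT_SOCK / AGENT_PID; fail on anything malformed.
parse_agent_info() {
    info="$1"
    AGENT_SOCK="${info%%:*}"
    rest="${info#*:}"
    AGENT_PID="${rest%%:*}"
    [ "$rest" != "$info" ] && [ -n "$AGENT_SOCK" ] && [ -n "$AGENT_PID" ] || return 1
    case "$AGENT_PID" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# kill -0 only probes whether the process exists; it delivers no signal.
agent_pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# An agent is reusable when its record is well-formed, its socket exists and its pid is alive.
agent_reusable() {
    parse_agent_info "$1" || return 1
    [ -S "$AGENT_SOCK" ] && agent_pid_alive "$AGENT_PID"
}

# Call this from ~/.bashrc (or the system-wide startup file). A stale record is
# ignored rather than trusted, and a failed start is reported instead of silently
# leaving gpg without an agent.
start_or_reuse_gpg_agent() {
    if [ -r "$GPG_ENV_FILE" ]; then
        . "$GPG_ENV_FILE"    # file contains: GPG_AGENT_INFO=...; export GPG_AGENT_INFO
    fi
    if ! agent_reusable "${GPG_AGENT_INFO:-}"; then
        agent_env=$(gpg-agent --daemon --write-env-file "$GPG_ENV_FILE") || {
            echo "gpg-agent failed to start (exit $?)" >&2
            return 1
        }
        eval "$agent_env"
    fi
    export GPG_AGENT_INFO
    # gpg needs to know the terminal for a curses pinentry and console mailers.
    GPG_TTY=$(tty) && export GPG_TTY
}
```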

Most programs that invoke gpg to perform encryption or signing operations should continue to work with gpg-agent. You can ignore or turn off any passphrase-caching mechanisms in the programs themselves, in favor of gpg-agent. In some cases, however, you may need to explicitly tell the program to work with gpg-agent. For example, with the Enigmail extension to Thunderbird^WIcedove (highly recommended), you need to open OpenPGP->Preferences, go to the Advanced tab, and check "Use gpg-agent for passphrase handling".

Note that neither passphrases nor gpg-agent make your private key secure to leave on a box where other people have root access, nor do they mean that you can assume your private key remains safe after a break-in. You should still treat any access to your private key as a key compromise, and revoke the private key. The use of a passphrase just makes it far less likely that anyone will manage to exploit your private key before you revoke it, or before people obtain your revocation certificate.

Posted by Anonymous (131.188.xx.xx) on Wed 25 Oct 2006 at 11:02
Seahorse is btw a nice alternative to gnupg-agent. It provides both ssh-agent and gpg-agent facilities.


Posted by Anonymous (203.28.xx.xx) on Thu 26 Oct 2006 at 09:45
Yes, Seahorse is teh sh1t. Using crypto is now painless thanks to it.


Posted by Anonymous (37.15.xx.xx) on Tue 13 Nov 2012 at 12:02
painless crypto sounds like a f*cking oxymoron, doesn't it?


Posted by dkg (216.254.xx.xx) on Fri 27 Oct 2006 at 19:42
Thanks for pointing out seahorse. I hadn't noticed it before, but I'll look into it. Do you know if it handles keys stored on smartcards as well?


Posted by Anonymous (134.96.xx.xx) on Thu 26 Oct 2006 at 10:21
Thanks for the article.


Posted by Anonymous (163.1.xx.xx) on Mon 30 Oct 2006 at 15:50
For info, I found that I needed to add the following to ~/.bashrc for it to work with Mutt:

export GPG_TTY=`tty`


Posted by Anonymous (192.30.xx.xx) on Wed 27 Aug 2008 at 18:39

If you are setting up to start gpg-agent for bash sessions, you want to add this to your startup script, adjusting paths as needed. You need the '--daemon' flag. The rest of the junk just makes it check for the file's executable permission first. It's not needed to do that, but it's a good practice. On my system, Ubuntu, the best place for me to stick this was in /etc/bash.bashrc.

if [ -x /usr/bin/gpg-agent ]; then
        # --daemon prints the GPG_AGENT_INFO assignment; eval it so this shell picks it up
        eval "$(/usr/bin/gpg-agent --daemon)"
fi


Posted by Anonymous (109.145.xx.xx) on Fri 5 Sep 2014 at 21:06
Which stupid web page did you read that said it's good practise to check for the executable permission; did it say why? Much better to check the exit status of the command - now _that's_ good practise.
