Using gnupg-agent to securely retain keys
Posted by JoshTriplett on Wed 25 Oct 2006 at 10:15
gpg, the GNU Privacy Guard, provides a means for secure encryption and signing of all kinds of data, such as email, software distributions, or Debian packages. gnupg-agent safely stores your passphrase for use by gpg, giving you the convenience of not entering a passphrase frequently without the insecurity of a passphraseless key.
When using gpg, you have a public key distributable to anyone, and a private key that you must keep secret and secure. To help protect your private key, gpg lets you set a passphrase, which gpg uses to encrypt the key. Every time you work with gpg, it decrypts your private key with your passphrase, and keeps it in memory only as long as necessary to perform the requested operations. However, if you encrypt or sign data often, you may find it a hassle to keep entering your passphrase, and may become tempted to make the passphrase less secure or even remove it entirely, making your key vulnerable to anyone who manages to get access to your files. Rather than succumbing to this temptation, use gnupg-agent to securely and conveniently store your passphrase.
The gnupg-agent package provides a daemon gpg-agent, designed to run as part of your login session. To make initial setup trivial, the gnupg-agent package includes an X11 startup script /etc/X11/Xsession.d/90gpg-agent, which automatically starts gpg-agent as part of any X session, and sets the appropriate environment variables so gpg knows about the running gpg-agent. If you don't use X, and want gpg-agent available in a console session, just eval $(gpg-agent --daemon) in your shell startup script (gpg-agent with no options only checks whether a usable agent is already running; --daemon actually starts one and prints the environment settings for eval). To configure gpg to make use of gpg-agent when available, edit ~/.gnupg/gpg.conf, and add a line use-agent. (GnuPG 2.1 and later start gpg-agent on demand and ignore use-agent, so this step only matters on older versions.) Then, restart your session, and you should have gpg-agent running and the environment variable
gpg will now automatically use the passphrase from gpg-agent if available and not timed out. However, you still need a way to enter the passphrase when gpg-agent does not already have it. To make this easier, install one of the pinentry programs, such as pinentry-gtk2 or pinentry-qt (or pinentry-curses for console sessions), and gpg-agent will automatically use it to prompt for your passphrase when needed.
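The setup steps above collected into a script, as an added example that is not part of the original article. It assumes the GnuPG 1.4/2.0-era behaviour described here (use-agent in gpg.conf, gpg-agent --daemon printing environment settings for eval, plain gpg-agent exiting non-zero when no agent is usable); the function names, the cache-expiry values written to gpg-agent.conf and the optional pinentry path are this example's own choices, not anything the article prescribes.

```sh
#!/bin/sh
# Added example (not from the original article): idempotent setup of gpg,
# gpg-agent and the shell startup file for a GnuPG 1.4/2.0-style agent.
# Function names and the cache limits below are this example's own choices.

# Append a line to a file only if that exact line is not already there,
# so running the setup twice does not duplicate entries.
ensure_line() {
    file=$1
    line=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -Fxq -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Configure gpg, gpg-agent and the shell startup file under the home
# directory given as $1 (default: $HOME). $2 optionally names the
# pinentry program to use, e.g. /usr/bin/pinentry-gtk-2 (an assumed path).
setup_gpg_agent() {
    home=${1:-$HOME}
    pinentry=${2:-}
    gnupg="$home/.gnupg"

    # Tell gpg to ask the agent for the passphrase (ignored by GnuPG >= 2.1,
    # which always uses the agent).
    ensure_line "$gnupg/gpg.conf" "use-agent"

    # gpg-agent cache limits in seconds: a cached passphrase expires after
    # 10 minutes without use and after 2 hours regardless of use.
    ensure_line "$gnupg/gpg-agent.conf" "default-cache-ttl 600"
    ensure_line "$gnupg/gpg-agent.conf" "max-cache-ttl 7200"
    if [ -n "$pinentry" ]; then
        ensure_line "$gnupg/gpg-agent.conf" "pinentry-program $pinentry"
    fi

    # Console sessions: start an agent only if none is reachable yet.
    # Plain 'gpg-agent' exits non-zero when no usable agent is running;
    # '--daemon' starts one and prints the environment settings for eval.
    ensure_line "$home/.bashrc" \
        'gpg-agent >/dev/null 2>&1 || eval "$(gpg-agent --daemon)"'

    # gpg warns about an unsafe homedir if others can read it.
    chmod 700 "$gnupg"
}

# Modify the real home directory only when asked for explicitly.
if [ "${1:-}" = "--apply" ]; then
    setup_gpg_agent "$HOME" "${2:-}"
fi
```

Run it as `sh setup.sh --apply /usr/bin/pinentry-gtk-2` (or any pinentry path installed on the system) and then log in again; without `--apply` the script only defines the functions, so it can be sourced and exercised against a scratch directory first.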
Most programs that invoke gpg to perform encryption or signing operations should continue to work with gpg-agent. You can ignore or turn off any passphrase-caching mechanisms in the programs themselves, in favor of gpg-agent. In some cases, however, you may need to explicitly tell the program to work with gpg-agent. For example, with the Enigmail extension to Thunderbird^WIcedove (highly recommended), you need to open OpenPGP->Preferences, go to the Advanced tab, and check "Use gpg-agent for passphrase handling".
Note that neither passphrases nor gpg-agent make your private key secure to leave on a box where other people have root access (root can read the agent's memory and your keyring alike), nor do they mean that you can assume your private key remains safe after a break-in. You should still treat any unauthorized access to your private key as a key compromise, and revoke the key. The use of a passphrase just makes it far less likely that anyone will manage to exploit your private key before you revoke it, or before people obtain your revocation certificate.