Posted by chris on Tue 28 Mar 2006 at 08:00
After working through the article on the GNU Privacy Guard (GPG) you have gpg up and running, but every time you encrypt, decrypt or sign you have to type your passphrase again.
Wouldn't it be nice to have something similar to how ssh-agent handles ssh passphrases for you?
Well - you have - introducing gpg-agent!
gpg-agent is a daemon that holds your passphrase in memory for a configurable time; once it is running, gpg asks the agent for the passphrase instead of prompting you.
The best way to use it is to start it once at X login, so that a single agent (and a single cache) serves every X application and terminal on your desktop.
Configuration is straightforward once it has been installed:
apt-get install gnupg-agent pinentry-gtk
First - we need to tell gpg to use it
Edit the GPG configuration file ~/.gnupg/gpg.conf and uncomment or add the line:
use-agent
Now - create a new file ~/.gnupg/gpg-agent.conf
Mine looks like:
pinentry-program /usr/bin/pinentry-x11
no-grab
default-cache-ttl 1800
Here pinentry-program names the program gpg-agent invokes to ask for your passphrase the first time it is needed. default-cache-ttl is how long, in seconds, a cached passphrase stays valid (1800 is 30 minutes; the built-in default is 600, and the timer is reset each time the passphrase is used; max-cache-ttl, default 7200 seconds, is a hard upper bound regardless of use). no-grab tells pinentry not to grab the keyboard and mouse while you type: that grab exists to stop other X clients from sniffing the passphrase, so leave it enabled unless it genuinely misbehaves with your window manager. There are several pinentry packages and programs available, which you can see by running:
skx@itchy:~$ apt-cache search ^pinentry
pinentry-curses - curses-based PIN or pass-phrase entry dialog for GnuPG
pinentry-doc - documentation for pinentry packages
pinentry-gtk - GTK+-based PIN or pass-phrase entry dialog for GnuPG
pinentry-gtk2 - GTK+-2-based PIN or pass-phrase entry dialog for GnuPG
pinentry-qt - Qt-based PIN or pass-phrase entry dialog for GnuPG
Here we've installed the GTK variant; the curses version works nicely for console access, where no X display is available.
You can set your preferred one using Debian's alternatives mechanism, but I always use this under X, so I just linked directly to the x11 binary.
Now we can test it: open a terminal and run:
eval "$(gpg-agent --daemon)"
This starts the agent in the background and prints the shell commands that set the environment variable (GPG_AGENT_INFO) gpg uses to find its socket; the eval applies them to the current shell. You can now run any gpg command that needs a passphrase, and gpg will hand the request to the agent.
If everything works, the first command that needs your passphrase pops up the pinentry program you chose; subsequent requests within the cache TTL are answered from the copy the agent holds in memory, without a prompt. Note that running this eval in every terminal starts a separate agent each time, each with its own cache, which is why the next step starts one agent for the whole X session instead.
Finally, to start the agent when you log in to X, add this line to ~/.xsession:
eval "$(gpg-agent --daemon)"
KDE/GNOME users: you'll need to add this somewhere. Rumours have reached me that you can try editing startkde or startgnome, but I don't really know. Hopefully some kind soul will add a comment to this article with the required info :)
Restart X and everything should now be working.
If you use Enigmail with Thunderbird, don't forget to go into its preferences and tick "Use gpg-agent" :)
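As an added example (not from the original article), here is a small POSIX sh helper that does what the steps above do by hand and adds the checks a practitioner wants: it makes sure gpg.conf says use-agent, audits gpg-agent.conf (pinentry binary present, default-cache-ttl numeric, no-grab reported because the grab is the defence against X sniffing), and starts one gpg-agent per login that later shells reuse instead of each spawning its own. It assumes the GnuPG 1.9/2.0-era agent the article describes, whose `gpg-agent --daemon` prints a `GPG_AGENT_INFO=...; export GPG_AGENT_INFO;` line; the file ~/.gpg-agent-info and all function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original article: one gpg-agent per login
# session, reused by every later shell, with the configuration checked first.
# Assumes the GnuPG 1.9/2.0-era gpg-agent the article describes, whose
#   gpg-agent --daemon
# prints "GPG_AGENT_INFO=<socket>:<pid>:1; export GPG_AGENT_INFO;" on stdout.
# ~/.gpg-agent-info and every function name here are this script's choices.

GPGDIR="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_ENV="$HOME/.gpg-agent-info"

# gpg only talks to the agent if gpg.conf contains use-agent.  Idempotent.
ensure_use_agent() {
    conf=$1
    grep -qx 'use-agent' "$conf" 2>/dev/null || echo 'use-agent' >> "$conf"
}

# Audit gpg-agent.conf.  Prints one line per finding and returns the count:
#  - pinentry-program must point at an executable, or no passphrase can be
#    collected at all;
#  - default-cache-ttl is a number of seconds (built-in default 600, timer
#    reset on every use; max-cache-ttl, default 7200, caps it regardless);
#  - no-grab disables pinentry's keyboard/mouse grab, the defence against
#    other X clients reading the passphrase, so it is reported.
audit_agent_conf() {
    conf=$1
    findings=0
    pe=$(sed -n 's/^pinentry-program[[:space:]]\{1,\}//p' "$conf")
    if [ -n "$pe" ] && [ ! -x "$pe" ]; then
        echo "pinentry-program '$pe' is not an executable"
        findings=$((findings + 1))
    fi
    ttl=$(sed -n 's/^default-cache-ttl[[:space:]]\{1,\}//p' "$conf")
    case $ttl in
        *[!0-9]*) echo "default-cache-ttl '$ttl' is not a number of seconds"
                  findings=$((findings + 1)) ;;
    esac
    if grep -qx 'no-grab' "$conf" 2>/dev/null; then
        echo "no-grab set: pinentry will not grab the keyboard (X sniffing risk)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Parse the line gpg-agent prints and output "socket pid"; return 1 otherwise.
parse_agent_info() {
    line=$1
    case $line in
        GPG_AGENT_INFO=*:*:*) ;;
        *) return 1 ;;
    esac
    v=${line#GPG_AGENT_INFO=}; v=${v%%;*}
    sock=${v%%:*}; v=${v#*:}; pid=${v%%:*}
    printf '%s %s\n' "$sock" "$pid"
}

# Trust a recorded agent only if its socket exists and its process is alive;
# a stale file from an earlier login would otherwise point gpg at nothing.
agent_alive() {
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# Reuse the live agent recorded in $AGENT_ENV, or start one and record it.
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ] && info=$(parse_agent_info "$(head -n 1 "$AGENT_ENV")") &&
       agent_alive "${info%% *}" "${info##* }"; then
        . "$AGENT_ENV"
        return 0
    fi
    gpg-agent --daemon > "$AGENT_ENV" || return 1
    chmod 600 "$AGENT_ENV"
    . "$AGENT_ENV"
}

# Confirm the agent answers before relying on it: /bye opens a connection and
# closes it again.
agent_responds() {
    gpg-connect-agent /bye >/dev/null 2>&1
}

# What ~/.xsession runs: source this file, then call xsession_main so the
# exported GPG_AGENT_INFO lands in the session environment.
xsession_main() {
    ensure_use_agent "$GPGDIR/gpg.conf"
    audit_agent_conf "$GPGDIR/gpg-agent.conf" >&2 || true   # warn, never block login
    start_or_reuse_agent && agent_responds ||
        echo "gpg-agent not reachable; passphrase caching will not work" >&2
}

# "sh gpg-agent-session.sh check" only audits the configuration.
if [ "${1:-}" = check ]; then
    audit_agent_conf "$GPGDIR/gpg-agent.conf" && echo 'gpg-agent.conf: no findings'
fi
```

In ~/.xsession, `. $HOME/bin/gpg-agent-session.sh && xsession_main` replaces the bare eval line: the agent is started once, its socket recorded, and a later shell that sources the same file and calls start_or_reuse_agent attaches to it rather than starting a second agent with an empty cache. The audit runs on every login so a typo in default-cache-ttl or a pinentry that is no longer installed shows up before the first prompt fails.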
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2006 chris - please ask for permission to republish or translate.