I am using gpg-agent 2.0.17 with gpg 1.4.11 on Ubuntu 12.04 and the Enigmail add-on for Thunderbird. When opening an encrypted email, Enigmail invokes gpg-agent with the associated pinentry program and asks for the password. I then have the option to set the lifetime for the cached password, which I usually set to the end of the session.

Since I rarely shut down or log out of my session, I would like to force gpg-agent to forget all cached passwords upon locking the session. I've searched for a way to do so, and the man page of gpg-agent states that a SIGHUP will flush all passwords; however, contrary to the man page, the cached passwords are not forgotten.

Any ideas on how to force gpg-agent to forget the passwords?

1

6 Answers

TTL for cache passwords is controlled by gpg-agent's options:

--default-cache-ttl n Set the time a cache entry is valid to n seconds. The default is 600 seconds.
--max-cache-ttl n Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently. The default is 2 hours (7200 seconds).

As for a way to control this on demand: if you are able to trigger a command upon locking your screen, using keychain to handle gpg-agent could be used to execute

keychain --clear --agents gpg

which would kill all managed instances of gpg-agent. But then, you should have a way to execute keychain --agents gpg --eval $gpg upon unlocking your screen. Maybe too much hassle.

2

gpgconf --reload gpg-agent is one way to force the agent to forget passwords it has cached in memory. Currently (gpg 2.0-2.1) this is [almost] equivalent to pkill -HUP gpg-agent. I say "almost equivalent" since you could, in theory, have more than one agent running and the pkill will try to deliver SIGHUP to all of them.

7

I use a simple:

echo RELOADAGENT | gpg-connect-agent

Works like a charm.

--

Edited: tested with Debian 10, gpg 2.2.12, libgcrypt 1.8.4

3

None of the other answers would work for me on GnuPG 2.2.19 (Solus 4.1, Nitrokey Smart, gnuk token for storage). I had made sure only one gpg-agent is running, and when appropriate it would respond with OK.
What I ended up doing is:

killall gpg-agent

You should always test whether the above has really made the passwords forgotten, by decrypting some encrypted file (gpg -d < somefile.gpg).

This is what worked for me in clearing a single password (i.e. passphrase), run from the terminal; if you want to clear them all, then the above works:

gpg-connect-agent "clear_passphrase --mode=normal <cacheid>" /bye

where <cacheid> is most likely the keygrip, available if you execute gpg --list-keys --with-keygrip:

<path to pubring.kbx>
------------------------------------------------
pub   rsa2048 2017-12-11 [SC] [expires: 2019-12-11]
      <keyid>
      Keygrip = <keygrip>
uid   <email>

With a bit of help from

1

gpg-connect-agent reloadagent /bye

1
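Added example, not taken from any of the answers above and not GnuPG's own code: a small POSIX shell script that ties the answers together for the situation in the question. It uses RELOADAGENT to flush the whole cache (the gpgconf, RELOADAGENT and reloadagent answers), clear_passphrase with a keygrip for a single key (the answer above), a count of cached entries taken from the agent's `keyinfo --list` output instead of test-decrypting a file (the Solus answer), and a D-Bus watcher that triggers the flush when the screen locks (what the question asks for). It assumes GnuPG 2.1 or later, where KEYINFO lines carry a "cached" column and the cache id of a key's passphrase is its keygrip, and a desktop whose screensaver emits ActiveChanged on org.freedesktop.ScreenSaver or org.gnome.ScreenSaver; the sample `keyinfo --list` output and its keygrips are constructed.

```shell
#!/bin/sh
# Added example: flush gpg-agent's passphrase cache on screen lock and verify it
# is really empty. Not from the answers above or from GnuPG itself.
# Assumptions: GnuPG >= 2.1 (KEYINFO has a "cached" field; cache id == keygrip),
# a screensaver emitting ActiveChanged on org.freedesktop.ScreenSaver or
# org.gnome.ScreenSaver on the session bus.

# Parse `gpg-connect-agent 'keyinfo --list' /bye` output on stdin and print how
# many keys still have a cached passphrase. Each key line has the form
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> <fpr> <ttl> <flags>
# so the cached flag is the 7th field: "1" when cached, "-" when not.
count_cached() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { n++ } END { print n + 0 }'
}

# Number of cached passphrases held by the agent gpg actually talks to.
cached_count() {
    gpg-connect-agent 'keyinfo --list' /bye | count_cached
}

# Drop every cached passphrase (what RELOADAGENT / SIGHUP is documented to do),
# then check, since an agent that quietly keeps its cache is the whole problem.
flush_all() {
    gpg-connect-agent reloadagent /bye >/dev/null
    left=$(cached_count || echo unknown)
    if [ "$left" != "0" ]; then
        echo "gpg-agent still reports $left cached passphrase(s) after RELOADAGENT" >&2
        return 1
    fi
}

# Drop the cached passphrase of one key, addressed by its keygrip
# (shown by: gpg --list-secret-keys --with-keygrip).
forget_key() {
    gpg-connect-agent "clear_passphrase --mode=normal $1" /bye >/dev/null
}

# Block on the session bus; each time a screensaver signals ActiveChanged with
# a true argument (screen locked), flush the cache. Start once per login session.
watch_lock() {
    dbus-monitor --session \
        "type='signal',interface='org.freedesktop.ScreenSaver',member='ActiveChanged'" \
        "type='signal',interface='org.gnome.ScreenSaver',member='ActiveChanged'" |
    while IFS= read -r line; do
        case $line in
            *"boolean true"*) flush_all || : ;;
        esac
    done
}

# Constructed sample (made-up keygrips and card serial) so count_cached can be
# exercised without a running agent: one cached software key, one not cached,
# one cached smartcard key.
SAMPLE_KEYINFO='S KEYINFO 0123456789ABCDEF0123456789ABCDEF01234567 D - - 1 P - - -
S KEYINFO FEDCBA9876543210FEDCBA9876543210FEDCBA98 D - - - P - - -
S KEYINFO 00112233445566778899AABBCCDDEEFF00112233 T D2760001240102000006000000010000 OPENPGP.1 1 - - - -
OK'

case "${1:-}" in
    --watch)  watch_lock ;;
    --flush)  flush_all ;;
    --forget) forget_key "$2" ;;
    *) printf '%s\n' "$SAMPLE_KEYINFO" | count_cached ;;   # prints 2 for the sample
esac
```

Run it with `--watch` from your session autostart to get the behaviour the question asks for, `--flush` to clear and verify by hand, and `--forget <keygrip>` for a single key. If `--flush` reports a nonzero count, gpg-connect-agent reached an agent that did not reload, which is the multiple-agents situation the `pkill -HUP` answer warns about and worth checking before blaming the RELOADAGENT command itself.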
