force gpg-agent to forget password

Question

I am using gpg-agent 2.0.17 with gpg 1.4.11 on ubuntu 12.04 and the Enigmail Addon for Thunderbird. When opening an encrypted email, Enigmail invokes gpg-agent with the associated pinentry program and asks for the password. I then have the option to set the lifetime for the cached password, usually set to end of the session.

Since I rarely shutdown or logout of my session, I would like to force gpg-agent to forget all cached passwords upon locking the session. I've searched for a way to do so and the man-page of gpg-agent states, that a -SIGHUP will flush all passwords - however, contrary to the manpage, the cached passwords are not forgotten.

Any ideas on how to force gpg-agent to forget the passwords?

score 31 · Answer 1 · answered Mar 10 '15 at 21:40

gpgconf --reload gpg-agent is one way to force the agent to forget passwords it has cached in memory. Currently (gpg 2.0-2.1) this is [almost] equivalent to pkill -HUP gpg-agent. I say "almost equivalent" since you could, in theory, have more than one agent running and the pkill will try to deliver SIGHUP to all of them.

DrBeco · Answer 2 · 2020-03-25T18:49:26.717

16

I use a simple:

echo RELOADAGENT | gpg-connect-agent

Work as a charm.

--

Edited: tested with Debian 10, gpg 2.2.12, libgcrypt 1.8.4

edited Mar 25 '20 at 18:49

answered Nov 19 '17 at 19:56

DrBeco

2,125

score 9 · Accepted Answer · edited Jan 05 '18 at 20:16

TTL for cache passwords is controlled by gpg-agent's options:

--default-cache-ttl n
  Set the time a cache entry is valid to n seconds.  The default is 600 seconds.

--max-cache-ttl n
  Set  the  maximum time a cache entry is valid to n seconds.  After
  this time a cache entry will be expired even if it has been accessed
  recently.  The default is 2 hours (7200 seconds).

As per a way to control this on-demand, if you are able to trigger a command upon locking your screen, using keychain to handle gpg-agent could be used to execute

keychain --clear --agents gpg

which would kill all managed instances of gpg-agent. But then, you should have a way to execute keychain --agents gpg --eval $gpg upon unlocking your screen. Maybe too much hassle.

score 2 · Answer 4 · answered Mar 14 '20 at 08:18

None of the other answers would work for me on GnuPG 2.2.19 (Solus 4.1, Nitrokey Smart, gnuk token for storage). I had made sure only one gpg-agent is running, and when appropriate it would respond with OK.
What I ended up doing is:

killall gpg-agent

You should always test, if the above really has made the passwords forgotten by decrypting some encrypted file (gpg -d < somefile.gpg)

Ben Creasy · Answer 5 · 2018-05-28T21:03:25.960

This is what worked for me in clearing a single password (i.e. passphrase) - run from the terminal - if you want to clear them all then https://superuser.com/a/1269901/457084 works:

gpg-connect-agent "clear_passphrase --mode=normal <cacheid>" /bye

where <cacheid> is most likely the keygrip available if you execute: gpg --list-keys --with-keygrip:

<path to pubring.kbx>
------------------------------------------------
pub   rsa2048 2017-12-11 [SC] [expires: 2019-12-11]
    <keyid>
    Keygrip = <keygrip>
uid          `<email>

With a bit of help from https://web.archive.org/web/20180528210236/https://demu.red/blog/2016/06/how-to-check-if-your-gpg-key-is-in-cache/

score 0 · Answer 6 · answered Dec 03 '19 at 00:45

0

gpg-connect-agent reloadagent /bye

answered Dec 03 '19 at 00:45

wisbucky

3,346

score 0 · Answer 7 · answered Feb 22 '24 at 10:26

0

To use this in a bashrc function, I want to have output suppressed and not leave open shells, so with thanks to @wisbucky and @DrBeco :

gpg-connect-agent reloadagent /bye >/dev/null

Works on Fedora 39

answered Feb 22 '24 at 10:26

TheDronist

1

force gpg-agent to forget password

7 Answers7