The Computer Oracle

force gpg-agent to forget password


Full question
https://superuser.com/questions/586969/f...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#linux #gnupg #enigmail



ANSWER 1

Score 27


gpgconf --reload gpg-agent is one way to force the agent to forget passwords it has cached in memory. Currently (gpg 2.0-2.1) this is [almost] equivalent to pkill -HUP gpg-agent. I say "almost equivalent" since you could, in theory, have more than one agent running and the pkill will try to deliver SIGHUP to all of them.




ANSWER 2

Score 15


I use a simple:

echo RELOADAGENT | gpg-connect-agent

Works like a charm.

--

Edited: tested with Debian 10, gpg 2.2.12, libgcrypt 1.8.4




ACCEPTED ANSWER

Score 8


TTL for cached passwords is controlled by gpg-agent's options:

--default-cache-ttl n
  Set the time a cache entry is valid to n seconds.  The default is 600 seconds.

--max-cache-ttl n
  Set  the  maximum time a cache entry is valid to n seconds.  After
  this time a cache entry will be expired even if it has been accessed
  recently.  The default is 2 hours (7200 seconds).

As for a way to control this on demand, if you are able to trigger a command upon locking your screen, keychain could be used to handle gpg-agent and execute

keychain --clear --agents gpg

which would kill all managed instances of gpg-agent. But then, you should have a way to execute keychain --agents gpg --eval $gpg upon unlocking your screen. Maybe too much hassle.




ANSWER 4

Score 2


None of the other answers would work for me on GnuPG 2.2.19 (Solus 4.1, Nitrokey Smart, gnuk token for storage). I had made sure only one gpg-agent is running, and when appropriate it would respond with OK.
What I ended up doing is:

killall gpg-agent

You should always test whether the above has really made the passwords forgotten, by decrypting some encrypted file (gpg -d < somefile.gpg).




ANSWER 5

Score 1


This is what worked for me in clearing a single password (i.e. passphrase) - run from the terminal - if you want to clear them all then https://superuser.com/a/1269901/457084 works:

gpg-connect-agent "clear_passphrase --mode=normal <cacheid>" /bye

where <cacheid> is most likely the keygrip available if you execute: gpg --list-keys --with-keygrip:

<path to pubring.kbx>
------------------------------------------------
pub   rsa2048 2017-12-11 [SC] [expires: 2019-12-11]
    <keyid>
    Keygrip = <keygrip>
uid          <email>

With a bit of help from https://web.archive.org/web/20180528210236/https://demu.red/blog/2016/06/how-to-check-if-your-gpg-key-is-in-cache/
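
Added example, not part of any answer above: a sketch that combines the per-key clear_passphrase call from Answer 5 with the "always test" advice from Answer 4, by reading the agent's `keyinfo --list` status lines before and after clearing. The function names and the sample keygrips are constructed for illustration; the status-line layout is assumed to be the one documented for gpg-agent's KEYINFO command.

```shell
#!/bin/sh
# Added example: find keygrips whose passphrase gpg-agent still caches,
# clear each one, then re-check that nothing is left in the cache.

# Constructed sample of `gpg-connect-agent 'keyinfo --list' /bye` output.
# Layout: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

# Read KEYINFO status lines on stdin; print keygrips whose <cached> field is 1.
cached_keygrips() {
    awk '$1 == "S" && $2 == "KEYINFO" && $7 == "1" { print $3 }'
}

# Query the running agent (requires gpg-connect-agent and a live gpg-agent).
agent_keyinfo() {
    gpg-connect-agent 'keyinfo --list' /bye
}

# Clear every cached passphrase individually, then verify.
# Returns 0 only if the agent reports no cached entries afterwards.
forget_cached() {
    for grip in $(agent_keyinfo | cached_keygrips); do
        gpg-connect-agent "clear_passphrase --mode=normal $grip" /bye >/dev/null
    done
    remaining=$(agent_keyinfo | cached_keygrips)
    if [ -n "$remaining" ]; then
        # Something survived: report it so a lock-screen hook can fall back
        # to a reload or to killing the agent.
        for grip in $remaining; do
            printf 'still cached: %s\n' "$grip" >&2
        done
        return 1
    fi
    return 0
}

# Only talk to the real agent when explicitly asked to.
if [ "${1:-}" = "--forget" ]; then
    forget_cached
fi
```

Run it as `sh script.sh --forget` from a screen-lock hook; a non-zero exit status means at least one passphrase is still reported as cached.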