The gpg-agent is an important part of GnuPG that plays a similar role to the ssh-agent in OpenSSH. It has been integrated into the system as of GnuPG version 2.0.x and performs several tasks related to the management of keys and passphrases. One of the main functions of the gpg-agent is to store private key passphrases in memory for a period of time. This eliminates the need to re-enter the passphrase each time the key is used. The gpg-agent takes over the query of the passphrase from the user and stores it temporarily.
In GnuPG version 2.0.x, the gpg-agent is an optional element. However, as of version 2.3, it is an integral part, and all operations involving private keys are performed through the gpg-agent. This makes it possible to store the keys on another computer and use them only indirectly. An important feature of the gpg-agent in GnuPG 2.0.x is also access to smart cards. The gpg-agent can be activated via environment variables that can be used by programs to communicate with the gpg-agent. For example, an email client such as Thunderbird can contact the gpg-agent via the environment variable GPG_AGENT_INFO. This allows programs to use the gpg-agent to manage private keys and retrieve passphrases.
In most Unix-like desktop environments, the gpg-agent starts automatically. If it is not running, it will be started automatically by gpg, gpgsm and gpgconf. You can also manually communicate with the gpg-agent via the gpg-connect-agent program to gain access to the stored passphrases. Overall, the gpg-agent plays an important role in the secure management of keys and passphrases in GnuPG by simplifying and optimizing their access and use.
---

Command Line Tips for Using gpg-agent
Installing the gpg-agent is typically straightforward, as it is often bundled with GnuPG, the GNU Privacy Guard. Here are the general steps to install GnuPG, which includes the gpg-agent:
Linux (Debian/Ubuntu):
    sudo apt-get update
    sudo apt-get install gnupg
Linux (Red Hat/Fedora):
    sudo dnf install gnupg
macOS (Homebrew):
    brew install gnupg
Windows:
You can download the GnuPG installer from the official GnuPG website and follow the installation instructions provided. Once GnuPG is installed, the gpg-agent is automatically configured and started as a background process when needed. However, you may need to configure additional settings depending on your specific requirements.
Check gpg-agent Status
To check on the gpg-agent, start with the gpgconf command below, which prints the path of the socket the agent listens on:
    gpgconf --list-dirs agent-socket
Set Maximum Cache Lifetime
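You can set the cache lifetime for passphrase caching using the gpgconf command. The --change-options command reads lines of the form name:flags:value on standard input; the value is in seconds, and 600 below is an example value (it is also the agent's default):
    echo "default-cache-ttl:0:600" | gpgconf --change-options gpg-agent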
Restart gpg-agent
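If you need to restart the gpg-agent for any reason, for example to apply configuration changes, you can use the command below. reloadagent makes the running agent re-read its configuration file and flush its cached passphrases:
    gpg-connect-agent reloadagent /bye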
Use gpg-agent for SSH Authentication
To enable gpg-agent for SSH authentication, add the following line to your ~/.gnupg/gpg-agent.conf file:
    enable-ssh-support
Enable Smart Card Support
If you’re using smart cards or hardware tokens, you can enable smart card support in gpg-agent configuration:
    use-standard-socket
    scdaemon-program /usr/bin/scdaemon
List Cached Passphrases
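The gpg-agent does not display the cached passphrases themselves, but you can list the keys it knows and see which of them currently have a passphrase cached. In each KEYINFO line of the output, a 1 in the cached field marks a key whose passphrase is in the cache:
    gpg-connect-agent 'keyinfo --list' /bye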
Change Cache Expiry Time
You can change the cache expiry time for passphrases using the max-cache-ttl option in ~/.gnupg/gpg-agent.conf. The value is in seconds; 7200 below is an example value (it is also the agent's default):
    max-cache-ttl 7200
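The cache lifetime and SSH settings above can be checked against a policy with a short script. This is an added example, not part of the original page: the function names, the policy limits (600 s idle, 7200 s absolute) and the sample configuration are constructed, and it assumes that the last occurrence of a repeated option applies.

```shell
#!/bin/sh
# Added example: audit gpg-agent.conf cache lifetimes against a policy.
# Unset options fall back to gpg-agent's documented defaults:
# 600/7200 s for gpg keys, 1800/7200 s for SSH keys.

# Print the value in effect for option $1 (default $2); config on stdin.
# Assumption: if an option is repeated, the last occurrence applies.
effective_ttl() {
    awk -v opt="$1" -v def="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == opt && $2 ~ /^[0-9]+$/ { def = $2 }
        END { print def }'
}

# audit_agent_conf IDLE_LIMIT MAX_LIMIT   (config on stdin)
# Prints one FINDING line per violation; returns 1 if there was any.
audit_agent_conf() {
    conf=$(cat); idle_limit=$1; max_limit=$2; rc=0
    check() {  # check OPTION DEFAULT LIMIT
        val=$(printf '%s\n' "$conf" | effective_ttl "$1" "$2")
        if [ "$val" -gt "$3" ]; then
            echo "FINDING $1=$val exceeds policy limit $3"
            rc=1
        fi
    }
    check default-cache-ttl 600 "$idle_limit"
    check max-cache-ttl 7200 "$max_limit"
    # SSH keys have their own timers once enable-ssh-support is set.
    if printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)'; then
        check default-cache-ttl-ssh 1800 "$idle_limit"
        check max-cache-ttl-ssh 7200 "$max_limit"
    fi
    return $rc
}

# Constructed sample configuration, for illustration only.
sample_conf() {
    cat <<'EOF'
# ~/.gnupg/gpg-agent.conf (constructed)
default-cache-ttl 86400
max-cache-ttl 86400
enable-ssh-support
EOF
}

sample_conf | audit_agent_conf 600 7200 || true
```

On a real system, feed it the live file: `audit_agent_conf 600 7200 < ~/.gnupg/gpg-agent.conf`. The sample also flags default-cache-ttl-ssh, which keeps its own 1800-second default when only the gpg timers are set.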
Use gpg-agent in Other Applications
Many applications that rely on GnuPG for encryption and signing, such as email clients and file managers, can automatically use the gpg-agent once it’s configured and running.