Do smartcards stay unlocked forever by design?

Marco Steinacher marco+gnupg at
Tue Jan 18 17:21:44 CET 2011

On 01/17/2011 04:03 PM, Grant Olson wrote:
> I've been using a smartcard for several months now.  It's a cryptostick
> if the model is important.  Every time I sign something, it asks me for
> my pin.  But once the card is unlocked, ssh authentication and
> decryption seem to happen forever, regardless of any ttl-cache settings
> in gpg-agent.conf.  I just want to make sure I understand the semantics
> correctly.
> It seems:
> 1) Once I enter my pin, the card is unlocked as long as it's connected.


> 2) I get prompted when making a signature because the sig counter gets
> incremented, and that's a write operation to the card.  Decrypting and
> authenticating don't prompt because the operations don't write to the card.

I think it's rather because signing is considered more precarious than
decrypting or authenticating and not because it involves a write
operation. You can disable this behavior by changing the signature PIN
flag to 'not forced' with 'gpg --card-edit'.

> 3) The proper way to 'lock' the card is to remove it from the reader.

Yes, or if you can reload the scdaemon with 'gpgconf --reload scdaemon'.
This should have the same effect. I wrote a small script that does this
for me whenever the smartcard hasn't been used for some time. I do this
to reduce the chance that someone can use the unlocked card while I'm
away or when I forget to pull the card.


More information about the Gnupg-users mailing list