symmetric encryption and gpg-agent

Janna Martl janna.martl109 at
Fri Feb 19 21:59:24 CET 2016

Currently, I'm using gpg to store my email password encrypted on disk,
and have configured the programs I use to access the email server
(offlineimap and msmtp) to ask gpg-agent for that password. I've set
default-cache-ttl in gpg-agent.conf to a very high number, so I enter
the passphrase once when I log in and then don't have to enter it again.

Now, I have mixed feelings about how much I trust traditional password
managers, and I'm considering the idea of keeping a master password file
also symmetrically encrypted by gpg. Since it would be *all* of my
passwords, I want to be more careful with it, and don't want the
passphrase for the file sitting around in RAM. But currently, since I
have gpg-agent running with a high default-cache-ttl, if I encrypt a
file with gpg -c, I can decrypt it again later using gpg -d without
entering a password, which makes me uncomfortable.

I want to be able to use gpg without gpg-agent in this situation, but
this seems not to be possible; furthermore, the official documentation
discourages using more than one instance of gpg-agent.

So, is there a "good" way to get what I want: my email password stored
in a way that I only have to enter a passphrase once, and my master
password file stored in a way that I have to enter the passphrase every
time I want to look at the file?


-- J.M.

More information about the Gnupg-users mailing list