That blog post, factual error or not?

Peter Lebbing peter at digitalbrains.com
Wed Jul 6 20:33:48 CEST 2016


Hi Damien,

I scanned through your blog post[1] before I wrote my reply. Now as I
was about to close the webpage, my eye caught this remark in a smaller
font at the bottom:

> GnuPG Agent only caches the passphrase protecting the key, never the
> key itself—it reads the key from file every time the key is required,
> which means that as soon as the key file is removed from the agent’s
> directory, the key is no longer available;

Is this actually the case though? Have you checked the source or did an
strace? Before v2.1, gpg-agent only cached passphrases for OpenPGP
usage, and the gpg/gpg2-binary did the actual decrypting and using of
the private key material. However, in v2.1, the agent itself is
responsible for using the private key. I haven't looked at the internal
design, perhaps only the passphrase is cached and the key is decrypted
from disk each time. But that seems like a rather indirect method to
solve it; why not cache the decrypted key instead of the passphrase?

In fact, when you export a key, it will always prompt for a passphrase,
because it needs it to construct an OpenPGP private key packet. Why
would it need to do that if it had the passphrase cached? I think it
keeps the key cached, and discards knowledge of the passphrase as no
longer relevant. Of course, there are more steps between passphrase and
key file, perhaps it only stores one of those intermediate steps, which
could explain it as well.

I think the behaviour you are seeing might be that the agent notices you
removed the key, and it will forget about it. But it deliberately
forgets; it's not that it actually needs the file you removed.

Of course, if you checked the source, you know more than I. I just found
the comment surprising, so I thought I'd ask.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>