That blog post, factual error or not?

Damien Goutte-Gattat dgouttegattat at
Wed Jul 6 21:03:11 CEST 2016

Hi Peter,

On 07/06/2016 08:33 PM, Peter Lebbing wrote:
>> GnuPG Agent only caches the passphrase protecting the key, never the
>> key itself—it reads the key from file everytime the key is required,
>> which means that as soon as the key file is removed from the agent’s
>> directory, the key is no longer available;
> Is this actually the case though? Have you checked the source

Yes I did. That's how I found out this behavior actually.

If you want to check by yourself, have a look for example at the 
function agent_pkdecrypt (in the agent/pkdecrypt.c file), which 
implements the agent's PKDECRYPT command. One of the first thing this 
function does is to call agent_key_from_file (defined in 
agent/findkey.c), which *inconditionnally* reads the key from its file 
storage. The key is freed at the end of the agent_pkdecrypt function, 
without having been cached anywhere (only the passphrase is cached, in 
the function unprotect.c in agent/findkey.c).

The agent_pksign function, which implements the PKSIGN command and needs 
the signing (sub)key, behaves similarly.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160706/5b3c1797/attachment.sig>

More information about the Gnupg-users mailing list