AW: Extraction of decryption session key without copying complete encrypted file

Fiedler Roman Roman.Fiedler at
Fri Aug 4 14:36:12 CEST 2017

> Von: Werner Koch [mailto:wk at]
> On Wed,  2 Aug 2017 15:52, Roman.Fiedler at said:
> > How to decrypt large files, e.g. gpg-encrypted backups, without
> copying them to the machine with the GPG private key?
> With GnuPG 2.1 this is easy:  You use ssh's socket forwarding feature to
> forward gpg-agent's restricted remote socket, for example
>   /run/user/1000/gnupg/S.gpg-agent.extra
> to the host and there you run gpg which will then connect back to the
> agent on your desktop.  For details see

Ah, that's great - and actually the first nice gpg-agent feature apart from 
gpg-agent being little annoying when running it on RAM-disks in early boot.

The agent forwarding guide from above is fine, should be easy to implement. 
Just one more question: how do I restrict the private key lifetime within the 
agent or the number of agent requests before password repeat is needed? Best 
would be 0 seconds (agent should ask for passphrase every time a key is 
requested), but I could also live with something below 60sec.

What's the best way to implement that? I did not find a gpg option by myself. 
If none available, I guess it might be possible to find some value for 
RLIMIT_CPU, that would kill the agent process when attempting to do another 
sign/decrypt operation?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4814 bytes
Desc: not available
URL: </pipermail/attachments/20170804/1fab9adc/attachment.bin>

More information about the Gnupg-users mailing list