Force gpg-agent to send OPTION allow-external-password-cache / SETKEYINFO in _all_ pinentry invocations
Ivan Shapovalov
intelfx at intelfx.name
Wed Nov 7 09:18:48 CET 2018
Hello!
As I understand the situation, the pinentry protocol includes some
commands and options ("OPTION allow-external-password-cache" and
"SETKEYINFO") that facilitate "external caching" of passphrases on the
pinentry side. The gpg-agent makes use of these features for most key
operations, and certain pinentries implement them by caching
passphrases in persistent encrypted keyrings (e.g. in the GNOME
keyring via org.freedesktop.Secrets dbus interface).
In the end, this gives "single sign-on" semantics for the GPG keys: I
log in with a single password, which decrypts the GNOME keyring, which
contains a GPG key passphrase, which is automatically used to answer
the pinentry request whenever I sign/decrypt something.
Of course, I use different transient passphrases for all these keys, to
avoid keeping my main passphrase in RAM at all times.
However, requests like `gpg --export-secret-keys` do not seem to
include SETKEYINFO in pinentry requests, so I am forced to manually
look up the transient GPG key passphrase (which is not stored anywhere
except the GNOME keyring) every time I want to backup this key or
things like that.
Is it possible somehow to force gpg/gpg-agent to include "OPTION allow-
external-password-cache" and "SETKEYINFO" in _all_ pinentry
invocations?
Or maybe I am overcomplicating things and my use case (single sign-on
semantics for GPG keys) is best solved with something different? Or
maybe what I am doing is horribly insecure and I fail to see that?
Thanks,
--
Ivan Shapovalov / intelfx /
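The mechanism the post describes, as an added illustration that is not part of the original message and not gpg-agent's or any real pinentry's code: a toy Assuan pinentry that only consults its external cache when the client has sent both "OPTION allow-external-password-cache" and "SETKEYINFO". The in-memory dict stands in for the GNOME keyring behind org.freedesktop.Secrets, the keygrip and passphrase are constructed, and the two command sequences are simplified reconstructions of a sign request and of the post's `--export-secret-keys` case (no SETKEYINFO), not captured gpg-agent transcripts.

```python
"""Toy Assuan pinentry modelling the two cache hints from the post.

Added illustration, not gpg-agent's or any real pinentry's code. The dict
stands in for the GNOME keyring (org.freedesktop.Secrets); the command
sequences are constructed approximations, not captured transcripts.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Simulates the dialog: returns (passphrase, ticked "save in password manager").
Prompter = Callable[[str], Tuple[str, bool]]


def percent_escape(s: str) -> str:
    """Assuan D-line payloads escape '%', CR and LF as %XX."""
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def percent_unescape(s: str) -> str:
    """Inverse of percent_escape (ASCII only; real Assuan works on bytes)."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


class ToyPinentry:
    """One pinentry process: one connection, one GETPIN, then BYE."""

    def __init__(self, keyring: Dict[str, str], prompter: Prompter) -> None:
        self.keyring = keyring              # keygrip -> passphrase
        self.prompter = prompter
        self.allow_cache = False            # OPTION allow-external-password-cache seen
        self.keygrip: Optional[str] = None  # from SETKEYINFO
        self.desc = ""
        self.prompts = 0                    # times the human was asked

    def handle(self, line: str) -> List[str]:
        """Process one client line and return the server's reply lines."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "OPTION":
            if arg.partition("=")[0] == "allow-external-password-cache":
                self.allow_cache = True
            return ["OK"]                   # other options accepted and ignored here
        if cmd == "SETKEYINFO":
            # gpg-agent sends "n/<keygrip>" ("s/" for ssh keys) or "--clear".
            self.keygrip = arg.split("/", 1)[1] if "/" in arg else None
            return ["OK"]
        if cmd == "SETDESC":
            self.desc = percent_unescape(arg)
            return ["OK"]
        if cmd in ("SETPROMPT", "SETTITLE", "SETOK", "SETCANCEL"):
            return ["OK"]
        if cmd == "GETPIN":
            return self._getpin()
        if cmd == "BYE":
            return ["OK closing connection"]
        return ["ERR 275 Unknown command"]   # numeric code illustrative only

    def _getpin(self) -> List[str]:
        # The keyring is consulted only when the agent both allowed external
        # caching AND named the key: without SETKEYINFO there is no lookup key.
        if self.allow_cache and self.keygrip and self.keygrip in self.keyring:
            return ["S PASSWORD_FROM_CACHE",
                    "D " + percent_escape(self.keyring[self.keygrip]), "OK"]
        self.prompts += 1                   # the manual lookup the post describes
        passphrase, save = self.prompter(self.desc)
        if save and self.allow_cache and self.keygrip:
            self.keyring[self.keygrip] = passphrase
        return ["D " + percent_escape(passphrase), "OK"]


def run_session(keyring, prompter, client_lines) -> Tuple[List[str], int]:
    """Drive one connection; return (transcript, number of human prompts)."""
    pe = ToyPinentry(keyring, prompter)
    transcript = ["S: OK Pleased to meet you"]  # libassuan's default greeting
    for line in client_lines:
        transcript.append("C: " + line)
        transcript.extend("S: " + reply for reply in pe.handle(line))
    return transcript, pe.prompts


# Constructed sample data: a fake keygrip whose transient passphrase already
# sits in the keyring, as in the single-sign-on setup from the post.
GRIP = "0123456789ABCDEF0123456789ABCDEF01234567"
KEYRING = {GRIP: "transient-passphrase-only-in-keyring"}

SIGN_REQUEST = [                            # a sign/decrypt request names the key
    "OPTION allow-external-password-cache", "SETKEYINFO n/" + GRIP,
    "SETDESC Please enter the passphrase to unlock the OpenPGP secret key",
    "SETPROMPT Passphrase:", "GETPIN", "BYE"]
EXPORT_REQUEST = [                          # the post's export case: no SETKEYINFO
    "OPTION allow-external-password-cache",
    "SETDESC Please enter the passphrase to export the OpenPGP secret key",
    "SETPROMPT Passphrase:", "GETPIN", "BYE"]


def human_typing(desc: str) -> Tuple[str, bool]:
    """The user looks the passphrase up by hand and does not tick 'save'."""
    return KEYRING[GRIP], False


def demo() -> Dict[str, object]:
    sign_log, sign_prompts = run_session(dict(KEYRING), human_typing, SIGN_REQUEST)
    export_log, export_prompts = run_session(dict(KEYRING), human_typing, EXPORT_REQUEST)
    return {"sign": sign_log, "sign_prompts": sign_prompts,
            "export": export_log, "export_prompts": export_prompts}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["sign"]), "\n--\n", "\n".join(result["export"]), sep="")
```

Running it prints both exchanges: the sign session answers GETPIN with "S PASSWORD_FROM_CACHE" and zero prompts, while the export session, lacking SETKEYINFO, has no keygrip to look up and falls through to the dialog even though the option was sent. That is the whole of the behaviour the post observes; a pinentry cannot invent a cache key the agent never named.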