OpenPGP card and gpg-agent TTL
Matthias Apitz
guru at unixarea.de
Wed Nov 3 18:55:09 CET 2021
On Tuesday, November 02, 2021 at 06:34:16 PM +0100, Werner Koch via Gnupg-users wrote:
> On Sat, 30 Oct 2021 15:50, Matthias Apitz said:
>
> > I just withdraw the USB dongle after the operation. I was thinking that
> > the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> > state of the OpenPGP card, which it does not. How could I do this?
>
> No, it does not because it is the decision of the card how long the
> VERIFY command sent to the card allows the use of the key. For most
> cards and keys the keys are unlocked by VERIFY until the card is powered
> down. The OpenPGP cards allow limiting the VERIFY command for the first
> key to one signing operation ("forcesig" toggles this).
>
> As a workaround use "gpgconf --reload scdaemon" to power down the card.
>
Thanks. As I will use the card in the phone mostly (only) with the pass
command, I've added this to the script to get the card locked after any
usage with pass:
purism at pureos:~$ tail -8 /usr/bin/pass
# power down the OpenPGP card
# guru at unixarea.de
#
gpgconf --reload scdaemon
sleep 2
exit 0
I have now my ~330 passwords always with me, encrypted with an OpenPGP
card, and available without any laptop or USB dongle, just in my phone -- a
big step forward. Thanks to Purism for bringing this to the Linux world with the L5!
matthias
--
Matthias Apitz, ✉ guru at unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Africa...
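The thread's point, that gpg-agent's max-cache-ttl never expires the card's VERIFY state and only powering the card down (via "gpgconf --reload scdaemon") does, can be applied without patching /usr/bin/pass, as a wrapper around pass. The script below is an added example and is not the poster's script nor part of pass or GnuPG; the wrapper name pass-locked and the PASS_CMD/GPGCONF_CMD environment overrides (so the logic can be exercised without a card) are assumptions of this example.

```shell
#!/bin/sh
# pass-locked: run pass, then power the OpenPGP card down so the PIN state
# established by VERIFY is dropped. gpg-agent's max-cache-ttl does not do
# this; only a card power-down (scdaemon reload) does.

# Overridable so the wrapper can be tested without a card or real pass
# (assumption for this example; the defaults are the real tools).
: "${PASS_CMD:=pass}"
: "${GPGCONF_CMD:=gpgconf}"

# Power the card down by reloading scdaemon, the workaround from the thread.
lock_card() {
    "$GPGCONF_CMD" --reload scdaemon
}

# Run pass with the caller's arguments. The card is locked even when pass
# fails (a typo in the entry name must not leave the card unlocked), and
# pass's own exit status is preserved for the caller.
pass_locked() {
    rc=0
    "$PASS_CMD" "$@" || rc=$?
    lock_card || printf 'pass-locked: could not reload scdaemon; card may still be unlocked\n' >&2
    return "$rc"
}

# Act as a CLI only when executed under the wrapper name, not when sourced.
if [ "${0##*/}" = "pass-locked" ]; then
    pass_locked "$@"
fi
```

Install it as pass-locked somewhere on PATH and call it instead of pass; an alias "pass=pass-locked" in the shell profile makes every use of pass end with the card powered down.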