OpenPGP card and gpg-agent TTL

Matthias Apitz guru at
Wed Nov 3 18:55:09 CET 2021

El día martes, noviembre 02, 2021 a las 06:34:16p. m. +0100, Werner Koch via Gnupg-users escribió:

> On Sat, 30 Oct 2021 15:50, Matthias Apitz said:
> > I just withdraw the USB dongle after the operation. I was thinking that
> > the gpg-agent.conf entry 'max-cache-ttl' will also expire the unlocked
> > state of the OpenPGP card, which it does not. How could I do this? 
> No, it does not because it is the decision of the card how long the
> VERIFY command send to the card allows the use of the key.  For most
> cards and keys the keys are unlocked by VERIFY until the card is powered
> down.  The OpenPGP cards allow to limit the VERIFY command for the first
> key to one signing operation ("forcesig" toggles this).
> As a workaround use "gpgconf --reload scdaemon" to power down the card.

Thanks. As I will use the card in the phone mostly (only) with the pass
command, i've added this to the script to get the card locked after any
usage with pass:

purism at pureos:~$ tail -8 /usr/bin/pass

# power down the OpenPGP card
# guru at
gpgconf --reload scdaemon
sleep 2

exit 0

I have now my ~330 passwords always with me, encrypted with an OpenPGP
card, and available without any laptop or USB dongel, just in my phone -- a
big progress.  Thanks to Purism to bring this with the L5 to the Linux world!


Matthias Apitz, ✉ guru at, +49-176-38902045
Public GnuPG key:
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troups and bombs have been killed in Yugoslavia, Afghanistan, Afrika...

More information about the Gnupg-users mailing list