unofficial mirror of help-gnu-emacs@gnu.org
* Stop emacs caching gpg keys
@ 2021-01-30 15:37 Colin Baxter
  2021-01-30 15:54 ` moasenwood--- via Users list for the GNU Emacs text editor
  2021-01-30 17:14 ` Gregor Zattler
  0 siblings, 2 replies; 7+ messages in thread
From: Colin Baxter @ 2021-01-30 15:37 UTC (permalink / raw)
  To: help-gnu-emacs

Hello,

I have GnuPG (gpg) version 2.1.18. As is well known, this version of gpg
has the utterly annoying habit of storing gpg keys in the cache for some
time (1 hour default, I think).

To stop this happening I run 'gpgconf --kill gpg-agent'. This works fine
in bash scripts that control the encryption, where I can put that
command in the script.

This is not so straightforward if I encrypt a file using emacs. On
saving, and removing the buffer, a supposedly encrypted file can be
opened without the need to enter a password. Of course, I can open a
shell within emacs and run 'gpgconf --kill gpg-agent' in order to clear
the cache. But is there a simpler way - an elisp way - of achieving the
same result?

Thanks.

Colin Baxter.





* Re: Stop emacs caching gpg keys
  2021-01-30 15:37 Stop emacs caching gpg keys Colin Baxter
@ 2021-01-30 15:54 ` moasenwood--- via Users list for the GNU Emacs text editor
  2021-01-30 16:06   ` Colin Baxter
  2021-01-30 17:14 ` Gregor Zattler
  1 sibling, 1 reply; 7+ messages in thread
From: moasenwood--- via Users list for the GNU Emacs text editor @ 2021-01-30 15:54 UTC (permalink / raw)
  To: help-gnu-emacs

Colin Baxter wrote:

> This is not so straightforward if I encrypt a file using
> emacs. On saving, and removing the buffer, a supposedly
> encrypted file can be opened without the need to enter
> a password. Of course, I can open a shell within emacs and
> run 'gpgconf --kill gpg-agent' in order to clear the cache.

What do you do to encrypt from Emacs?

> But is there a simpler way - an elisp way - of achieving the
> same result?

There is always `shell-command', I guess...

-- 
underground experts united
http://user.it.uu.se/~embe8573
https://dataswamp.org/~incal





* Re: Stop emacs caching gpg keys
  2021-01-30 15:54 ` moasenwood--- via Users list for the GNU Emacs text editor
@ 2021-01-30 16:06   ` Colin Baxter
  2021-01-30 16:48     ` moasenwood--- via Users list for the GNU Emacs text editor
  0 siblings, 1 reply; 7+ messages in thread
From: Colin Baxter @ 2021-01-30 16:06 UTC (permalink / raw)
  To: help-gnu-emacs

>>>>> moasenwood--- via Users list for the GNU Emacs text editor <help-gnu-emacs@gnu.org> writes:

    > Colin Baxter wrote:
    >> This is not so straightforward if I encrypt a file using
    >> emacs. On saving, and removing the buffer, a supposedly encrypted
    >> file can be opened without the need to enter a password. Of
    >> course, I can open a shell within emacs and run 'gpgconf --kill
    >> gpg-agent' in order to clear the cache.

    > What do you do to encrypt from Emacs?

I do everything in emacs - don't you :-). Seriously, my use of emacs is
to encrypt org files.

    >> But is there a simpler way - an elisp way - of achieving the same
    >> result?

    > There is always `shell-command', I guess...

Yes, but do you know of any elisp hook that I could use to call the
shell-command, say whenever I close an encrypted buffer?

Best wishes,




* Re: Stop emacs caching gpg keys
  2021-01-30 16:06   ` Colin Baxter
@ 2021-01-30 16:48     ` moasenwood--- via Users list for the GNU Emacs text editor
  2021-01-30 16:59       ` Colin Baxter
  0 siblings, 1 reply; 7+ messages in thread
From: moasenwood--- via Users list for the GNU Emacs text editor @ 2021-01-30 16:48 UTC (permalink / raw)
  To: help-gnu-emacs

Colin Baxter wrote:

>> There is always `shell-command', I guess...
>
> Yes, but do you know of any elisp hook that I could use to
> call the shell-command, say whenever I close
> an encrypted buffer?

No, that's why I asked how you do this from Emacs to begin
with, that or those functions would be a good starting point
to look for additional functionality, or a hook if nothing
else...

If you don't find anything I guess you can use
`kill-buffer-hook' and then/there check if this needs to be
done...

-- 
underground experts united
http://user.it.uu.se/~embe8573
https://dataswamp.org/~incal
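
The `kill-buffer-hook' approach suggested above, written out as an added example (not code posted by anyone in the thread). The my/ names are hypothetical; it assumes the encrypted files are handled by EasyPG (epa-file), so their names match `epa-file-name-regexp', and it runs the same 'gpgconf --kill gpg-agent' command the original poster uses by hand.

```elisp
;;; Added example: drop gpg-agent's cache when an encrypted buffer is closed.
;;; All my/ names are hypothetical, not from the thread.
(require 'seq)
(require 'epa-hook)                     ; defines `epa-file-name-regexp'

(defun my/gpg-agent-flush ()
  "Stop gpg-agent so that everything it has cached is dropped.
Runs `gpgconf --kill gpg-agent', the command used in the thread."
  (interactive)
  (if (not (executable-find "gpgconf"))
      (message "gpgconf not found in exec-path; agent cache NOT cleared")
    ;; `call-process' returns the exit status (or a signal description).
    (let ((status (call-process "gpgconf" nil nil nil "--kill" "gpg-agent")))
      (unless (eq status 0)
        (message "gpgconf --kill gpg-agent failed with status %s" status)))))

(defun my/epa-buffer-p (&optional buffer)
  "Return non-nil if BUFFER (default: current) visits an EPA-handled file."
  (let ((file (buffer-file-name buffer)))
    (and file (string-match-p epa-file-name-regexp file))))

(defun my/gpg-agent-flush-on-kill ()
  "For `kill-buffer-hook': flush the agent if this buffer was encrypted.
The hook runs in the buffer that is about to be killed."
  (when (my/epa-buffer-p)
    (my/gpg-agent-flush)))

(defun my/gpg-agent-flush-on-exit ()
  "For `kill-emacs-hook': `kill-buffer-hook' is not run for buffers that
are still open when Emacs exits, so check for encrypted buffers here."
  (when (seq-some #'my/epa-buffer-p (buffer-list))
    (my/gpg-agent-flush)))

(add-hook 'kill-buffer-hook #'my/gpg-agent-flush-on-kill)
(add-hook 'kill-emacs-hook  #'my/gpg-agent-flush-on-exit)
```

Killing the agent affects every client that uses it, not only Emacs: passphrases cached for other gpg sessions are dropped as well.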





* Re: Stop emacs caching gpg keys
  2021-01-30 16:48     ` moasenwood--- via Users list for the GNU Emacs text editor
@ 2021-01-30 16:59       ` Colin Baxter
  0 siblings, 0 replies; 7+ messages in thread
From: Colin Baxter @ 2021-01-30 16:59 UTC (permalink / raw)
  To: help-gnu-emacs

>>>>> moasenwood--- via Users list for the GNU Emacs text editor <help-gnu-emacs@gnu.org> writes:

    > Colin Baxter wrote:
    >>> There is always `shell-command', I guess...
    >> 
    >> Yes, but do you know of any elisp hook that I could use to call
    >> the shell-command, say whenever I close an encrypted buffer?

    > No, that's why I asked how you do this from Emacs to begin with,
    > that or those functions would be a good starting point to look for
    > additional functionality, or a hook if nothing else...

    > If you don't find anything I guess you can use `kill-buffer-hook'
    > and then/there check if this needs to be done...

Ok. Thanks. You've given me a starting point for investigating further.

Best wishes,

Colin Baxter.




* Re: Stop emacs caching gpg keys
  2021-01-30 15:37 Stop emacs caching gpg keys Colin Baxter
  2021-01-30 15:54 ` moasenwood--- via Users list for the GNU Emacs text editor
@ 2021-01-30 17:14 ` Gregor Zattler
  2021-01-31  8:37   ` Colin Baxter
  1 sibling, 1 reply; 7+ messages in thread
From: Gregor Zattler @ 2021-01-30 17:14 UTC (permalink / raw)
  To: help-gnu-emacs

Hi Colin,
* Colin Baxter <m43cap@yandex.com> [30. Jan. 2021]:
> I have GnuPG (gpg) version 2.1.18. As is well known, this version of gpg
> has the utterly annoying habit of storing gpg keys in the cache for some
> time (1 hour default, I think).
>
> To stop this happening I run 'gpgconf --kill gpg-agent'. This works fine
> in bash scripts that control the encryption, where I can put that
> command in the script.

wouldn't it be easier to configure gpg-agent:

--default-cache-ttl n
    Set the time a cache entry is valid to n seconds.  The default
    is 600 seconds.  Each time a cache entry is accessed, the
    entry's timer is reset.  To set an entry's maximum lifetime, use
    max-cache-ttl.  Note that a cached passphrase may not be evicted
    immediately from memory if no client requests a cache operation.
    This is due to an internal housekeeping function which is only
    run every few seconds.

--max-cache-ttl n
    Set the maximum time a cache entry is valid to n seconds.  After
    this time a cache entry will be expired even if it has been
    accessed recently or has been set using gpg-preset-passphrase.
    The default is 2 hours (7200 seconds).

Therefore I have this configuration:
~/.gnupg$ cat gpg-agent.conf
default-cache-ttl 300
max-cache-ttl 1200


Ciao, Gregor
--
 -... --- .-. . -.. ..--.. ...-.-





* Re: Stop emacs caching gpg keys
  2021-01-30 17:14 ` Gregor Zattler
@ 2021-01-31  8:37   ` Colin Baxter
  0 siblings, 0 replies; 7+ messages in thread
From: Colin Baxter @ 2021-01-31  8:37 UTC (permalink / raw)
  To: help-gnu-emacs

Hello Gregor,
>>>>> Gregor Zattler <telegraph@gmx.net> writes:

    > Hi Colin, * Colin Baxter <m43cap@yandex.com> [30. Jan. 2021]:
    >> I have GnuPG (gpg) version 2.1.18. As is well known, this version
    >> of gpg has the utterly annoying habit of storing gpg keys in the
    >> cache for some time (1 hour default, I think).
    >> 
    >> To stop this happening I run 'gpgconf --kill gpg-agent'. This
    >> works fine in bash scripts that control the encryption, where I
    >> can put that command in the script.

    > wouldn't it be easier to configure gpg-agent:

One would think so, but setting the time in which the cache holds the
password is not what I want. I am happy to hold passwords in the cache
but only up until the moment I want them removed, and of course this
moment varies from job to job.

I have looked at firestarter https://depp.brause.cc/firestarter/. This
goes some way to what I want, but not all the way. I think I'll stick
for the time being to using the shell-command as I mentioned in the OP.

Thank you for your interest and help.


Best wishes,

Colin.



