For example:
Remember to reload the agent after making changes to the configuration. To enter a password only once per session, set them to something very high, for instance:
For password caching in SSH emulation mode, set default-cache-ttl-ssh and max-cache-ttl-ssh instead, for example:
Starting with GnuPG 2. In order to have the same type of functionality as the older releases, two things must be done:
Second, either the application needs to be updated to include a command-line parameter to use loopback mode, like so:
If you use multiple terminals simultaneously and want gpg-agent to ask for the passphrase via pinentry-curses from the same terminal where the ssh command was run, add the following to the SSH configuration file. This will make the TTY be refreshed every time an ssh command is run [4]:
Once gpg-agent is running you can use ssh-add to approve keys, following the same steps as for ssh-agent. Once your key is approved, you will get a pinentry dialog every time your passphrase is needed. For password caching, see Cache passwords. This requires a key with the Authentication capability; see Custom capabilities. If your key is authentication-capable but this command still fails with "Unusable public key", add a! If your key is on a keycard, its keygrip is added to sshcontrol implicitly.
If not, get the keygrip of your key this way:
Then edit sshcontrol like this:
Adding the keygrip is a one-time action; you will not need to edit the file again unless you are adding additional keys.
GnuPG uses scdaemon as an interface to your smartcard reader; please refer to the man page scdaemon(1) for details. The value '0' refers to the first available serial port reader and a value of '' default refers to the first USB reader. If GnuPG's scdaemon fails to connect the smartcard directly e. To use pcscd, install pcsclite and ccid. If you are using any smartcard with an opensc driver e. Out of the box you might receive a message like this when using gpg --card-status:
By default, scdaemon will try to connect directly to the device. This connection will fail if the reader is being used by another process, for example the pcscd daemon used by OpenSC. To cope with this situation, use the same underlying driver as opensc so that both can work together.
Please check scdaemon(1) if you do not use OpenSC. This means that to use GnuPG smartcard features you must first close all your open browser windows or perform some other inconvenient operations. Starting from version 2. Then create a new entry. Other PKCS#11 clients like browsers may need to be restarted for that change to be applied. However, if you are using a version of GnuPG older than 2. It can be useful to encrypt a password so that it is not written in cleartext in a configuration file.
A good example is your email password. First create a file with your password. You need to leave one empty line after the password; otherwise gpg will return an error message when evaluating the file. More details are in this email to the GnuPG list. By default the recipient's key ID is included in the encrypted message. This can be removed at encryption time for a single recipient by using hidden-recipient user-id.
To remove it for all recipients, add throw-keyids to your configuration file. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. Using a little social engineering, anyone who is able to decrypt the message can check whether one of the other recipients is the one he suspects.
On the receiving side, it may slow down the decryption process because all available secret keys must be tried e. To allow users to validate keys on the keyservers and in their keyrings i. Keysigning parties allow users to get together at a physical location to validate keys. The Zimmermann-Sassaman key-signing protocol is a way of making these very effective.
Here you will find a how-to article. For an easier process of signing keys and sending the signatures to their owners after a keysigning party, you can use the tool caff. To send the signatures to their owners you need a working MTA. If you do not already have one, install msmtp. To always show long key IDs, add keyid-format 0xlong to your configuration file. To always show full fingerprints of keys, add with-fingerprint to your configuration file. For further customization, it is also possible to set custom capabilities for your keys.
The following capabilities are available:
Similarly, to specify custom capabilities for subkeys, add the --expert flag to gpg --edit-key; see Edit your key for more information. The default configuration file is named gpg-agent. This option is ignored if used in an options file. Set the name of the home directory to dir. It is only recognized when given on the command line. On Windows systems it is possible to install GnuPG as a portable application.
In this case only this command line option is considered; all other ways to set a home directory are ignored. To install GnuPG as a portable application under Windows, create an empty file named gpgconf. The root of the installation is then that directory; or, if gpgconf. Outputs additional information while running. This option is only useful for testing; it sets the system time back or forth to epoch, which is the number of seconds elapsed since the year
Select the debug level for investigating problems.
All of the debug messages you can get. A value greater than 8 may be used instead of the keyword. The creation of hash tracing files is only enabled if the keyword is used. How these messages are mapped to the actual debugging flags is not specified and may change with newer releases of this program. They are, however, carefully selected to best aid in debugging. Set debug flags. All flags are OR-ed and flags may be given in C syntax e. To get a list of all supported flags, the single word "help" can be used.
This option is only useful for debugging and the behavior may change at any time without notice. When running in server mode, wait n seconds before entering the actual processing loop and print the pid.
This gives time to attach a debugger. It is only used for testing and should not be used for any production quality keys. This option is only effective when given on the command line. This option enables extra debug information pertaining to the Pinentry. As of now it is only useful when used along with --debug
Format the info output in daemon mode for use with the standard Bourne shell or the C-shell respectively. The default is to guess it based on the environment variable SHELL, which is correct in almost all cases.
Tell the pinentry to grab the keyboard and mouse. This option should be used on X servers to avoid X-sniffing attacks. Any use of the option --grab overrides a previously given --no-grab option. The default is --no-grab. If you don't use Secure Shell, you don't need the last two export statements. You should always add the following lines to your.
So my objective in the 2nd question was to try to prevent every gpg command from starting gpg-agent automatically, so that I can start it manually.
But I don't need this method anymore when using the --supervised option.
How to run gpg agent with custom config when the agent starts automatically after running a specific gpg command?
From the documentation, I can run gpg-agent with a custom config like this, and I think this is the official way: The following gpg-agent.