When using GnuPG (gpg) as the PGP scheme, we recommend using a program
gpg-agent for entering and caching
nil, attempt to use
gpg-agentwhenever possible. The default is
gpg-agentis not running, or GnuPG is not the current PGP scheme, PGG's own passphrase-caching mechanism is used (see below).
gpg-agent with PGG, you must first ensure that
gpg-agent is running. For example, if you are running in the X
Window System, you can do this by putting the following line in your
eval "$(gpg-agent --daemon)"
For more details on invoking
gpg-agent, See Invoking GPG-AGENT.
Whenever you perform a PGG operation that requires a GnuPG passphrase,
GnuPG will contact
gpg-agent, which prompts you for the
gpg-agent “caches” the result, so
that subsequent uses will not require you to enter the passphrase
again. (This cache usually expires after a certain time has passed;
you can change this using the
--default-cache-ttl option when
If you are running in a X Window System environment,
prompts for a passphrase by opening a graphical window. However, if
you are running Emacs on a text terminal,
gpg-agent has trouble
receiving input from the terminal, since it is being sent to Emacs.
One workaround for this problem is to run
gpg-agent on a
different terminal from Emacs, with the
--keep-tty option; this
gpg-agent use its own terminal to prompt for passphrases.
gpg-agent is not being used, PGG prompts for a passphrase
through Emacs. It also has its own passphrase caching mechanism,
which is controlled by the variable
There is a security risk in handling passphrases through PGG rather
gpg-agent. When you enter your passphrase into an Emacs
prompt, it is temporarily stored as a cleartext string in the memory
of the Emacs executable. If the executable memory is swapped to disk,
the root user can, in theory, extract the passphrase from the
swapfile. Furthermore, the swapfile containing the cleartext
passphrase might remain on the disk after the system is discarded or
gpg-agent avoids this problem by using certain tricks,
such as memory locking, which have not been implemented in Emacs.
nil, store passphrases. The default value of this variable is
t. If you are worried about security issues, however, you could stop the caching of passphrases by setting this variable to
If your passphrase contains non-ASCII characters, you might need to specify the coding system to be used to encode your passphrases, since GnuPG treats them as a byte sequence, not as a character sequence.
gpg-agent does not cache
passphrases but private keys. On the other hand, from a user's point
of view, this technical difference isn't visible.