3.3 Caching passphrase

When using GnuPG (gpg) as the PGP scheme, we recommend using a program called gpg-agent for entering and caching passphrases1.

Variable: pgg-gpg-use-agent

If non-nil, attempt to use gpg-agent whenever possible. The default is t. If gpg-agent is not running, or GnuPG is not the current PGP scheme, PGG’s own passphrase-caching mechanism is used (see below).

To use gpg-agent with PGG, you must first ensure that gpg-agent is running. For example, if you are running in the X Window System, you can do this by putting the following line in your .xsession file:

eval "$(gpg-agent --daemon)"

For more details on invoking gpg-agent, See Invoking GPG-AGENT in Using the GNU Privacy Guard.

Whenever you perform a PGG operation that requires a GnuPG passphrase, GnuPG will contact gpg-agent, which prompts you for the passphrase. Furthermore, gpg-agent “caches” the result, so that subsequent uses will not require you to enter the passphrase again. (This cache usually expires after a certain time has passed; you can change this using the --default-cache-ttl option when invoking gpg-agent.)

If you are running in a X Window System environment, gpg-agent prompts for a passphrase by opening a graphical window. However, if you are running Emacs on a text terminal, gpg-agent has trouble receiving input from the terminal, since it is being sent to Emacs. One workaround for this problem is to run gpg-agent on a different terminal from Emacs, with the --keep-tty option; this tells gpg-agent use its own terminal to prompt for passphrases.

When gpg-agent is not being used, PGG prompts for a passphrase through Emacs. It also has its own passphrase caching mechanism, which is controlled by the variable pgg-cache-passphrase (see below).

There is a security risk in handling passphrases through PGG rather than gpg-agent. When you enter your passphrase into an Emacs prompt, it is temporarily stored as a cleartext string in the memory of the Emacs executable. If the executable memory is swapped to disk, the root user can, in theory, extract the passphrase from the swapfile. Furthermore, the swapfile containing the cleartext passphrase might remain on the disk after the system is discarded or stolen. gpg-agent avoids this problem by using certain tricks, such as memory locking, which have not been implemented in Emacs.

Variable: pgg-cache-passphrase

If non-nil, store passphrases. The default value of this variable is t. If you are worried about security issues, however, you could stop the caching of passphrases by setting this variable to nil.

Variable: pgg-passphrase-cache-expiry

Elapsed time for expiration in seconds.

If your passphrase contains non-ASCII characters, you might need to specify the coding system to be used to encode your passphrases, since GnuPG treats them as a byte sequence, not as a character sequence.

Variable: pgg-passphrase-coding-system

Coding system used to encode passphrase.


Footnotes

(1)

Actually, gpg-agent does not cache passphrases but private keys. On the other hand, from a user’s point of view, this technical difference isn’t visible.