how to prevent gnupg from decrypting files automatically?

I'm on OSX 10.13.4, I am learning how to use gnupg from the terminal. I encrypted a file with

gpg --cipher-algo AES256 -c input.txt -o output.gpg

it asked me for a password, I made one up, and the file is now encrypted. But then, when I issue the command gpg -d output.gpg, it decrypts it without asking me for the password ?_?

How do I prevent that?

EDIT

Following this, I have set max-cache-ttl 0 in .gnupg/gpg-agent.conf and it seems to work. Could anyone confirm that this is indeed the right thing to do?


Setting max-cache-ttl 0 in your .gnupg/gpg-agent.conf file does seem to be a good solution. Especially since it works.

There's also the gpg-agent option --no-allow-external-cache that's supposed to:

Tell Pinentry not to enable features which use an external cache for passphrases.

Some desktop environments prefer to unlock all credentials with one master password and may have installed a Pinentry which employs an additional external cache to implement such a policy. By using this option the Pinentry is advised not to make use of such a cache and instead always ask the user for the requested passphrase.

That sounds like it should always ask for the passphrase, but it does not appear to do that. Or it only always asks when an external cache exists.

Or, you could keep letting gpg-agent cache passphrases, but clear them on demand by sending a SIGHUP signal (with kill, killall, pkill, etc.):

This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: quiet, verbose, debug, debug-all, debug-level, debug-pinentry, no-grab, pinentry-program, pinentry-invisible-char, default-cache-ttl, max-cache-ttl, ignore-cache-for-signing, no-allow-external-cache, allow-emacs-pinentry, no-allow-mark-trusted, disable-scdaemon, and disable-check-own-socket. scdaemon-program is also supported but due to the current implementation, which calls the scdaemon only once, it is not of much use unless you manually kill the scdaemon.


Another way is to only disable the caching for symmetric encryption/decryption (which doesn't use a public/private keypair). You can do this either with a command line option every time:

gpg --no-symkey-cache -c input.txt
gpg --no-symkey-cache -d output.gpg

Or you can add no-symkey-cache to ~/.gnupg/gpg.conf, then you won't need to add it to the command line every time. Note that the --no-symkey-cache feature requires gpg 2.2.7 or later.

This solution is better if you only want to disable the caching for symmetric encryption/decryption that doesn't involve public/private keypairs. It will still cache the passphrases for public/private keypairs.
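As an added example (my own helper, not code from either answer), here is a small POSIX shell script that applies the two settings discussed in this thread without leaving duplicate lines behind: no-symkey-cache in gpg.conf and max-cache-ttl 0 in gpg-agent.conf. It assumes a POSIX sh with awk available and that GNUPGHOME is ~/.gnupg unless the variable is already set; the function and file names are my own, while gpgconf --reload gpg-agent is the stock GnuPG 2.x way of making a running agent re-read its configuration (and, like the SIGHUP described above, it flushes cached passphrases).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes POSIX sh + awk.
# GNUPGHOME defaults to ~/.gnupg as in the answers above.
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# ensure_gpg_option FILE OPTION [VALUE]
# Remove any uncommented line whose first word is OPTION, then append
# "OPTION VALUE" (or just "OPTION" for flag-style options such as
# no-symkey-cache). Running it twice leaves exactly one such line.
ensure_gpg_option() {
    file=$1 opt=$2 val=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"            # gpg warns about group/world-readable config files
    tmp="$file.tmp.$$"
    # Keep every line except those that set this option; comment lines start
    # with '#' as their first field, so they survive untouched.
    awk -v o="$opt" '$1 != o' "$file" > "$tmp"
    if [ -n "$val" ]; then
        printf '%s %s\n' "$opt" "$val" >> "$tmp"
    else
        printf '%s\n' "$opt" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_gpg_option FILE OPTION
# Print the value of the last uncommented OPTION line (empty for a flag-style
# option); return 1 when the option is not set at all.
get_gpg_option() {
    awk -v o="$2" '$1 == o { found = 1; v = $2 }
                  END { if (!found) exit 1; print v }' "$1"
}

# disable_gpg_passphrase_cache
# Apply both settings from the thread: no-symkey-cache for symmetric passphrases
# (needs gpg 2.2.7 or later) and max-cache-ttl 0 for gpg-agent, then ask a
# running agent to reload so the change takes effect without a restart.
disable_gpg_passphrase_cache() {
    ensure_gpg_option "$GNUPGHOME/gpg.conf" no-symkey-cache
    ensure_gpg_option "$GNUPGHOME/gpg-agent.conf" max-cache-ttl 0
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    fi
}

# Only touch the real GNUPGHOME when explicitly asked: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_gpg_passphrase_cache
    echo "gpg.conf:       $(get_gpg_option "$GNUPGHOME/gpg.conf" no-symkey-cache && echo no-symkey-cache set)"
    echo "gpg-agent.conf: max-cache-ttl $(get_gpg_option "$GNUPGHOME/gpg-agent.conf" max-cache-ttl)"
fi
```

The replace-then-append step matters because gpg-agent honours the last occurrence of an option, so a stale max-cache-ttl 600 left above a new max-cache-ttl 0 would be harmless, but the reverse order would silently re-enable caching; rewriting the line removes that ambiguity.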