How to let gpg-agent confirm each key usage
When running gpg-agent as part of my login session, each program I run has access to my (possibly) unlocked PGP key. It might be paranoid, but I want to get confirmation about each key usage, so I wish for an option to gpg-agent that, when the passphrase or card PIN is already cached, pops up a confirmation dialog before allowing access to the key.
For SSH keys managed by gpg-agent such an option exists according to the manpage, but not for PGP.
Did I miss something?
Solution 1:
There is no option which simply displays a message. In the end, you've got to choose from two options:

- Disable the cache completely, to make sure the passphrase is not stored at all:

  --max-cache-ttl n Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).

  I'm not sure if a value of 0 disables the cache completely or sets the maximum time to infinite -- you will easily be able to find out. Setting it to 1 second should probably be fine, too.

- There is an option to disable the cache when signing (while decryption still uses it):

  --ignore-cache-for-signing This option will let gpg-agent bypass the passphrase cache for all signing operation. Note that there is also a per-session option to control this behaviour but this command line option takes precedence.

  The idea behind this is to prevent accidentally signing a message (which possibly cannot be undone), while accidentally decrypting a message probably won't do harm.

If considering these options, think about what attack you want to mitigate. If anybody is able to perform actions with your key, he's very likely able to run arbitrary commands anyway and might well install a trojan or key logger.
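As an added example (not part of the answer above), here is a small POSIX shell script that applies both settings the answer describes to a gpg-agent.conf idempotently: it strips any existing max-cache-ttl, default-cache-ttl or ignore-cache-for-signing lines (the weak, long-lived cache) and appends the strict ones, then asks a running agent to re-read its configuration. The function names, the 1-second TTL value and the config path argument are my own choices; the option names are the documented gpg-agent ones.

```shell
#!/bin/sh
# Added example: harden gpg-agent's passphrase cache. Not from the answer above.
set -eu

# harden_agent_conf CONF_FILE
# Removes the three cache-related options if present (whatever their value),
# then appends the strict settings, so running it twice yields the same file.
harden_agent_conf() {
  conf="$1"
  tmp="$conf.tmp.$$"
  if [ -f "$conf" ]; then
    # keep every other line (e.g. pinentry-program) untouched
    grep -Ev '^[[:space:]]*(max-cache-ttl|default-cache-ttl|ignore-cache-for-signing)([[:space:]]|$)' \
      "$conf" > "$tmp" || true
  else
    : > "$tmp"
  fi
  {
    echo 'max-cache-ttl 1'           # cache entries die after 1 second at most
    echo 'default-cache-ttl 1'       # and are not kept alive by repeated use
    echo 'ignore-cache-for-signing'  # signing always asks for the passphrase
  } >> "$tmp"
  mv "$tmp" "$conf"
  chmod 600 "$conf"
}

# reload_agent: make a running gpg-agent re-read gpg-agent.conf (no-op if absent)
reload_agent() {
  if command -v gpg-connect-agent >/dev/null 2>&1; then
    gpg-connect-agent reloadagent /bye >/dev/null
  fi
}

# conf_has_option CONF_FILE OPTION [VALUE]
# Succeeds only if exactly one line sets OPTION (to VALUE, when given).
conf_has_option() {
  value="${3:-}"
  if [ -n "$value" ]; then
    pat="^$2[[:space:]]+$value[[:space:]]*\$"
  else
    pat="^$2[[:space:]]*\$"
  fi
  n=$(grep -Ec "$pat" "$1" || true)
  [ "$n" -eq 1 ]
}

# Usage: sh harden-gpg-agent.sh ~/.gnupg/gpg-agent.conf
if [ -n "${1:-}" ]; then
  harden_agent_conf "$1"
  reload_agent
fi
```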