
Thread: Kgpg decrypts without asking for password

  1. #1

    Kgpg decrypts without asking for password

    Hi!

    It seems Kgpg can decrypt a file without asking for password. This happened when I encrypted a file and then tried to decrypt it again (shortly after). But if I restart my computer after encryption, I have to write the password to decrypt. My operation was:

    Code:
    vandel@linux-wkck:~> gpg --symmetric -v test.txt [now a kgpg popup opened automatically and asked me to "enter passphrase"]
    gpg: using cipher CAST5
    gpg: writing to `test.txt.gpg'
    vandel@linux-wkck:~> rm test.txt
    vandel@linux-wkck:~> gpg -v test.txt.gpg [this decrypted the file without asking for passphrase]
    gpg: CAST5 encrypted data
    gpg: encrypted with 1 passphrase
    gpg: original file name='test.txt'
    gpg: WARNING: message was not integrity protected

    I get the same result if I right-click test.txt.gpg in Dolphin and select open with Kgpg or "Decrypt/Verify file" with Kleopatra.

    Also if I just decrypted a file and entered the password, and then try to decrypt it a second time, I'm not asked to enter the password the second time.

  2. #2
    Re: Kgpg decrypts without asking for password

    Originally posted by Vandel:
    > It seems Kgpg can decrypt a file without asking for password. This happened when I encrypt a file, and then try to decrypt it again (shortly after).

    "gpg-agent" is started at login. It remembers the key for several hours. I think you can configure how long the key is retained, in a "gpg-agent.conf" file.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    Re: Kgpg decrypts without asking for password

    Originally posted by nrickert:
    > "gpg-agent" is started at login. It remembers the key for several hours. I think you can configure how long the key is retained, in a "gpg-agent.conf" file.

    I don't have a file with that name, only ~/.gnupg/gpg.conf.
    Anyway, if the password is securely deleted after some hours I guess this is not a major issue.

  4. #4
    Re: Kgpg decrypts without asking for password

    Originally posted by Vandel:
    > I don't have a file with that name, only ~/.gnupg/gpg.conf.

    You can create one. Check the man pages for gpg-agent. According to those pages, the default time to remember the key is 600 seconds.

  5. #5
    Re: Kgpg decrypts without asking for password

    On 2014-05-09 18:16, nrickert wrote:
    >
    > Vandel;2642154 Wrote:
    >> I don't have a file with that name, only ~/.gnupg/gpg.conf.
    >
    > You can create one. Check the man pages for gpg-agent. According to
    > those pages, the default time to remember the key is 600 seconds.

    It can be gpg-agent, but both kde and gnome provide their own
    password/passphrases agents (seahorse, kleopatra), and you can configure
    how much / if they are remembered.

    I don't have the full KDE installed in this laptop, so I can't check
    where it is done exactly.

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  6. #6
    Re: Kgpg decrypts without asking for password

    Originally posted by robin_listas:
    > It can be gpg-agent, but both kde and gnome provide their own
    > password/passphrases agents (seahorse, kleopatra), and you can configure
    > how much / if they are remembered.

    As far as I know, "seahorse" and "kleopatra" are two very different animals.

    In Gnome, "seahorse" replaces gpg-agent, and remembers keys without a time limit. Moreover, you can tell "seahorse" to save the key in the Gnome keyring, in which case it remembers keys across sessions.

    In KDE, as best I remember, "kleopatra" is just a gpg client which remains active once started, and does cache keys. Come to think of it, "kgpg" does the same thing, so it might have been "kgpg" rather than "gpg-agent" that was caching the key for the OP.

    I've mostly used "gpg" at the command line, where only gpg-agent is involved in caching.

  7. #7

    Re: Kgpg decrypts without asking for password

    Thanks for your replies.

    I checked Kgpg and Kleopatra and in Kleopatra there is a possibility to set the expiration time like this:

    In Settings -> Configure Kleopatra -> GnuPG System -> GPG agent

    I changed "Expire cached PINs after N seconds" to 60 s.

    Doing this in Kleopatra created the file gpg-agent.conf!

    Code:
    vandel@linux-wkck:~/.gnupg> cat gpg-agent.conf
    
    ###+++--- GPGConf ---+++###
    default-cache-ttl 60
    ###+++--- GPGConf ---+++### Sat 10 May 2014 12:20:24 PM CEST
    # GPGConf edited this configuration file.
    # It will disable options before this marked block, but it will
    # never change anything below these lines.

    Creating the file manually with this content I suppose also would have the same effect. I couldn't see that it was possible to configure the cache time in Kgpg too.

  8. #8
    Re: Kgpg decrypts without asking for password

    Originally posted by Vandel:
    > Doing this in Kleopatra created the file gpg-agent.conf!

    Then Kleopatra is not actually caching your key. It is relying on gpg-agent to do that.

    Maybe Kgpg does the same -- relies on gpg-agent. In that case, the gpg-agent.conf setting will also apply to Kgpg. Now that you have it set to 60 seconds, you might test that with Kgpg. I'll note that what's in gpg-agent.conf probably does not take effect until you log out and log in.

    I'm pretty sure that thunderbird with Enigmail also relies on gpg-agent for key caching.

  9. #9

    Re: Kgpg decrypts without asking for password

    Originally posted by nrickert:
    > Then Kleopatra is not actually caching your key. It is relying on gpg-agent to do that.
    >
    > Maybe Kgpg does the same -- relies on gpg-agent. In that case, the gpg-agent.conf setting will also apply to Kgpg. Now that you have it set to 60 seconds, you might test that with Kgpg. I'll note that what's in gpg-agent.conf probably does not take effect until you log out and log in.
    >
    > I'm pretty sure that thunderbird with Enigmail also relies on gpg-agent for key caching.

    Tested it and yes, the cache time for passwords in Kgpg changed too. And also when decrypting from the command line.
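
Added example, not part of any post in this thread: the file Kleopatra wrote sets only default-cache-ttl, and per gpg-agent(1) that timer restarts each time the cached entry is used, so max-cache-ttl (default 7200 seconds) is what bounds the lifetime. The sketch below reads a gpg-agent.conf and checks both values against a limit; the function names, the 300-second limit and the last-occurrence-wins rule for repeated options are assumptions.

```shell
#!/bin/sh
# Added example: report the passphrase cache lifetimes a gpg-agent.conf
# would give, using the defaults documented in gpg-agent(1) as fallback.

# effective_ttl FILE OPTION DEFAULT
# Prints the last uncommented numeric value of OPTION in FILE, else DEFAULT.
# Assumption: when an option is repeated, the last occurrence wins.
effective_ttl() {
    val=$(awk -v opt="$2" '
        /^[ \t]*#/ { next }                  # comments and GPGConf markers
        $1 == opt && $2 ~ /^[0-9]+$/ { v = $2 }
        END { if (v != "") print v }' "$1" 2>/dev/null) || val=""
    echo "${val:-$3}"
}

# audit_cache FILE LIMIT
# Returns 0 only if both lifetimes are at most LIMIT seconds.
audit_cache() {
    dflt=$(effective_ttl "$1" default-cache-ttl 600)
    max=$(effective_ttl "$1" max-cache-ttl 7200)
    echo "default-cache-ttl=$dflt max-cache-ttl=$max limit=$2"
    [ "$dflt" -le "$2" ] && [ "$max" -le "$2" ]
}

# Constructed sample, modelled on the file shown in post #7.
sample=$(mktemp)
cat > "$sample" <<'EOF'

###+++--- GPGConf ---+++###
default-cache-ttl 60
###+++--- GPGConf ---+++### Sat 10 May 2014 12:20:24 PM CEST
# GPGConf edited this configuration file.
EOF

# The 60 s idle timeout passes, but the unset max-cache-ttl does not.
audit_cache "$sample" 300 || echo "a passphrase in regular use can outlive 300 s"

# To make a running agent re-read an edited gpg-agent.conf:
#   gpg-connect-agent reloadagent /bye
```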

  10. #10
    Re: Kgpg decrypts without asking for password

    Originally posted by Vandel:
    > Tested it and yes, the cache time for passwords in Kgpg changed too. And also when decrypting from the command line.

    Okay. That's good (in my opinion). We don't need keys to be cached in multiple places. It's good that they all use gpg-agent for that.
