Jérôme Belleman

Using gpg-agent as a password manager

5 Jul 2014

The trouble with password managers is that there are so many of them to choose from. An approach I like for its simplicity is to build one on top of gpg-agent.

1 Setting up and using gpg-agent

Once you accept that gpg-agent only remembers private keys, not passwords, you'll find that it is the way to go. You keep your passwords in files encrypted with a key, and that key is itself best protected by a passphrase. Setting it all up is best done in ~/.xinitrc:

    1  GPGAGENTINFOFILE=~/.gpg-agent-info
    2  if [ -f $GPGAGENTINFOFILE ]; then
    3      . $GPGAGENTINFOFILE
    4  fi
    5  gpg-agent
    6  if [ $? -ne 0 ]; then
    7      eval $(gpg-agent --daemon --write-env-file $GPGAGENTINFOFILE)
    8  fi
  1. You need to set the GPG_AGENT_INFO environment variable by sourcing ~/.gpg-agent-info (lines 1 to 4). Bizarrely enough, there's no need to export it, as it makes its way everywhere regardless. Had you done it from ~/.zshrc, you would have had to.
  2. Setting the environment variable is needed even to run gpg-agent without arguments, which checks whether there is already one running (line 5).

    The documentation advises against this because of possible race conditions. Let's face it: they're unlikely, harmless, and we can't do any better, as ps presents the same risks and checking for the presence of files even more so. In fact, the documentation has no better suggestion to offer, precisely because there isn't any.
  3. Run gpg-agent if need be (line 7), evaluating its stdout on the fly to set the environment variables. Note that it won't do anything useful without --daemon, as there is no other way to run it than as a daemon. The --write-env-file option is needed to save the environment variables to ~/.gpg-agent-info, so that a later run can check whether gpg-agent is still running and restart it if necessary.

Make sure use-agent is set in ~/.gnupg/gpg.conf. Setting GPG_TTY as suggested in the documentation isn't needed, so don't bother. You may prefer to run pinentry-curses rather than pinentry-gtk2 (e.g. if you run it from an SSH session, or if you don't want pinentry-gtk2 stealing and keeping the focus). On Ubuntu, just make sure the pinentry-gtk2 package isn't installed and the pinentry-curses one is.

With all this nicely set up, all you need to do to decrypt a file is run the following command; gpg-agent will ask you for the passphrase only once:

gpg -d secret.gpg
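To turn the setup above into a small password store, here is an added example script (not code from the original post) that keeps one encrypted file per password and decrypts through gpg-agent. The ~/.passwords directory, the pw command name and the PW_KEY variable are assumptions; source it from your shell rc file and call pw add, pw get or pw list.

```shell
#!/bin/sh
# pw: a small password store on top of the gpg-agent setup described above.
# Added example: ~/.passwords, the pw name and PW_KEY are assumptions, not part of the post.
PW_DIR="${PW_DIR:-$HOME/.passwords}"  # one <name>.gpg file per password
PW_KEY="${PW_KEY:-}"                  # key to encrypt to; empty means your own default key

# Map an entry name to its file. The name is limited to a safe character set and
# may not start with a dot, so "pw get ../../something" cannot escape PW_DIR.
pw_path() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._@-]*) echo "pw: bad entry name: '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s.gpg\n' "$PW_DIR" "$1"
}

# Store a password read from stdin (never from argv, which would land in shell
# history and ps output). umask 077 keeps the directory and file owner-only.
pw_add() {
    f=$(pw_path "$1") || return 1
    umask 077
    mkdir -p "$PW_DIR"
    gpg --batch --yes -e ${PW_KEY:+-r "$PW_KEY"} --default-recipient-self -o "$f"
}

# Decrypt one entry to stdout; after the first use gpg-agent supplies the passphrase.
pw_get() {
    f=$(pw_path "$1") || return 1
    [ -f "$f" ] || { echo "pw: no such entry: $1" >&2; return 1; }
    gpg -q -d "$f"
}

# List entry names without decrypting anything.
pw_list() {
    [ -d "$PW_DIR" ] || return 0
    for f in "$PW_DIR"/*.gpg; do
        [ -f "$f" ] || continue
        b=${f##*/}; printf '%s\n' "${b%.gpg}"
    done
}

pw() {
    case "$1" in
        add)  pw_add "$2" ;;
        get)  pw_get "$2" ;;
        list) pw_list ;;
        *)    echo "usage: pw add <name> | pw get <name> | pw list" >&2; return 2 ;;
    esac
}

[ $# -eq 0 ] || pw "$@"  # dispatch when run as a script; no-op when sourced from a shell rc
```

Adding an entry reads the password from standard input, so type it (or pipe it) rather than passing it as an argument.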

2 Alternative solutions

I once googled for offlineimap and landed on the OfflineIMAP page, which listed suggestions under the heading "Not having to enter the password all the time". One of them was about using python-keyring, which works not only with GNOME Keyring but also with e.g. Mac OS X's Keychain. There's also pass, which is probably worth a look.
