1GPG-AGENT(1)                   GNU Privacy Guard                  GPG-AGENT(1)
2
3
4

NAME

6       gpg-agent - Secret key management for GnuPG
7

SYNOPSIS

9       gpg-agent [--homedir dir] [--options file] [options]
10       gpg-agent [--homedir dir] [--options file] [options] --server
11       gpg-agent  [--homedir  dir]  [--options  file] [options] --daemon [com‐
12       mand_line]
13
14

DESCRIPTION

16       gpg-agent is a daemon to manage  secret  (private)  keys  independently
17       from  any  protocol.  It is used as a backend for gpg and gpgsm as well
18       as for a couple of other utilities.
19
20       The agent is usualy started on demand by gpg, gpgsm,  gpgconf  or  gpg-
21       connect-agent.   Thus there is no reason to start it manually.  In case
22       you want to use the included Secure Shell Agent you may start the agent
23       using:
24
25         gpg-connect-agent /bye
26
27
28       The usual way to run the agent is from the ~/.xsession file:
29
30         eval $(gpg-agent --daemon)
31
32       If  you  don't use an X server, you can also put this into your regular
33       startup file ~/.profile or .bash_profile.  It is best not to run multi‐
34       ple instance of the gpg-agent, so you should make sure that only one is
35       running: gpg-agent uses an environment variable to inform clients about
36       the  communication  parameters. You can write the content of this envi‐
37       ronment variable to a file so that you can test for  a  running  agent.
38       Here is an example using Bourne shell syntax:
39
40         gpg-agent --daemon --enable-ssh-support \
41                   --write-env-file "${HOME}/.gpg-agent-info"
42
43       This code should only be run once per user session to initially fire up
44       the agent.  In the example the optional support for the included Secure
45       Shell  agent  is enabled and the information about the agent is written
46       to a file in the HOME directory.  Note that by running gpg-agent  with‐
47       out arguments you may test whether an agent is already running; however
48       such a test may lead to a race condition, thus it is not suggested.
49
50
51       The second script needs to be run for each interactive session:
52
53         if [ -f "${HOME}/.gpg-agent-info" ]; then
54           . "${HOME}/.gpg-agent-info"
55           export GPG_AGENT_INFO
56           export SSH_AUTH_SOCK
57         fi
58
59
60       It reads the data out of the file and exports the  variables.   If  you
61       don't use Secure Shell, you don't need the last two export statements.
62
63
64       You  should  always add the following lines to your .bashrc or whatever
65       initialization file is used for all shell invocations:
66
67         GPG_TTY=$(tty)
68         export GPG_TTY
69
70
71       It is important that this environment variable always reflects the out‐
72       put of the tty command.  For W32 systems this option is not required.
73
74       Please  make  sure  that  a  proper pinentry program has been installed
75       under the default filename (which  is  system  dependant)  or  use  the
76       option  pinentry-program  to specify the full name of that program.  It
77       is often useful to install a symbolic link from the actual used  pinen‐
78       try   (e.g.   ‘/usr/bin/pinentry-gtk’)   to   the  expected  one  (e.g.
79/usr/bin/pinentry’).
80
81
82
83

COMMANDS

85       Commands are not distinguished from options except for  the  fact  that
86       only one command is allowed.
87
88
89       --version
90              Print  the program version and licensing information.  Note that
91              you cannot abbreviate this command.
92
93
94       --help
95
96       -h     Print a usage message summarizing the most  useful  command-line
97              options.  Note that you cannot abbreviate this command.
98
99
100       --dump-options
101              Print  a  list of all available options and commands.  Note that
102              you cannot abbreviate this command.
103
104
105       --server
106              Run in server mode and wait for  commands  on  the  stdin.   The
107              default  mode  is  to  create  a  socket and listen for commands
108              there.
109
110
111       --daemon [command line]
112              Start the gpg-agent as a daemon; that is,  detach  it  from  the
113              console  and run it in the background.  Because gpg-agent prints
114              out important information required for further use, a common way
115              of  invoking  gpg-agent  is: eval $(gpg-agent --daemon) to setup
116              the  environment  variables.   The  option  --write-env-file  is
117              another way commonly used to do this.  Yet another way is creat‐
118              ing a new process as a child of  gpg-agent:  gpg-agent  --daemon
119              /bin/sh.  This way you get a new shell with the environment set‐
120              up properly; if you exit from this shell,  gpg-agent  terminates
121              as well.
122
123

OPTIONS

125       --options file
126              Reads  configuration  from file instead of from the default per-
127              user configuration file.   The  default  configuration  file  is
128              named  ‘gpg-agent.conf’  and  expected in the ‘.gnupg’ directory
129              directly below the home directory of the user.
130
131
132
133       --homedir dir
134              Set the name of the home directory to dir. If this option is not
135              used,  the  home  directory  defaults to ‘~/.gnupg’.  It is only
136              recognized when given on the command line.   It  also  overrides
137              any  home  directory  stated  through  the  environment variable
138GNUPGHOME’ or (on W32 systems) by means of the  Registry  entry
139              HKCU\Software\GNU\GnuPG:HomeDir.
140
141
142
143
144       -v
145
146       --verbose
147              Outputs  additional information while running.  You can increase
148              the verbosity by giving several verbose commands to gpgsm,  such
149              as '-vv'.
150
151
152       -q
153
154       --quiet
155              Try to be as quiet as possible.
156
157
158       --batch
159              Don't  invoke  a  pinentry or do any other thing requiring human
160              interaction.
161
162
163       --faked-system-time epoch
164              This option is only useful for testing; it sets the system  time
165              back  or  forth  to epoch which is the number of seconds elapsed
166              since the year 1970.
167
168
169       --debug-level level
170              Select the debug level for investigating problems. level may  be
171              a numeric value or a keyword:
172
173
174              none   No  debugging at all.  A value of less than 1 may be used
175                     instead of the keyword.
176
177              basic  Some basic debug messages.  A value between 1 and  2  may
178                     be used instead of the keyword.
179
180              advanced
181                     More verbose debug messages.  A value between 3 and 5 may
182                     be used instead of the keyword.
183
184              expert Even more detailed messages.  A value between 6 and 8 may
185                     be used instead of the keyword.
186
187              guru   All  of  the  debug messages you can get. A value greater
188                     than 8 may be used instead of the keyword.  The  creation
189                     of  hash  tracing files is only enabled if the keyword is
190                     used.
191
192       How these messages are mapped to the  actual  debugging  flags  is  not
193       specified  and may change with newer releases of this program. They are
194       however carefully selected to best aid in debugging.
195
196
197       --debug flags
198              This option is only useful for debugging and the  behaviour  may
199              change  at  any  time without notice.  FLAGS are bit encoded and
200              may be given in usual C-Syntax. The currently defined bits are:
201
202
203              0 (1)  X.509 or OpenPGP protocol related data
204
205              1 (2)  values of big number integers
206
207              2 (4)  low level crypto operations
208
209              5 (32) memory allocation
210
211              6 (64) caching
212
213              7 (128)
214                     show memory statistics.
215
216              9 (512)
217                     write hashed data to files named dbgmd-000*
218
219              10 (1024)
220                     trace Assuan protocol
221
222              12 (4096)
223                     bypass all certificate validation
224
225
226       --debug-all
227              Same as --debug=0xffffffff
228
229
230       --debug-wait n
231              When running in server mode, wait n seconds before entering  the
232              actual  processing  loop  and print the pid.  This gives time to
233              attach a debugger.
234
235
236       --no-detach
237              Don't detach the process from the console.  This is mainly  use‐
238              ful for debugging.
239
240
241       -s
242
243       --sh
244
245       -c
246
247       --csh  Format  the info output in daemon mode for use with the standard
248              Bourne shell or the C-shell respectively.   The  default  is  to
249              guess  it  based on the environment variable SHELL which is cor‐
250              rect in almost all cases.
251
252
253       --write-env-file file
254              Often it is required to connect to the agent from a process  not
255              being an inferior of gpg-agent and thus the environment variable
256              with the socket name is not available.  To help setting up those
257              variables  in  other  sessions, this option may be used to write
258              the information into file.  If file is not specified the default
259              name  ‘${HOME}/.gpg-agent-info’  will  be  used.   The format is
260              suitable to be evaluated by a Bourne shell like in  this  simple
261              example:
262
263         eval $(cat file)
264         eval $(cut -d= -f 1 < file | xargs echo export)
265
266
267
268
269       --no-grab
270              Tell  the  pinentry  not  to  grab the keyboard and mouse.  This
271              option should  in  general  not  be  used  to  avoid  X-sniffing
272              attacks.
273
274
275
276       --log-file file
277              Append all logging output to file.  This is very helpful in see‐
278              ing what the agent actually does.  If neither a log file  nor  a
279              log file descriptor has been set on a Windows platform, the Reg‐
280              istry entry HKCU\Software\GNU\GnuPG:DefaultLogFile, if  set,  is
281              used to specify the logging output.
282
283
284
285
286       --allow-mark-trusted
287              Allow  clients  to  mark keys as trusted, i.e. put them into the
288trustlist.txt’ file.  This is by default not allowed to make it
289              harder for users to inadvertently accept Root-CA keys.
290
291
292
293       --allow-loopback-pinentry
294              Allow  clients  to  use  the loopback pinentry features; see the
295              option pinentry-mode for details.
296
297
298       --ignore-cache-for-signing
299              This option will let gpg-agent bypass the passphrase  cache  for
300              all  signing  operation.   Note that there is also a per-session
301              option to control this behaviour but this  command  line  option
302              takes precedence.
303
304
305       --default-cache-ttl n
306              Set  the  time a cache entry is valid to n seconds.  The default
307              is 600 seconds.
308
309
310       --default-cache-ttl-ssh n
311              Set the time a cache entry used for SSH keys is valid to n  sec‐
312              onds.  The default is 1800 seconds.
313
314
315       --max-cache-ttl n
316              Set the maximum time a cache entry is valid to n seconds.  After
317              this time a cache entry will be expired  even  if  it  has  been
318              accessed recently.  The default is 2 hours (7200 seconds).
319
320
321       --max-cache-ttl-ssh n
322              Set the maximum time a cache entry used for SSH keys is valid to
323              n seconds.  After this time a cache entry will be  expired  even
324              if  it has been accessed recently.  The default is 2 hours (7200
325              seconds).
326
327
328       --enforce-passphrase-constraints
329              Enforce the passphrase constraints by not allowing the  user  to
330              bypass them using the ``Take it anyway'' button.
331
332
333       --min-passphrase-len n
334              Set  the  minimal  length  of a passphrase.  When entering a new
335              passphrase shorter than this value a warning will be  displayed.
336              Defaults to 8.
337
338
339       --min-passphrase-nonalpha n
340              Set  the minimal number of digits or special characters required
341              in a passphrase.  When entering a new passphrase with less  than
342              this  number  of  digits or special characters a warning will be
343              displayed.  Defaults to 1.
344
345
346       --check-passphrase-pattern file
347              Check the passphrase against the pattern given  in  file.   When
348              entering  a new passphrase matching one of these pattern a warn‐
349              ing will be displayed. file should be an absolute filename.  The
350              default is not to use any pattern file.
351
352              Security  note: It is known that checking a passphrase against a
353              list of pattern or even against a  complete  dictionary  is  not
354              very  effective  to  enforce  good passphrases.  Users will soon
355              figure up ways to bypass such a policy.  A better policy  is  to
356              educate  users on good security behavior and optionally to run a
357              passphrase cracker regularly on all users passphrases  to  catch
358              the very simple ones.
359
360
361       --max-passphrase-days n
362              Ask  the  user  to  change  the passphrase if n days have passed
363              since the last  change.   With  --enforce-passphrase-constraints
364              set the user may not bypass this check.
365
366
367       --enable-passphrase-history
368              This option does nothing yet.
369
370
371       --pinentry-program filename
372              Use program filename as the PIN entry.  The default is installa‐
373              tion dependent.
374
375
376       --pinentry-touch-file filename
377              By default the filename of the socket gpg-agent is listening for
378              requests  is  passed to Pinentry, so that it can touch that file
379              before exiting (it does this only in curses mode).  This  option
380              changes  the  file  passed to Pinentry to filename.  The special
381              name /dev/null may be used to completely disable  this  feature.
382              Note  that  Pinentry  will  not  create  that file, it will only
383              change the modification and access time.
384
385
386
387       --scdaemon-program filename
388              Use program filename as the Smartcard daemon.   The  default  is
389              installation  dependent  and  can be shown with the gpgconf com‐
390              mand.
391
392
393       --disable-scdaemon
394              Do not make use of the  scdaemon  tool.   This  option  has  the
395              effect  of  disabling  the  ability  to do smartcard operations.
396              Note, that enabling this option at  runtime  does  not  kill  an
397              already forked scdaemon.
398
399
400       --disable-check-own-socket
401              gpg-agent  employs  a  periodic  self-test  to  detect  a stolen
402              socket.  This usually means a second instance of  gpg-agent  has
403              taken  over the socket and gpg-agent will then terminate itself.
404              This option may be used to disable this self-test for  debugging
405              purposes.
406
407
408       --use-standard-socket
409
410       --no-use-standard-socket
411              By  enabling  this  option  gpg-agent  will listen on the socket
412              named ‘S.gpg-agent’, located in the home directory, and not cre‐
413              ate a random socket below a temporary directory.  Tools connect‐
414              ing to gpg-agent should first try to connect to the socket given
415              in  environment  variable  GPG_AGENT_INFO  and then fall back to
416              this socket.  This option may not be used if the home  directory
417              is  mounted  on a remote file system which does not support spe‐
418              cial files like fifos or sockets.   Note,  that  --use-standard-
419              socket  is  the  default  on all systems since GnuPG 2.1.  Note,
420              that --use-standard-socket is the default  on  Windows  systems.
421              The  default  may  be  changed at build time.  It is possible to
422              test at runtime whether the agent has been  configured  for  use
423              with the standard socket by issuing the command gpg-agent --use-
424              standard-socket-p which returns success if the  standard  socket
425              option has been enabled.
426
427
428       --display string
429
430       --ttyname string
431
432       --ttytype string
433
434       --lc-ctype string
435
436       --lc-messages string
437
438       --xauthority string
439              These options are used with the server mode to pass localization
440              information.
441
442
443       --keep-tty
444
445       --keep-display
446              Ignore requests to change the current tty or X  window  system's
447              DISPLAY  variable  respectively.   This  is  useful  to lock the
448              pinentry to pop up at the tty or display you started the agent.
449
450
451
452       --enable-ssh-support
453
454              Enable the OpenSSH Agent protocol.
455
456              In this mode of operation, the agent does not only implement the
457              gpg-agent  protocol, but also the agent protocol used by OpenSSH
458              (through a separate socket).  Consequently, it should be  possi‐
459              ble  to  use the gpg-agent as a drop-in replacement for the well
460              known ssh-agent.
461
462              SSH Keys, which are to be used through the  agent,  need  to  be
463              added  to  the  gpg-agent initially through the ssh-add utility.
464              When a key is added, ssh-add will ask for the  password  of  the
465              provided  key  file and send the unprotected key material to the
466              agent; this causes the gpg-agent to ask for a passphrase,  which
467              is  to be used for encrypting the newly received key and storing
468              it in a gpg-agent specific directory.
469
470              Once a key has been added to the gpg-agent this  way,  the  gpg-
471              agent will be ready to use the key.
472
473              Note:  in  case  the gpg-agent receives a signature request, the
474              user might need to be prompted for a passphrase, which is neces‐
475              sary  for decrypting the stored key.  Since the ssh-agent proto‐
476              col does not contain a mechanism for telling the agent on  which
477              display/terminal it is running, gpg-agent's ssh-support will use
478              the TTY or X display  where  gpg-agent  has  been  started.   To
479              switch  this  display  to the current one, the following command
480              may be used:
481
482         gpg-connect-agent updatestartuptty /bye
483
484       Although all GnuPG components try to start  the  gpg-agent  as  needed,
485       this  is  not  possible  for  the ssh support because ssh does not know
486       about it.  Thus if no GnuPG tool which accesses the agent has been run,
487       there  is no guarantee that ssh is abale to use gpg-agent for authenti‐
488       cation.  To fix this you may start gpg-agent if needed using this  sim‐
489       ple command:
490
491         gpg-connect-agent /bye
492
493       Adding the --verbose shows the progress of starting the agent.
494
495
496       All  the long options may also be given in the configuration file after
497       stripping off the two leading dashes.
498
499
500

EXAMPLES

502       The usual way to invoke gpg-agent is
503
504         $ eval $(gpg-agent --daemon)
505
506       An alternative way is by replacing ssh-agent with  gpg-agent.   If  for
507       example  ssh-agent  is  started as part of the Xsession initialization,
508       you may simply replace ssh-agent by a script like:
509
510         #!/bin/sh
511
512         exec /usr/local/bin/gpg-agent --enable-ssh-support --daemon \
513               --write-env-file ${HOME}/.gpg-agent-info "$@"
514
515
516       and add something like (for Bourne shells)
517
518           if [ -f "${HOME}/.gpg-agent-info" ]; then
519             . "${HOME}/.gpg-agent-info"
520             export GPG_AGENT_INFO
521             export SSH_AUTH_SOCK
522           fi
523
524
525       to your shell initialization file (e.g. ‘~/.bashrc’).
526
527
528

FILES

530       There are a few configuration files needed for  the  operation  of  the
531       agent.  By  default they may all be found in the current home directory
532       (see: [option --homedir]).
533
534
535
536       gpg-agent.conf
537                This is the standard configuration file read by gpg-agent on
538                startup.  It may contain any valid long option; the leading
539                two dashes may not be entered and the option may not be abbre‐
540              viated.
541                This file is also read after a SIGHUP however only a few
542                options  will  actually have an effect.  This default name may
543              be
544                changed on the command line (see: [option --options]).
545                You should backup this file.
546
547
548       trustlist.txt
549                This is the list of trusted  keys.   You  should  backup  this
550              file.
551
552                Comment  lines,  indicated  by a leading hash mark, as well as
553              empty
554                lines are ignored.  To mark a key as trusted you need to enter
555              its
556                fingerprint  followed  by  a  space  and  a  capital letter S.
557              Colons
558                may optionally be used to separate the bytes of a fingerprint;
559              this
560                allows  to  cut  and  paste the fingerprint from a key listing
561              output.  If
562                the line is prefixed with a ! the key is explicitly marked as
563                not trusted.
564
565                Here is an example where two keys  are  marked  as  ultimately
566              trusted
567                and one as not trusted:
568
569                .RS 2
570                # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
571                A6935DD34EF3087973C706FC311AA2CCF733765B S
572
573                # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
574                DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
575
576                # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
577                !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
578                .fi
579
580       Before entering a key into this file, you need to ensure its
581       authenticity.  How to do this depends on your organisation; your
582       administrator might have already entered those keys which are deemed
583       trustworthy enough into this file.  Places where to look for the
584       fingerprint of a root certificate are letters received from the CA or
585       the website of the CA (after making 100% sure that this is indeed the
586       website of that CA).  You may want to consider allowing interactive
587       updates of this file by using the see: [option --allow-mark-trusted].
588       This is however not as secure as maintaining this file manually.  It is
589       even advisable to change the permissions to read-only so that this file
590       can't be changed inadvertently.
591
592       As a special feature a line include-default will include a global
593       list of trusted certificates (e.g. ‘/etc/gnupg/trustlist.txt’).
594       This global list is also used if the local list is not available.
595
596       It is possible to add further flags after the S for use by the
597       caller:
598
599
600
601              relax  Relax checking of some root certificate requirements.  As of now this
602                     flag allows the use of root certificates with a missing basicConstraints
603                     attribute (despite that it is a MUST for CA certificates) and disables
604                     CRL checking for the root certificate.
605
606
607              cm     If validation of a certificate finally issued by a CA with this flag set
608                     fails, try again using the chain validation model.
609
610
611
612
613       sshcontrol
614              This file is used when support for the secure shell agent protocol has
615              been enabled (see: [option --enable-ssh-support]). Only keys present in
616              this file are used in the SSH protocol.  You should backup this file.
617
618              The ssh-add tool may be used to add new entries to this file;
619              you may also add them manually.  Comment lines, indicated by a leading
620              hash mark, as well as empty lines are ignored.  An entry starts with
621              optional whitespace, followed by the keygrip of the key given as 40 hex
622              digits, optionally followed by the caching TTL in seconds and another
623              optional field for arbitrary flags.  A non-zero TTL overrides the global
624              default as set by --default-cache-ttl-ssh.
625
626              The only flag support is confirm.  If this flag is found for a
627              key, each use of the key will pop up a pinentry to confirm the use of
628              that key.  The flag is automatically set if a new key was loaded into
629              gpg-agent using the option -c of the ssh-add
630              command.
631
632              The keygrip may be prefixed with a ! to disable an entry entry.
633
634              The following example lists exactly one key.  Note that keys available
635              through a OpenPGP smartcard in the active smartcard reader are
636              implicitly added to this list; i.e. there is no need to list them.
637
638                .RS 2
639                # Key added on: 2011-07-20 20:38:46
640                # Fingerprint:  5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
641                34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
642                .fi
643
644
645       private-keys-v1.d/
646
647                This is the directory where gpg-agent stores the private keys.  Each
648                key is stored in a file with the name made up of the keygrip and the
649                suffix ‘key’.  You should backup all files in this directory
650                and take great care to keep this backup closed away.
651
652
653
654              Note that on larger installations, it is useful to put predefined
655              files into the directory ‘/etc/skel/.gnupg/’ so that newly created
656              users start up with a working configuration.  For existing users the
657              a small helper script is provided to create these files (see: [addgnupghome]).
658
659
660
661
662

SIGNALS

664       A  running  gpg-agent may be controlled by signals, i.e. using the kill
665       command to send a signal to the process.
666
667       Here is a list of supported signals:
668
669
670
671       SIGHUP This signal flushes all cached passphrases and  if  the  program
672              has  been  started  with a configuration file, the configuration
673              file is read again.  Only certain options  are  honored:  quiet,
674              verbose,  debug,  debug-all, debug-level, no-grab, pinentry-pro‐
675              gram, default-cache-ttl,  max-cache-ttl,  ignore-cache-for-sign‐
676              ing,  allow-mark-trusted,  disable-scdaemon,  and disable-check-
677              own-socket.  scdaemon-program is also supported but due  to  the
678              current  implementation,  which calls the scdaemon only once, it
679              is not of much use unless you manually kill the scdaemon.
680
681
682
683       SIGTERM
684              Shuts down the process but waits until all current requests  are
685              fulfilled.   If  the process has received 3 of these signals and
686              requests are still pending, a shutdown is forced.
687
688
689       SIGINT Shuts down the process immediately.
690
691
692       SIGUSR1
693              Dump internal information to the log file.
694
695
696       SIGUSR2
697              This signal is used for internal purposes.
698
699
700
701

SEE ALSO

703       gpg2(1), gpgsm(1), gpg-connect-agent(1), scdaemon(1)
704
705       The full documentation for this tool is maintained as a Texinfo manual.
706       If  GnuPG and the info program are properly installed at your site, the
707       command
708
709         info gnupg
710
711       should give you access to the complete manual including a  menu  struc‐
712       ture and an index.
713
714
715
716GnuPG 2.0.22                      2018-07-13                      GPG-AGENT(1)
Impressum