pilobilus.net a website that might grow on you

A Bug Fix for gnupg-agent on Linux Mint 14

© 2013 SF Kinney
Released under Creative Commons BY-NC-SA 3.0 license
https://creativecommons.org/licenses/by-nc-sa/3.0/

After installing Linux Mint, importing my crypto keys and setting up Enigmail in Thunderbird, I ran into a problem: A program included with Mint 14 stores the user's GPG pass phrases, once entered, until the machine is turned off. There is no easily accessible way to change this behavior. As configured on Mint 14, gnupg-agent enables your little sister or nosy roommate to read or copy your encrypted mail and files "at will" any time your back is turned. Most people who understand how the GPG cryptosystem works would agree that pass phrases exist for good reasons and arbitrarily bypassing them is a Bad Thing.

The configuration file gpg-agent.conf is supposed to be in the user's home directory, in the hidden .gnupg folder. In this file, the user can specify gnupg-agent's behavior, including how long it stores pass phrases. This file was not present on my Mint 14 system, and creating it with appropriate contents per the gnupg-agent manual had no effect on gnupg-agent's behavior.

This work-around bypasses gnupg-agent to prevent it from collecting GPG pass phrases:

The GPG configuration file, gpg.conf, lives in the hidden .gnupg folder in the user's home directory. (Enable viewing hidden files to find it.) Open gpg.conf in a text editor and comment out the line "use-agent" by replacing it with "# use-agent". Save the file and GPG will revert to normal handling of passphrases, without calling up gnupg-agent.

To prevent the Enigmail plugin for Thunderbird from using gnupg-agent, it is necessary to keep Thunderbird from reading the GPG_AGENT_INFO environment variable. This can be done by opening Thunderbird with a script instead of its normal run command. Create a text file with these three lines:

#!/bin/sh
unset GPG_AGENT_INFO
exec /usr/bin/thunderbird "$@"

If your Thunderbird program file lives elsewhere, adjust the path /usr/bin/thunderbird to reflect its actual location. Save this file as (for instance) thunderbird.sh in your home directory. Make the file executable: right-click on it, select "Properties" and check the "Allow executing file as program" box in the Permissions tab. (Or pop open a terminal and do: chmod +x thunderbird.sh) Edit the start menu entry for Thunderbird, changing the command it issues from "thunderbird %u" to "/home/[your_username]/thunderbird.sh". You can also edit other shortcuts by right-clicking on them and selecting "Properties" or "Edit".
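Both steps of the work-around, done from a terminal, as an added shell example written for this page (it is not the post's own three-line script): it comments out the use-agent line in a gpg.conf you name, keeps a backup copy, writes the wrapper script, and checks the result. The gpg.conf path, the wrapper path and the Thunderbird location are arguments you supply; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the two-step
# work-around: disable use-agent in gpg.conf and install the wrapper.
# Assumed paths are passed in by the caller (e.g. ~/.gnupg/gpg.conf).

# Comment out every active "use-agent" line in the given gpg.conf.
# A backup is written to <file>.bak; lines that are already comments
# and all other settings are left untouched. Uses a temp file so it
# works with any POSIX sed, not only GNU sed -i.
disable_use_agent() {
    conf="$1"
    [ -f "$conf" ] || return 1
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/^[[:space:]]*use-agent[[:space:]]*$/# use-agent/' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Succeeds (exit 0) when gpg.conf no longer has an active use-agent line.
agent_disabled() {
    ! grep -Eq '^[[:space:]]*use-agent[[:space:]]*$' "$1"
}

# Write the wrapper that hides GPG_AGENT_INFO from Thunderbird.
# $1 = wrapper path, $2 = Thunderbird binary (default /usr/bin/thunderbird).
write_wrapper() {
    wrapper="$1"
    tb="${2:-/usr/bin/thunderbird}"
    printf '#!/bin/sh\nunset GPG_AGENT_INFO\nexec %s "$@"\n' "$tb" \
        > "$wrapper" && chmod +x "$wrapper"
}

# Typical use on Mint 14 (uncomment to run):
# disable_use_agent "$HOME/.gnupg/gpg.conf" && agent_disabled "$HOME/.gnupg/gpg.conf"
# write_wrapper "$HOME/thunderbird.sh" /usr/bin/thunderbird
```

After running it, point the Thunderbird menu entry at the wrapper exactly as described above; the wrapper itself is byte-for-byte the three-line script from the post.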

Credentials stored by gnupg-agent are supposed to expire in ten minutes by default - not "on system shutdown." Upstream, Debian says that gnupg-agent is not a security issue because "physical access is game over." This is correct if your adversary is an expert at offensive hacking and arrives prepared to exploit your system, but it is a very weak argument for enabling unskilled snoopers to read your encrypted mail and files any time your back is turned. Hopefully the folks who package Mint will fix this behavior soon, and gnupg-agent will start saving pass phrases for 10 minutes as a convenience feature, instead of saving them indefinitely.