
About GPG, the gpg-agent is mentioned, and I read the following answer:

Where the --default-cache-ttl and --max-cache-ttl options are mentioned. So I found this official source:

--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds.
Each time a cache entry is accessed, the entry's timer is reset.
To set an entry's maximum lifetime, use max-cache-ttl.
Note that a cached passphrase may not be evicted immediately from memory if
no client requests a cache operation. This is due to an internal housekeeping
function which is only run every few seconds.

--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds.
After this time a cache entry will be expired even if it
has been accessed recently or has been set using gpg-preset-passphrase.
The default is 2 hours (7200 seconds).

Therefore, consider the main question as follows:

  • What is the difference and relation between the --default-cache-ttl and --max-cache-ttl options?

And as secondary questions the following:

  • What exactly is a cache entry?
  • What criteria does gpg-agent use to decide when to consider/apply the --default-cache-ttl and --max-cache-ttl options?

Therefore I want to clearly understand the points/scenarios/criteria about when and why the 600 seconds (10 minutes) and 7200 seconds (2 hrs) apply, according to each option.

1 Answer

When the agent is running, it handles passphrase requests. When the user enters a passphrase, it is added to a cache. The default-cache-ttl and max-cache-ttl set timeouts for that cache:

  • all entries time out when max-cache-ttl expires, measured after their first use
  • unused entries time out when default-cache-ttl expires, measured after their latest use

If I enter a passphrase now, and keep re-using it within the default cache timeout (which defaults to ten minutes), I won’t need to re-enter it until the maximum cache timeout is reached (two hours). This is useful when I perform many operations requiring my secret key within a short period; for example, reworking commits, or signing lots of emails.

The two settings are a compromise between convenience and security. On the convenience side of things, as long as I re-use my key within ten minutes, I don’t need to re-enter my passphrase for two hours. On the security side of things, if I’ve been using my key, and someone else accesses my unlocked device, they can impersonate me for at most two hours.

  • Huge thanks for the reply; with the first paragraph, the relation about how one setting affects or triggers the other is now clear. And with the second paragraph, the consequence of each scenario is clear. Commented Apr 7 at 17:50
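The two timers described in the answer, as a small model added here for illustration (this is not GnuPG's own code; the keygrip name, the `simulate` helper and the strict `<` comparison at the exact boundary second are assumptions of the model). Each cache entry carries a creation time that is never reset (governed by max-cache-ttl) and a last-access time that is reset on every hit (governed by default-cache-ttl); an entry is usable only while both limits hold:

```python
"""Model of gpg-agent's passphrase-cache timeouts.

Added illustration, not GnuPG's own code. Two clocks govern every entry:
  * default-cache-ttl: idle timeout, measured from the entry's LAST access
    and reset on every access (a sliding window);
  * max-cache-ttl: hard lifetime, measured from when the entry was CREATED
    (the moment the passphrase was typed) and never reset.
The real agent only evicts expired entries when its housekeeping function
runs (every few seconds); here "expired" simply means "no longer usable".
"""
from dataclasses import dataclass, field

DEFAULT_CACHE_TTL = 600   # gpg-agent default: 10 minutes
MAX_CACHE_TTL = 7200      # gpg-agent default: 2 hours


@dataclass
class CacheEntry:
    created_at: float   # set once, when the passphrase was entered
    last_access: float  # moved forward on every successful lookup
    # The secret itself is deliberately not modelled; only its timing is.


@dataclass
class PassphraseCache:
    default_ttl: int = DEFAULT_CACHE_TTL
    max_ttl: int = MAX_CACHE_TTL
    entries: dict = field(default_factory=dict)

    def put(self, keygrip, now):
        """Cache a freshly entered passphrase; both timers start at `now`."""
        self.entries[keygrip] = CacheEntry(created_at=now, last_access=now)

    def is_live(self, entry, now):
        idle = now - entry.last_access   # checked against default-cache-ttl
        age = now - entry.created_at     # checked against max-cache-ttl
        # Assumption: an entry that has reached either limit exactly is expired.
        return idle < self.default_ttl and age < self.max_ttl

    def get(self, keygrip, now):
        """True if a cached passphrase is usable at `now`.
        A hit resets the idle timer (but never the creation time); a miss
        drops the entry, so the caller must prompt and `put` a new one."""
        entry = self.entries.get(keygrip)
        if entry is None:
            return False
        if not self.is_live(entry, now):
            del self.entries[keygrip]
            return False
        entry.last_access = now
        return True


def simulate(access_times, default_ttl=DEFAULT_CACHE_TTL, max_ttl=MAX_CACHE_TTL):
    """Replay key uses at the given times (seconds since the session began)
    and return the times at which the user had to type the passphrase."""
    cache = PassphraseCache(default_ttl, max_ttl)
    prompts = []
    for t in access_times:
        if not cache.get("keygrip-0", t):   # hypothetical keygrip label
            prompts.append(t)
            cache.put("keygrip-0", t)
    return prompts


if __name__ == "__main__":
    # Signing every 5 minutes for 3 hours: the idle timer never runs out,
    # so the only re-prompt is the hard 2-hour limit.
    print("steady use:", simulate(range(0, 10801, 300)))      # [0, 7200]
    # A 700-second pause exceeds default-cache-ttl: re-prompt at 1000.
    print("idle gap:  ", simulate([0, 300, 1000]))             # [0, 1000]
```

The same defaults correspond to the lines `default-cache-ttl 600` and `max-cache-ttl 7200` in ~/.gnupg/gpg-agent.conf; after changing them, `gpgconf --reload gpg-agent` makes the running agent pick them up. Lowering max-cache-ttl is what bounds the impersonation window the answer describes, since default-cache-ttl alone never limits how long continuous use keeps the entry alive.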
