
gpg-agent: Fail on expiring YubiKey PIN
Closed, ResolvedPublic


My OS is Artix Linux (rolling release).

My GnuPG version is:

gpg (GnuPG) 2.2.41
libgcrypt 1.10.1-unknown

installed from the pacman package manager.

I have a YubiKey 5 NFC as a smartcard of OpenPGP, where I have my sub-keys. The master key only has the Certification attribute, my sub-keys have the remaining attributes.

My ~/.gnupg/gpg-agent.conf is:

default-cache-ttl 60
max-cache-ttl 120
pinentry-program /usr/bin/pinentry-curses

If I plug my YubiKey into a USB port, enter my PIN (for example, to decrypt some file), and then wait more than 2 minutes, the gpg-agent cache doesn't seem to expire, because it does not ask for the PIN again. In fact, to me, it always uses the first PIN that I entered, as if the cache lasted forever.

I want my YubiKey PIN to expire after 2 minutes, but I don't know what else to do.

I suppose this is a gpg-agent bug, because I seem to have done things right.

I need help, please.



Event Timeline

werner added a subscriber: werner.

Smartcard PINs are different from passphrases for on-disk keys. Once a PIN is entered, the smartcard is unlocked as long as it is powered up. In theory we could power down and power up the card to lock it. The question here is: what is your threat model? If you have malware on your system, it could simply brick your token or, more commonly, peek at your PIN.

I never made a threat model. But definitely *any* cracker should be out of my system, whether from governmental agencies or a kiddo in Russia.
I know that I have someone remotely accessing my machine, since I got some tells. And this cracker has used my Emacs text editor.

Well, it seems I can only unplug the YubiKey when I am not using it.

Thank you.

werner claimed this task.