Remembering gpg pass-phrase for certain processes

I use GNU’s password store (pass) to save all my passwords including my email passwords.
I have a passphrase set on my GPG keys which is then remembered by gpg-agent for an hour. I also have a cron job that pulls my emails at regular intervals which obtains the email passwords using pass.

What this means is that the cron job only works when I have entered my passphrase so that the gpg-agent remembers the passphrase. Otherwise the cron job fails.

I would like to always have the passphrase remembered for this one cron job, but not for other processes. Is there a way to do so?

What is the correct way to handle such a use-case? I am tempted to remove the passphrase altogether.

Asked By: Tohiko


You don’t need to remove passphrases for all your keys. However, gpg-agent is not designed to have multiple settings for different keys. Therefore, I think your best bet is to create an additional password store associated with a different gpg key without a passphrase and use that for your cron jobs.

Basically, create a new directory (e.g. cronjob_key) in your password store, a new key (gpg --full-generate-key) without passphrase and set that directory as the path in pass init -p cronjob_key [GPG-ID].

You can apply the same procedure for your old key and have the following directory structure:

|-- old_key
|   |-- .gpg-id
|-- cronjob_key
    |-- .gpg-id

Now you can generate new passwords for each password store: pass generate cronjob_key/service2 16 and pass generate old_key/service1 16:

|-- old_key
|   |-- .gpg-id
|   `-- service1.gpg
`-- cronjob_key
    |-- .gpg-id
    `-- service2.gpg  -> this one doesn't require a passphrase

You need to assume that if your computer gets compromised, then the attacker will have access to services using this "passwordless" key. That's the trade-off you must be willing to make for the convenience of automating your cronjobs. This is equivalent to the use of cookies available in most web services, so it shouldn't be too difficult to accept this as a viable alternative.

Answered By: Robert Smith
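The procedure in the answer, worked through end to end as an added example (this is not code from the question or the answer): generate a key with no passphrase unattended, create the cronjob_key subfolder with pass init -p, store one entry there, and show that the entry decrypts with no cached passphrase in gpg-agent. It runs in throwaway GNUPGHOME and PASSWORD_STORE_DIR directories so the real keyring and store are never touched. The key identity (cron@example.invalid), the subfolder name, the entry name service2 and the demo secret are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the answer's own code: build the cronjob_key subfolder
# encrypted to a passphrase-less key, in isolated directories.
# Key identity, subfolder name, entry name and secret are assumed values.
set -eu

DEMO="$(mktemp -d)"
export GNUPGHOME="$DEMO/gnupg"            # isolated keyring for the demo
export PASSWORD_STORE_DIR="$DEMO/store"   # isolated pass store for the demo
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$DEMO"' EXIT

# Generate the passphrase-less key unattended (%no-protection) and print its
# fingerprint, which is the GPG-ID that pass init needs.
gen_cron_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: cron mail fetcher
Name-Email: cron@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-secret-keys cron@example.invalid \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create the subfolder with its own .gpg-id; everything stored under it is
# encrypted to the cron key only, never to the passphrase-protected key.
init_cron_store() {
    pass init -p cronjob_key "$1" >/dev/null
}

# Store a secret as cronjob_key/<name>. -m reads the whole of stdin and -f
# skips the overwrite prompt, so this works without a terminal too.
store_secret() {
    printf '%s\n' "$2" | pass insert -m -f "cronjob_key/$1" >/dev/null
}

# What the cron job runs. The agent is killed first to prove the entry does
# not depend on a cached passphrase: gpg restarts the agent and decrypts with
# the unprotected key, so no pinentry (and no GPG_TTY) is needed.
fetch_secret() {
    gpgconf --kill gpg-agent
    pass show "cronjob_key/$1"
}

if command -v gpg >/dev/null 2>&1 && command -v pass >/dev/null 2>&1; then
    fpr="$(gen_cron_key)"
    init_cron_store "$fpr"
    store_secret service2 'hunter2-imap-demo'
    echo "cron key fingerprint: $fpr"
    echo "cronjob_key/service2 decrypts to: $(fetch_secret service2)"
fi
```

For the real setup drop the temporary directories, generate the key in the keyring the cron job's user already uses, and point the cron entry at the store as usual (for example `pass show cronjob_key/service2` piped into the mail fetcher, a hypothetical command line). The entries under old_key remain encrypted to the passphrase-protected key and still need the agent cache; only what is deliberately placed under cronjob_key is readable without a passphrase.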