Force GPG to Prompt for a Password Every Time
Overview
By default, gpg-agent caches your passphrase for a few minutes after you enter it.
This means subsequent decryptions may not prompt for a password, even if you expect them to.
For sensitive files (e.g., AWS credentials, SSH keys, or private archives), you can disable caching entirely, forcing Ubuntu's GPG dialog (pinentry) to appear every time you decrypt a file.
Step 1: Edit GPG Agent Configuration
Open or create the agent config file:
nano ~/.gnupg/gpg-agent.conf
Add the following lines:
default-cache-ttl 0
max-cache-ttl 0
- default-cache-ttl: how long (in seconds) the passphrase stays cached
- max-cache-ttl: the absolute upper limit on caching time
Setting both to 0 disables caching completely.
Step 2: Reload the Agent
After saving, reload GPG agent settings:
gpgconf --reload gpg-agent
Or restart the agent manually if necessary:
gpgconf --kill gpg-agent
gpg-agent --daemon
Step 3: Test the Behavior
Run a decryption command:
gpg -d ~/.aws/credentials.gpg
You should always see the Ubuntu password dialog (pinentry) appear, no matter how recently you used GPG.
Notes
- This affects all GPG operations for your user account.
- It's perfect for protecting credentials or private files you only decrypt on demand.
- To revert, just remove the lines from ~/.gnupg/gpg-agent.conf or restore default TTLs, e.g.:
  default-cache-ttl 600
  max-cache-ttl 7200
Example Use Case
You can combine this with a script-based credential loader (something like creds_get.sh for AWS) to ensure a password prompt appears each time credentials are decrypted:
gpg -d ~/.aws/credentials.gpg > ~/.aws/credentials
Now, your credentials are only accessible while you're physically present to authorize the decryption.
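The following POSIX sh helper is an added example, not code from the original page or from any creds_get.sh script: it ties Steps 1 to 3 and the use case together by reading gpg-agent.conf, refusing to decrypt unless both TTLs are 0, reloading the agent so a previously cached passphrase cannot bypass the prompt, and writing the plaintext with mode 0600. The function names, the "load" sub-command and the credential file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: a small helper that refuses
# to decrypt credentials unless gpg-agent.conf disables passphrase caching.
# Function names, the "load" sub-command and the file paths are assumptions.

# conf_value FILE KEY: print the value of the last uncommented KEY line in FILE
# (gpg-agent.conf uses "key value" lines; a leading '#' makes $1 a comment).
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# cache_disabled FILE: succeed only if both TTLs are set to 0, i.e. the agent
# will ask pinentry for the passphrase on every decryption.
cache_disabled() {
    conf="$1"
    [ -f "$conf" ] || return 1
    [ "$(conf_value "$conf" default-cache-ttl)" = "0" ] &&
    [ "$(conf_value "$conf" max-cache-ttl)" = "0" ]
}

# load_creds SRC DST: decrypt SRC to DST (mode 0600) after checking the agent
# config and reloading it, so a passphrase still cached from an earlier run
# cannot let the decryption go through without a pinentry prompt.
load_creds() {
    src="$1"
    dst="$2"
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    if ! cache_disabled "$conf"; then
        echo "refusing to decrypt: $conf does not set both cache TTLs to 0" >&2
        return 2
    fi
    gpgconf --reload gpg-agent
    # Subshell so the restrictive umask does not leak into the caller's shell;
    # the old plaintext is removed first so the new file is created as 0600.
    ( umask 077 && rm -f "$dst" && gpg -d "$src" > "$dst" )
}

# Usage (assumed paths): sh this_script.sh load ~/.aws/credentials.gpg ~/.aws/credentials
case "${1:-}" in
    load) load_creds "$2" "$3" ;;
esac
```

The check inspects the config file, not the running agent, which is why the helper reloads the agent before decrypting. Note that the decrypted file still sits on disk afterwards; the pinentry prompt only guards the moment of decryption, so remove the plaintext once the credentials are no longer needed.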