When using GnuPG (gpg) as the PGP scheme, we recommend using a program
called gpg-agent for entering and caching
passphrases1.
If non-nil, attempt to use gpg-agent whenever possible.
The default is t. If gpg-agent is not running, or GnuPG
is not the current PGP scheme, PGG’s own passphrase-caching mechanism
is used (see below).
To use gpg-agent with PGG, you must first ensure that
gpg-agent is running. For example, if you are running in the X
Window System, you can do this by putting the following line in your
.xsession file:
eval "$(gpg-agent --daemon)"
For more details on invoking gpg-agent, See Invoking
GPG-AGENT in Using the GNU Privacy Guard.
Whenever you perform a PGG operation that requires a GnuPG passphrase,
GnuPG will contact gpg-agent, which prompts you for the
passphrase. Furthermore, gpg-agent “caches” the result, so
that subsequent uses will not require you to enter the passphrase
again. (This cache usually expires after a certain time has passed;
you can change this using the --default-cache-ttl option when
invoking gpg-agent.)
If you are running in a X Window System environment, gpg-agent
prompts for a passphrase by opening a graphical window. However, if
you are running Emacs on a text terminal, gpg-agent has trouble
receiving input from the terminal, since it is being sent to Emacs.
One workaround for this problem is to run gpg-agent on a
different terminal from Emacs, with the --keep-tty option; this
tells gpg-agent use its own terminal to prompt for passphrases.
When gpg-agent is not being used, PGG prompts for a passphrase
through Emacs. It also has its own passphrase caching mechanism,
which is controlled by the variable pgg-cache-passphrase (see
below).
There is a security risk in handling passphrases through PGG rather
than gpg-agent. When you enter your passphrase into an Emacs
prompt, it is temporarily stored as a cleartext string in the memory
of the Emacs executable. If the executable memory is swapped to disk,
the root user can, in theory, extract the passphrase from the
swapfile. Furthermore, the swapfile containing the cleartext
passphrase might remain on the disk after the system is discarded or
stolen. gpg-agent avoids this problem by using certain tricks,
such as memory locking, which have not been implemented in Emacs.
If non-nil, store passphrases. The default value of this
variable is t. If you are worried about security issues,
however, you could stop the caching of passphrases by setting this
variable to nil.
Elapsed time for expiration in seconds.
If your passphrase contains non-ASCII characters, you might need to specify the coding system to be used to encode your passphrases, since GnuPG treats them as a byte sequence, not as a character sequence.
Coding system used to encode passphrase.
Actually, gpg-agent does not cache
passphrases but private keys. On the other hand, from a user’s point
of view, this technical difference isn’t visible.