A computer’s physical security is important, such as locking the screen and keeping the machine itself secure.

But say you have your GPG and SSH keys unlocked and someone gains access to the system. They could use a key while its passphrase is cached, or even dump the memory contents and recover the passphrase, using a physical card reader made to do this.

If you could tell GPG/SSH to drop the private key passphrases, then you may avoid this.

Warning

I say “may” because I am not a security expert. This article explores a possible method to employ this. But as I don’t know the exact method these agents employ to secure their secrets in various Linux distros and computer architectures, the agents may still have your passphrase even after being told to lock/forget them. Or even the OS may store it. Make sure to test, research, and double check it.

Warning

Memory modules have been known to retain their contents for minutes (or longer) after the computer is turned off. This is why many privacy-focused OSes erase memory on shutdown.

Causing Amnesia

There are two different ways we can do this. The first is a timeout that tells GPG/SSH how long to keep our cached credentials. The second is a script that tells the GPG/SSH agents to forget the credentials once the screensaver locks.

Both of these methods can be used at the same time.

After a Timeout

For GPG, add this to your ~/.gnupg/gpg-agent.conf. It will tell GPG to only cache the credentials for one hour (3600 seconds).

default-cache-ttl 3600
max-cache-ttl 3600

For ssh-agent this is specified by its -t option. Look for this file and edit it (or one like it on your system).

/etc/X11/Xsession.d/90x11-common_ssh-agent

...
SSHAGENTARGS="-t 1h"
...

Which will limit it to 1 hour.
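Two checks worth running after making those edits, as an added example that is not from the original post: one parses a gpg-agent.conf and reports the TTLs gpg-agent will actually use (gpg-agent's own defaults of 600 and 7200 seconds apply to any line that is missing; default-cache-ttl is reset each time the key is used, max-cache-ttl is the absolute limit), the other converts an ssh-agent -t value such as 1h into seconds so the two limits can be compared. The function names, the sample configs and the temporary-file layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check the cache limits that the
# two edits above actually produce. Function names and sample files are this
# example's own; the gpg-agent defaults (600 / 7200 seconds) are GnuPG's.

# Value of a gpg-agent.conf option ($2) in file $1, or "$3" when absent.
# Comment lines and blank lines are skipped; the last occurrence wins.
conf_value() {
    v=$(awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == k { val = $2 }
        END { if (val != "") print val }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Return 0 only if both gpg-agent TTLs in file $1 are at or below $2 seconds.
# A file that sets default-cache-ttl but not max-cache-ttl still lets a key
# that is used regularly stay cached for gpg-agent's default 7200 s.
check_cache_ttl() {
    d=$(conf_value "$1" default-cache-ttl 600)
    m=$(conf_value "$1" max-cache-ttl 7200)
    printf 'default-cache-ttl=%s max-cache-ttl=%s (limit %s)\n' "$d" "$m" "$2"
    [ "$d" -le "$2" ] && [ "$m" -le "$2" ]
}

# Convert an ssh-agent -t lifetime (e.g. 1h, 30m, 1h30m, or plain seconds)
# to seconds. Prints nothing and returns 1 on an unparseable value.
ssh_time_to_seconds() {
    [ -n "${1:-}" ] || return 1
    printf '%s' "$1" | awk '{
        n = 0; total = 0
        while (match($0, /^[0-9]+[smhdwSMHDW]?/)) {
            tok = substr($0, RSTART, RLENGTH)
            $0 = substr($0, RLENGTH + 1)
            unit = substr(tok, length(tok), 1); mult = 1
            if (unit ~ /[mM]/) mult = 60
            else if (unit ~ /[hH]/) mult = 3600
            else if (unit ~ /[dD]/) mult = 86400
            else if (unit ~ /[wW]/) mult = 604800
            total += int(tok) * mult; n++
        }
        if (n == 0 || length($0) > 0) exit 1
        print total
    }'
}

# Constructed sample configs (not real files from any system).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/good.conf" <<'EOF'
# the two lines from the post
default-cache-ttl 3600
max-cache-ttl 3600
EOF
cat > "$tmpdir/weak.conf" <<'EOF'
# only the idle timeout lowered; max-cache-ttl left at gpg-agent's default
default-cache-ttl 300
EOF

check_cache_ttl "$tmpdir/good.conf" 3600
check_cache_ttl "$tmpdir/weak.conf" 3600 || echo "weak.conf: max-cache-ttl still too long"
echo "ssh-agent -t 1h = $(ssh_time_to_seconds 1h) s"
```

Run it against your real ~/.gnupg/gpg-agent.conf by passing that path to check_cache_ttl with the limit you chose; the weak.conf case is the one people usually miss, since lowering only default-cache-ttl leaves a frequently used key cached for the full two-hour default.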

At Screen Lock

To do this, we need to know when Xscreensaver has locked the screen.

We do this with xscreensaver-command -watch, which prints an event line (BLANK, UNBLANK, LOCK, RUN) each time the screensaver changes state.

Info

Note that you can adjust this script to work with others, such as gnome-screensaver-command. Read their documentation to see how to check if it’s locked, as they each tend to do this differently.

#!/bin/bash
# Flush cached SSH and GPG credentials whenever xscreensaver reports a LOCK.
# xscreensaver-command -watch prints one line per event (BLANK, UNBLANK, LOCK, RUN).

xscreensaver-command -watch | while read -r line ; do
        if [[ "$line" == LOCK* ]] ; then
                echo "Screensaver locked."
                removed=""
                if pgrep ssh-agent >/dev/null ; then
                        # Remove all identities from the agent (SSH_AUTH_SOCK must be set in this environment).
                        if ssh-add -D ; then
                                removed="SSH "
                        else
                                echo "Failed to lock SSH."
                        fi
                fi

                if pgrep gpg-agent >/dev/null ; then
                        # RELOADAGENT makes gpg-agent forget every cached passphrase.
                        if echo RELOADAGENT | gpg-connect-agent ; then
                                removed="${removed}GPG "
                        else
                                echo "Failed to lock GPG."
                        fi
                fi

                if [[ -n "$removed" ]] ; then
                        echo "Removed ${removed}identities."
                else
                        echo "Either no identity agents are running, or there was an error."
                fi
        fi
done

Save the above file to ~/bin/lock-keys-on-locked-screen.

Make it executable.

chmod +x ~/bin/lock-keys-on-locked-screen

Then go into your desktop’s auto-start settings and add it to your auto-start list. Once done, you can either restart the computer, or just run it.

Verify

  1. Unlock your SSH key.

     ssh-add ~/.ssh/id_rsa

  2. Verify it’s unlocked.

     ssh-add -l

  3. Unlock your GPG key by decrypting or signing something.
  4. Lock your screen, then unlock it.
  5. Verify that GPG and SSH were locked.

This should not show any loaded keys (ssh-add reports that the agent has no identities):

ssh-add -l

And of course gpg should prompt for a passphrase when decrypting/signing something.
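The post's script restructured as an added example (not the post's own code, nor anything from xscreensaver or GnuPG) so that the event parsing, the two flushes and the verification step from the list above can each be exercised on their own. It assumes an X11 session with xscreensaver, an ssh-agent reachable through SSH_AUTH_SOCK and a gpg-agent reachable by gpg-connect-agent; the function names and the LOCK_KEYS_WATCH switch are this example's own. It detects agents by socket rather than by process, because pgrep finding some ssh-agent does not mean this session can talk to it, and the verification step relies on ssh-add -l's documented exit statuses (0 identities listed, 1 none loaded, 2 no agent reachable).

```shell
#!/bin/sh
# Added example, not the original post's script. Function names, the
# LOCK_KEYS_WATCH switch and the return-code conventions are this example's own.

# xscreensaver-command -watch prints one event per line: BLANK, UNBLANK, LOCK
# or RUN, each followed by a timestamp. Only LOCK should trigger a flush.
is_lock_event() {
    case "$1" in
        LOCK*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Flush ssh-agent. A running process is not enough; what matters is whether
# this session can reach an agent, which SSH_AUTH_SOCK tells us.
# Returns 0 on success, 1 if ssh-add failed, 2 if no agent is reachable.
flush_ssh() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 2
    ssh-add -D >/dev/null 2>&1 || return 1
}

# Flush gpg-agent's passphrase cache with RELOADAGENT (the same command the
# post uses). --no-autostart avoids launching an agent just to tell it to
# forget nothing. Returns 2 if no agent socket exists, 1 if the command failed.
flush_gpg() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 2
    sock=$(gpgconf --list-dirs agent-socket 2>/dev/null) || return 2
    [ -S "$sock" ] || return 2
    gpg-connect-agent --no-autostart RELOADAGENT /bye >/dev/null 2>&1 || return 1
}

# The "Verify" step: ssh-add -l exits 0 when identities are loaded, 1 when the
# agent holds none and 2 when no agent is reachable. Locked means status 1.
ssh_is_locked() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# Handle one watch line: flush both agents on LOCK and report the outcome.
# Returns 0 if the line was a LOCK event (whatever the agents said), 1 otherwise.
handle_event() {
    is_lock_event "$1" || return 1
    echo "Screensaver locked."
    removed=""
    rc=0; flush_ssh || rc=$?
    case $rc in 0) removed="SSH " ;; 1) echo "Failed to lock SSH." ;; esac
    rc=0; flush_gpg || rc=$?
    case $rc in 0) removed="${removed}GPG " ;; 1) echo "Failed to lock GPG." ;; esac
    if [ -n "$removed" ]; then
        echo "Removed ${removed}identities."
    else
        echo "No reachable identity agents, or the flush failed."
    fi
    return 0
}

# Only watch the screensaver when asked, so the functions above can be
# sourced and checked without an X session: LOCK_KEYS_WATCH=1 ./lock-keys.sh
if [ "${LOCK_KEYS_WATCH:-0}" = 1 ]; then
    xscreensaver-command -watch | while read -r line; do
        handle_event "$line" || :
    done
fi
```

After a real lock/unlock cycle, `ssh_is_locked && echo "SSH locked"` is the scripted form of the verification list above; a return of 2 from flush_ssh or flush_gpg is the case where the post's pgrep check would have reported "no identity agents are running".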

Conclusion

And that’s it.