https://www.gnu.org/software/emacs/manual/html_node/pgg/Caching-passphrase.html
When using GnuPG (gpg) as the PGP scheme, we recommend using a program called gpg-agent for entering and caching passphrases.
Actually, gpg-agent does not cache passphrases but private keys. On the other hand, from the user's point of view, this technical difference is not visible.
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry’s timer is reset. To set an entry’s maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
Since the private key sits in RAM for 10 minutes (600 seconds) or even up to 2 hours, does this pose a security problem? Given that GPG ships with these defaults, does GPG take any measures to protect the private key (e.g. encryption)?
Apart from the risk of data being extracted from RAM, there is also the huge risk of an evil maid attack, and shortening or disabling the cache does not seem easy. (See another question about this.)
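The two options quoted from the GnuPG manual are set in gpg-agent.conf, and a running agent can be told to pick them up and drop every cached entry immediately rather than waiting for the housekeeping timer. The script below is an added example, not code from the post or from GnuPG: the 60 s / 300 s values and the target directory are choices, and `gpg-connect-agent reloadagent /bye` is the real GnuPG command that reloads the agent and flushes its cache.

```shell
#!/bin/sh
# Added example (not from the original post): override gpg-agent's cache
# defaults (600 s sliding, 7200 s hard cap) with much shorter lifetimes and
# flush the cache on demand. Directory and TTL values are illustrative choices.

# Write a gpg-agent.conf into $1 (normally $HOME/.gnupg) and print its path.
write_hardened_agent_conf() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    conf="$dir/gpg-agent.conf"
    cat > "$conf" <<'EOF'
# Sliding window: an entry expires 60 s after its last use (default 600).
default-cache-ttl 60
# Hard cap: an entry expires 300 s after it was cached, however often it is used (default 7200).
max-cache-ttl 300
EOF
    chmod 600 "$conf"
    printf '%s\n' "$conf"
}

# Print the effective numeric value of option $2 in config $1
# (last occurrence wins; comments and blank lines are ignored). Prints nothing if unset.
conf_value() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$conf" | tail -n 1
}

# Return 0 when both TTLs are set and default-cache-ttl <= max-cache-ttl.
# If the hard cap is below the sliding window, the cap governs and the
# sliding value is misleading, so flag that as inconsistent.
ttls_consistent() {
    conf="$1"
    d=$(conf_value "$conf" default-cache-ttl); m=$(conf_value "$conf" max-cache-ttl)
    [ -n "$d" ] && [ -n "$m" ] && [ "$d" -le "$m" ]
}

# Make a running agent re-read its config and drop all cached entries now.
# --no-autostart avoids launching an agent just to reload it; skipped if the
# tool is missing or no agent is running.
flush_agent_cache() {
    command -v gpg-connect-agent >/dev/null 2>&1 || { echo "gpg-connect-agent not found; skipping" >&2; return 0; }
    gpg-connect-agent --no-autostart reloadagent /bye
}

# Usage: sh harden-gpg-agent.sh "$HOME/.gnupg"
if [ -n "${1:-}" ]; then
    conf=$(write_hardened_agent_conf "$1")
    ttls_consistent "$conf" || { echo "inconsistent TTLs in $conf" >&2; exit 1; }
    echo "wrote $conf: default-cache-ttl=$(conf_value "$conf" default-cache-ttl) max-cache-ttl=$(conf_value "$conf" max-cache-ttl)"
    flush_agent_cache
fi
```

The flush step is the part that matters for the "shortening the cache is not easy" concern: changing the TTLs only affects entries cached from then on, while `reloadagent` clears what is already held. Setting both values low does not address the evil maid scenario, which targets the machine before the agent ever runs.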